VSS Persistence on Windows 7 #2503
print_status("Not Running .EXE") | ||
else | ||
print_good("Running uploaded Executable.") | ||
run_malware = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe process call create \\\\?\\GLOBALROOT\\Device\\#{volume_data_id}\\Windows\\Temp\\#{file_name}", nil, {'Hidden' => true}) |
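Review bot: the cmd.exe command line on the last line interpolates `#{volume_data_id}` and `#{file_name}` without quotes, so a file name or temp path containing a space splits the argument handed to `wmic.exe process call create`; wrap the full `\\?\GLOBALROOT\Device\...\Windows\Temp\#{file_name}` path in double quotes. In line with the earlier comment, assemble the command in a local variable over several lines rather than one long string literal so the quoting can be read and checked.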
Breaking this into multiple lines would make it much more readable.
end
- end
- if datastore["EXECUTE"].nil? or datastore["EXECUTE"].empty?
-
print_status("Not Running .EXE")
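Review bot: the hunk removes the `if datastore["EXECUTE"].nil? or datastore["EXECUTE"].empty?` guard together with its `end`, but `print_status("Not Running .EXE")` stays behind as context, so that message now depends on a condition that is not visible in this hunk; confirm it still only fires when EXECUTE is unset rather than unconditionally. If the guard is kept elsewhere, write the key as `datastore['EXECUTE']` to match the single-quoted style used in the module info hash.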
Is this what you are talking about?
Nvm, I gotchu.
The module isn't msftidy compliant; warnings should be fixed in order to proceed:
'License' => MSF_LICENSE, | ||
'Platform' => ['win'], | ||
'SessionTypes' => ['meterpreter'], | ||
'Author' => ['MrXors Mr.Xors<at>gmail.com'], |
The correct format for the Author entry would be:
'Author' => [ 'MrXors <Mr.Xors[at]gmail.com>' ],
I'm still having an issue using OptPath on RPATH because it errors out for some reason when you try to enter \location\to\put\exe\ . I need this format to be ( \Windows\Temp or \Users\Public\Desktop ) entered in order to avoid using regex to splice up the datastore['RPATH'] var and remove the C:\ or whatever the issue is when I'm using OptPath. OptString works great.
RPATH is okay as a string because it's a remote path :) The comment only applied to the PATH option indeed.
Cool, that saves me.
Processing again btw :)
Awesome! I know I changed it up a bit, hopefully for the better.
@location = trgloc | ||
end | ||
ext = file[file.rindex(".") .. -1] | ||
if ext and ext.downcase == ".exe" |
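Review bot: `file.rindex(".")` returns nil when the file name has no dot, so `file[file.rindex(".") .. -1]` raises before the `if ext and ext.downcase == ".exe"` check ever runs, and `@file_on_target` is then never set; test `rindex` for nil first, or replace the slice with `File.extname(file)`, which returns an empty string in that case and makes the `if ext` guard sufficient.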
Looks like the extension of the file can only be ".exe", is that right :? If it isn't exe, @file_on_target isn't correctly initialized.
Yes, it can only be exe.
Hi @MrXors, https://github.com/MrXors/metasploit-framework/pull/1 tries to clean the code in this pull request. After modification it has been tested successfully:
The svhost26.exe is a meterpreter which runs successfully at the moment, but even with REGKEY set to true, and even when the registry entry is created, I am not able to get a new session when the target system is rebooted. Is REGKEY working correctly in your testing :? I'm going to try with your code without any modification to test if the REGKEY option is working as expected. On the other hand, feel free to review, check, discuss, test, etc. this code and once you feel comfortable feel free to land it into your repo so this one will be automatically updated. Thanks!
Testing with your current code, the RUNKEY feature isn't working either:
On the handler I got a first session when running the executable:
Is the RUNKEY working correctly on your side :? Am I forgetting something in my testing? Guidance is welcome!
I just tested your code and the cmd_exec("vssadmin List Shadow|find "Sha...) is not giving me any output, but I like your layout better. I will fix the runkey issue also. On my code RUNKEY is working but I haven't checked the reboot shell; I believe I have got a shell after reboot. Committing soon / merging your code also.
Cool, thanks a lot! I will test all the features once the pull request is updated :)
Almost there, got the reg problem fixed, it was a var issue. Now I need to make schtask not pop up cmd windows when executing. Runkey session works after reboot; needed to add wmic process create to cmd to run the executable. Going home, then I'll upload the merged data. Thanks for the help, Rapid-7 kicks ass! And thank you for the quick response time.
Hahaha cool, no, thank you for collaborating, and keep working on it! Feel free to update the PR when ready and we'll continue the pull request handling :)
Processing!
Successfully tested RUNKEY, SCHTASKS and the resource script for cleanup:
Sessions were correctly obtained every two minutes and after restarting, once the user initiates a session (password required):
Landing! Thanks @MrXors for continuing to work on it!
Last holdup: just verifying with @jlee-r7 if this module is okay as a post exploitation module. With the introduction of support for local exploits, AFAIK the preferred way of writing modules to get persistence is through local exploits, since they finally get a session. But since he has already reviewed this module maybe I'm wrong.... So just asking for confirmation before landing.
Awesome! Thanks for all the help!
Okay, so after speaking with @jlee-r7:
I've already converted the post module to a local exploit; it's an easy change :) So the user doesn't have to worry about the payload creation if he would like to make the msf session persistent. If he wants to use his own EXE, the EXE::Custom option provided by the Msf::Exploit::EXE mixin can still be used :) Test:
The changes are available at https://github.com/MrXors/metasploit-framework/pull/2. @MrXors, please feel free to check, review and discuss, and once you feel comfortable you can land it into your repo; this one will be automatically updated and ready to go!
Works great, I love it way better as an exploit mod. Looks good to me, boss! Ready to go.
Absolutely! Landing! Thanks a lot @MrXors!
This module uploads your provided executable, creates a backup (VSS) and then deletes the executable, running it from ?\GLOBALROOT/HarddiskVolumeShadowCopy\d{1,3}/%TEMP%\executable. This module also gives you the option to add a SCHTASK and AUTORUN KEY to give it more "persistence". The option to run the exe is also added to let the attacker decide when to run it.
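As an added example (not part of this pull request or the module's code), the following Python detection logic flags the process-creation chain the module leaves behind on the target: vssadmin creating a shadow copy, wmic launching an executable from a `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\` path, and a scheduled task or Run key pointing at such a path. The sample events, in a Sysmon Event ID 1 style `key=value` layout, and the `svhost26.exe` name are constructed for the example; `vssadmin list shadows` on its own is deliberately not flagged, since it is common in legitimate administration.

```python
import re

# Constructed sample process-creation events (not real telemetry); fields are
# pipe-separated key=value pairs in the style of Sysmon Event ID 1.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin create shadow /for=C:",
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic process call create "
    "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\Temp\\svhost26.exe",
    "Image=C:\\Windows\\System32\\schtasks.exe|CommandLine=schtasks /create /sc minute /mo 2 "
    "/tn updater /tr \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\Temp\\svhost26.exe",
    "Image=C:\\Windows\\System32\\reg.exe|CommandLine=reg add HKCU\\Software\\Microsoft\\Windows"
    "\\CurrentVersion\\Run /v updater /d \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3"
    "\\Windows\\Temp\\svhost26.exe",
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad C:\\Users\\Public\\notes.txt",
    "Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin list shadows",
]

# Executable path living inside a shadow copy device, as used by the module.
SHADOW_PATH = re.compile(r"GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d{1,3}\\", re.I)

# Each rule is (name, predicate over a parsed event); image is lower-cased by the parser.
RULES = [
    ("vssadmin_create_shadow", lambda e: e["image"].endswith("vssadmin.exe")
        and re.search(r"\bcreate\s+shadow\b", e["cmd"], re.I) is not None),
    ("wmic_exec_from_shadow_copy", lambda e: e["image"].endswith("wmic.exe")
        and "process call create" in e["cmd"].lower() and SHADOW_PATH.search(e["cmd"])),
    ("schtask_points_to_shadow_copy", lambda e: e["image"].endswith("schtasks.exe")
        and "/create" in e["cmd"].lower() and SHADOW_PATH.search(e["cmd"])),
    ("runkey_points_to_shadow_copy", lambda e: e["image"].endswith("reg.exe")
        and re.search(r"\\CurrentVersion\\Run\b", e["cmd"], re.I) and SHADOW_PATH.search(e["cmd"])),
]


def parse_event(line):
    """Split one key=value|key=value event line into the two fields the rules need."""
    fields = dict(f.split("=", 1) for f in line.split("|"))
    return {"image": fields["Image"].lower(), "cmd": fields["CommandLine"]}


def detect(events):
    """Return (rule name, command line) hits in event order; benign events yield nothing."""
    hits = []
    for line in events:
        ev = parse_event(line)
        for name, pred in RULES:
            if pred(ev):
                hits.append((name, ev["cmd"]))
    return hits


if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

A real deployment would feed parsed Sysmon or 4688 events into `detect` and correlate the four hits by host and time window, since the module produces them within minutes of each other.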