windows telemetry persistence #20843
base: master
Conversation
| def writable_dir | ||
| d = super | ||
| return session.sys.config.getenv(d) if d.start_with?('%') |
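Review bot: `getenv(d)` in `return session.sys.config.getenv(d) if d.start_with?('%')` is handed the whole setting, so only a value that is exactly one variable token can resolve; a value with a trailing segment such as `%TMP%\some\path` is passed to getenv as the variable name and no usable path comes back. Expand the `%...%` token and re-append the remainder of the string, and treat a nil result as "no writable directory" instead of returning it to the caller.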
not a blocker: Might be a pattern we could consolidate on behind the scenes in the library code
Potentially we'll need expand_path if this needs to handle the scenario of %TMP%/some/path
Did this scenario come up in your real user testing? 👀
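The `%TMP%/some/path` case raised above, as an added example that is not code from the PR or its reviewers: every `%VAR%` token in a Windows-style path is expanded against a hash of environment variables, and an unset variable yields nil rather than a half-expanded path. `SAMPLE_ENV` is constructed sample data standing in for what a session's getenv would return, and `expand_windows_path` / `writable_dir_from` are hypothetical helper names.

```ruby
# Added example, not code from the PR or its reviewers: expand every %VAR%
# token in a Windows-style path against a hash of environment variables.
# SAMPLE_ENV is constructed sample data standing in for what a session's
# getenv would return; the helper names below are hypothetical.

ENV_TOKEN = /%([^%]+)%/.freeze

# Returns the expanded path, or nil if any referenced variable is unset, so a
# caller never ends up writing to a half-expanded location such as "\some\path".
def expand_windows_path(path, env)
  missing = []
  expanded = path.gsub(ENV_TOKEN) do
    name = Regexp.last_match(1)
    value = env[name.upcase] # Windows variable names are case-insensitive
    missing << name if value.nil?
    value.to_s
  end
  missing.empty? ? expanded : nil
end

# Mirrors the reviewed guard (only touch values beginning with '%') but hands
# the whole string to the expander instead of passing it to getenv verbatim,
# so a trailing "\some\path" survives.
def writable_dir_from(setting, env)
  return setting unless setting.start_with?('%')

  expand_windows_path(setting, env)
end

SAMPLE_ENV = {
  'TMP' => 'C:\Users\alice\AppData\Local\Temp',
  'SYSTEMROOT' => 'C:\Windows'
}.freeze

if __FILE__ == $PROGRAM_NAME
  ['%TMP%', '%TMP%\some\path', '%SystemRoot%\Temp', 'C:\plain', '%NOPE%\x'].each do |p|
    puts "#{p} -> #{writable_dir_from(p, SAMPLE_ENV).inspect}"
  end
end
```

Returning nil for an unset variable matters because the registry and file writes that follow would otherwise be aimed at a relative path assembled from the leftover segments.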
| def writable_dir | ||
| d = super | ||
| return session.sys.config.getenv(d) if d.start_with?('%') |
Do we need any additional guard clause to ensure this isn't calling session.sys on non-meterpreter sessions, or potentially the core post file mixin that has the expand path method available 🤞
| vprint_status("Checking registry write access to: #{regkey}\\#{rand}") | ||
| return Msf::Exploit::CheckCode::Safe("Unable to write to registry path #{regkey}\\#{rand}") if registry_createkey("#{regkey}\\#{rand}").nil? | ||
| registry_deletekey("#{regkey}\\#{rand}") |
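Review bot: `#{rand}` is interpolated separately in the vprint_status line, the registry_createkey call, the Safe message and `registry_deletekey("#{regkey}\\#{rand}")`; unless `rand` is a local holding one precomputed value, each interpolation evaluates it afresh and the key deleted is not the key that was created. Capture the probe path once (`probe = "#{regkey}\\#{rand}"`) and use it in all four places, and move the deletion into an `ensure` so a failure between create and delete does not leave the probe key behind on the host.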
Should this be popped into an ensure block to make sure it's cleaned up afterwards (with a rescue wrapper) 👀
```ruby
  Msf::Exploit::CheckCode::Vulnerable('Registry writable')
ensure
  begin
    registry_deletekey("#{regkey}\\#{rand}")
  rescue StandardError => e
    vprint_error("Failed to delete #{regkey}\\#{rand}: #{e.message}")
  end
end
```
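The ensure/rescue shape suggested above, as an added example that is not the module's code: write access is probed by creating a throw-away marker, the check result is returned from the begin body, and the marker is always removed afterwards with a cleanup failure logged rather than raised. The filesystem stands in for the registry so the example runs anywhere; `check_write_access`, `leftover_probes` and `log_status` are hypothetical names.

```ruby
require 'tmpdir'
require 'securerandom'

# Added example, not the module's code: probe write access by creating a
# throw-away marker and always removing it, in the ensure/rescue shape the
# review suggests. The filesystem stands in for the registry so it runs
# anywhere; check_write_access and leftover_probes are hypothetical names.

# Stand-in for the module's vprint_* helpers.
def log_status(msg)
  $stderr.puts(msg)
end

# Returns :vulnerable when a marker could be created in +dir+, :safe otherwise.
# The marker name is computed once so the create and the cleanup agree on it.
def check_write_access(dir)
  marker = File.join(dir, ".probe-#{SecureRandom.hex(8)}")
  created = false
  begin
    File.write(marker, '')
    created = true
    :vulnerable
  rescue SystemCallError => e
    log_status("Unable to write to #{dir}: #{e.message}")
    :safe
  ensure
    # Runs on every path out of the begin block; a cleanup failure is logged,
    # not raised, so it cannot mask the check result.
    if created
      begin
        File.delete(marker)
      rescue SystemCallError => e
        log_status("Failed to remove probe #{marker}: #{e.message}")
      end
    end
  end
end

# Counts leftover markers in +dir+, i.e. probes that were not cleaned up.
def leftover_probes(dir)
  Dir.glob(File.join(dir, '.probe-*')).size
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |d|
    puts "#{d}: #{check_write_access(d)} (leftover probes: #{leftover_probes(d)})"
  end
  puts "missing dir: #{check_write_access('/nonexistent/dir')}"
end
```

Because the value of a `begin` body is what the method returns and the `ensure` clause's value is discarded, the cleanup can fail noisily without changing the Safe/Vulnerable verdict; the single `marker` local is what keeps the create and the delete pointed at the same object.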
| ' or CompatTelRunner.exe (user)' | ||
| print_line(" or wait till #{@next_run_time} (SYSTEM)") | ||
| @clean_up_rc = %(execute -f cmd.exe -a "/c reg delete \\\"#{regkey}\\#{telemetry}\\\" /f" -H\n) |
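Review bot: the cleanup command in `@clean_up_rc = %(execute -f cmd.exe -a "/c reg delete \\\"#{regkey}\\#{telemetry}\\\" /f" -H\n)` removes the whole `#{regkey}\\#{telemetry}` key with `/f`. If that key already existed on the host before the module ran, cleanup destroys the original configuration instead of restoring it; record whether the module created the key (and the prior value if it did not) and either restore or delete accordingly.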
Question: Do we need to handle the scenario of clean_up_rc already having values in it?
```ruby
@clean_up_rc ||= +""
@clean_up_rc << %(execute -f cmd.exe -a "/c reg delete \\\"#{regkey}\\#{telemetry}\\\" /f" -H\n)
```
Fixes #20828 by adding a new persistence technique via Windows telemetry.
Verification

```
use exploit/windows/persistence/telemetry
set session #
run
```