0x00 Preface

---

Windows virtual machines encountered during penetration tests are frequently VMware guests with VMware Tools installed. VMware Tools includes a script execution feature that runs scripts on power-state changes; since those scripts are launched by the VMware Tools service, abusing the feature yields a backdoor that runs automatically, with System privileges, every time the VM is powered on.

Articles on this technique:

https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/

https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/

Building on those references, this article analyzes how the feature is abused and gives detection and defense recommendations.

0x01 Introduction

---

This article will cover the following:

  • Exploitation Approach
  • Exploitation Analysis
  • Defense Recommendations

0x02 Exploitation Approach

---

The script execution function of VMware Tools can run a script on each of the following four power operations (the names are the ones VMwareToolboxCmd.exe accepts after the script keyword):

  • power, when the VM is powered on
  • resume, when the VM is resumed from suspension
  • suspend, when the VM is suspended
  • shutdown, when the VM is shut down

Either of the following two methods configures the script execution function:

1. Using VMwareToolboxCmd.exe

Default installation path: "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe"

Command example 1:

"C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" script power enable

After the command runs, VMware Tools creates the file C:\ProgramData\VMware\VMware Tools\tools.conf (under ProgramData, not under the installation directory) with the content:

[powerops]
poweron-script=poweron-vm-default.bat

Effect:

When the VM is powered on, "C:\Program Files\VMware\VMware Tools\poweron-vm-default.bat" is executed with System privileges, because it is launched by the VMware Tools service (vmtoolsd.exe), which runs as SYSTEM.

Note:

The power script is triggered only by a VM power-on; restarting the guest operating system does not trigger it.

Command Example 2:

"C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" script suspend set "c:\test\1.bat"

After the command runs, VMware Tools creates the file C:\ProgramData\VMware\VMware Tools\tools.conf (under ProgramData, not under the installation directory) with the content:

[powerops]
suspend-script=c:\\test\\1.bat

Effect:

When the VM is suspended, "c:\test\1.bat" is executed with System privileges.

2. Using tools.conf

Create (or edit) the file C:\ProgramData\VMware\VMware Tools\tools.conf by hand.

File content example:

[powerops]
poweron-script=poweron-vm-default.bat
suspend-script=c:\\test\\1.bat

Effect:

When the VM is powered on, "C:\Program Files\VMware\VMware Tools\poweron-vm-default.bat" is executed with System privileges; when the VM is suspended, "c:\test\1.bat" is executed with System privileges.

Additional Notes:

View help instructions for VMwareToolboxCmd.exe:

"C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" help

View default path for startup scripts:

"C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" script power default

View current path for startup scripts:

"C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" script power current

0x03 Exploitation Analysis

---

Creating or editing C:\ProgramData\VMware\VMware Tools\tools.conf requires administrator privileges, so this is a persistence technique rather than a way to escalate from a standard user. The payoff is that whatever script is configured runs with System privileges through VMware Tools' script execution feature, and it survives reboots without touching the usual autostart locations (Run keys, services, scheduled tasks).

To improve stealth, do not point tools.conf at an attacker-controlled path. Keep the default configuration (poweron-script=poweron-vm-default.bat, exactly what "script power enable" writes) and instead append the payload to poweron-vm-default.bat itself, for example a rundll32 line that loads a DLL. A reviewer who only reads tools.conf then sees nothing but the stock setting.

0x04 Defense and Detection

---

By default, VMware Tools does not enable the script execution function, meaning the file C:\ProgramData\VMware\VMware Tools\tools.conf does not exist on a fresh installation.

1. Identify whether the script execution function has been configured

Check for the file C:\ProgramData\VMware\VMware Tools\tools.conf.

If the file does not exist, the script execution function has not been configured through tools.conf. If it exists, treat it as something to explain: in a default installation nothing creates it. The same information is available from VMware Tools itself with "VMwareToolboxCmd.exe script <power|resume|suspend|shutdown> current".

2. Identify which scripts will be executed

Read the [powerops] section of C:\ProgramData\VMware\VMware Tools\tools.conf. Each *-script entry names the script for that operation.

If the value is not an absolute path, the script is resolved relative to the VMware Tools installation directory, by default "C:\Program Files\VMware\VMware Tools\". Because an attacker can keep the default setting and modify the default script instead (see 0x03), also inspect the content and modification time of the script files themselves, including poweron-vm-default.bat and the other *-vm-default.bat scripts in the installation directory, not just the paths named in tools.conf.
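The following PowerShell audit script is an added example for the two checks above and for the default-script tampering described in 0x03; it is not code from the original article or from VMware. It assumes a Windows guest with VMware Tools installed, reads the installation directory from the registry value InstallPath under HKLM:\SOFTWARE\VMware, Inc.\VMware Tools when that value is present (falling back to the default path given above otherwise), and the list of suspicious tokens it greps for is an assumption chosen for illustration.

```powershell
# Added audit example for the detection steps above; not code from the
# original article or from VMware. Assumptions: VMware Tools is installed in a
# Windows guest; the registry value InstallPath under
# HKLM:\SOFTWARE\VMware, Inc.\VMware Tools holds the install directory (default
# path used when it is absent); $Suspicious is an illustrative token list.

$DefaultInstallDir = 'C:\Program Files\VMware\VMware Tools'
$ToolsConf = Join-Path $env:ProgramData 'VMware\VMware Tools\tools.conf'
$Suspicious = 'rundll32', 'regsvr32', 'powershell', 'mshta', 'certutil',
              'wscript', 'cscript', 'bitsadmin', 'http'

function Get-VMwareToolsDir {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools' -ErrorAction SilentlyContinue
    if ($p -and $p.InstallPath) { return $p.InstallPath.TrimEnd('\') }
    return $DefaultInstallDir
}

# Parse the [powerops] section of tools.conf and resolve every *-script value.
# A bare file name (e.g. poweron-vm-default.bat) resolves to the install dir,
# which is exactly how VMware Tools resolves it.
function Get-PowerOpsScripts {
    param([string]$ConfPath = $ToolsConf, [string]$BaseDir = (Get-VMwareToolsDir))
    $entries = @()
    if (-not (Test-Path -LiteralPath $ConfPath)) {
        Write-Warning "$ConfPath not found: script execution not configured through tools.conf"
        return $entries
    }
    $section = ''
    foreach ($raw in Get-Content -LiteralPath $ConfPath) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^[#;]') { continue }          # comments
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'powerops') { continue }
        if (-not ($line -match '^([^=]+?)\s*=\s*(.*)$')) { continue }
        $key = $Matches[1].Trim()
        $val = $Matches[2].Trim().Replace('\\', '\')   # tools.conf escapes backslashes
        if ($key -notmatch '-script$') { continue }
        $resolved = if ([System.IO.Path]::IsPathRooted($val)) { $val } else { Join-Path $BaseDir $val }
        $entries += [pscustomobject]@{
            Operation    = $key
            Configured   = $val
            Resolved     = $resolved
            Exists       = Test-Path -LiteralPath $resolved
            InInstallDir = $resolved.StartsWith($BaseDir, [System.StringComparison]::OrdinalIgnoreCase)
        }
    }
    return $entries
}

# Inspect every script that can run as SYSTEM: the ones named in tools.conf
# plus the four default scripts, which an attacker may simply edit in place.
function Test-VMwareToolsScripts {
    $base = Get-VMwareToolsDir
    $paths = @(Get-PowerOpsScripts -BaseDir $base | ForEach-Object { $_.Resolved })
    foreach ($name in 'poweron', 'poweroff', 'suspend', 'resume') {
        $paths += Join-Path $base "$name-vm-default.bat"
    }
    foreach ($path in ($paths | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path
        $hits = Select-String -LiteralPath $path -Pattern $Suspicious -SimpleMatch
        [pscustomobject]@{
            Script          = $path
            LastWrite       = $item.LastWriteTime
            SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            SuspiciousLines = @($hits | ForEach-Object { $_.Line.Trim() })
        }
    }
}

Get-PowerOpsScripts | Format-Table -AutoSize
Test-VMwareToolsScripts | Format-List
```

The first table answers check 1 and 2 (is tools.conf present, and which script each operation resolves to); a script that resolves outside the installation directory, or a configured file that does not exist, is worth an immediate look. The second listing covers the stealthy variant from 0x03: a default script with a recent LastWrite time or a rundll32 line inside it is the indicator, even though tools.conf looks stock. The script carries no baseline of known-good hashes, so compare the SHA256 values against a clean VMware Tools installation of the same version.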

0x05 Summary

---

This article analyzes the exploitation approach of the VMware Tools script execution function and provides defense recommendations.