-
Notifications
You must be signed in to change notification settings - Fork 14k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add modules/exploits/linux/local/udev_persistence.rb #19472
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the module @jvoisin! I started a payload handler but wasn't able to get this working by rebooting the target or by bringing up network interfaces manually or by attempting to trigger udev rules with udevadm trigger -v --subsystem-match=net
I was able to return a session by manually executing the payload file: /usr/bin/udev-check-updates
but the persistence mechanism wasn't working for me.
I noticed some potential syntax errors, I'm wondering if there were maybe some changes made after you tested this? I've been testing on Ubuntu 22.04 (Linux 6.8.0-45-generic)
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
851604d
to
36ec9d6
Compare
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
Hello @jvoisin, tried the module but seems the rule is not triggered at boot time, the payload is written correctly and works, I will try to investigate further, would you mind adding the docs for this post module later? I opened a PR #19542 that you can use as base when it get landed. UPDATE it looks like in Ubuntu 22.04 there is no
|
36ec9d6
to
51ee269
Compare
Co-authored-by: jheysel-r7 <[email protected]>
51ee269
to
b2ad59d
Compare
I added some documentation, and a check for the presence of |
I think we can get rid of the write_file(datastore['BACKDOOR_PATH'], 'SUBSYSTEM=="net", KERNEL!="lo", RUN+="' + datastore['PAYLOAD_PATH']+'"') I will do some tests. |
It's non-trivial |
I see what you mean, I'm think we can make a child bash process with UpdateSo i tried to play a bit with som bash scripting and maybe we can have a script like this backdoor = <<~EOF
#!/bin/sh
PAYLOAD_ENC="#{payload.encoded}"
if [ -f /usr/bin/at ]; then
echo sh -c "$PAYLOAD_ENC" | at -M now
elif [ -f /usr/bin/nohup ]; then
nohup sh -c "$PAYLOAD_ENC" > /dev/null 2>&1&
else
echo sh -c "$PAYLOAD_ENC" & disown | bash
fi
EOF
upload_and_chmodx(datastore['PAYLOAD_PATH'], backdoor) However for now I am still not able to trigger the rule on ubuntu 24.04 LTS, can you provide some details where you tested that? I also tried to change the default rules location but nothing. |
Add a way to persist via udev rules.
Verification
msfconsole
use exploits/linux/local/udev_persistence