Persistence directory #19815
base: master
I'm going to go ahead and mark this as ready for review, even though it's not. I'd like to get some eyes on the non-windows and LIB side of things. That way if there are changes, I can apply them globally instead of doing, redoing and reredoing the work. Docs are not ready, but again I only want to update them once.
```ruby
update_info(
  info,
  'DefaultOptions' => {
    'WfsDelay' => 90_000, # 25hrs
```
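Review bot: the `# 25hrs` comment on `'WfsDelay' => 90_000` is consistent with the option being in seconds (90_000 / 3600 = 25), but a default that makes every persistence module wait a full day for a session to come back is surprising enough that it should be explained in the module docs or the `Notes` field rather than only in an inline comment; writing it as `25 * 60 * 60` would also keep the intent visible if the comment is ever dropped.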
I think the directory structure makes a lot of sense. Assuming the contents of the files haven't changed too much we should be able to process this pretty quickly. I like the checklist you have going with the modules that make sense to consolidate and agree that'd be a good move but doing so in a dedicated PR would probably help make review easier and faster.
```ruby
register_advanced_options(
  [
    OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp/'])
```
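Review bot: the hard-coded `'/tmp/'` default in `OptString.new('WritableDir', ...)` is wrong on Windows targets, and the persistence_suggester output later in this thread shows the effect: `exploit/windows/persistence/registry_vbs` reports "The target is not exploitable. Path doesn't exists: /tmp/", which is an option problem surfacing as a check verdict. Leave the default empty and resolve it per platform at runtime, and have `check` distinguish "staging directory not usable" from "target not vulnerable".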
Since this isn't tied to a specific platform, what if we left the default value blank then determined it at runtime and set it to something sensible based on the target platform.
That's fine, is there a way to set the value in the module w/o overwriting all the text? Something like

```ruby
set_option('WritableDir', '/tmp/')
```

or do I have to overwrite it like:

```ruby
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp/'])
```
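The suggestion above (leave the default blank and decide at runtime) can be sketched outside the framework. The following is an added example in plain Ruby, not code from this PR or from Metasploit's datastore API: the `WritableDirProbe` module, its per-platform candidate lists and the `probe`/`choose` names are assumptions, and on a real target the candidate paths and environment would come from the session rather than from the operator's host. The point it makes is that `File.directory?` or `File.writable?` alone is not enough; the directory has to be probed by actually creating and removing a file, and a miss has to be reported as "no usable directory" rather than as "target not vulnerable".

```ruby
require 'tmpdir'
require 'securerandom'

# Added example (not Metasploit code): choose a writable staging directory at
# runtime instead of hard-coding '/tmp/'.
module WritableDirProbe
  # Hypothetical per-platform candidates, probed in order. On a live target
  # these would be taken from the session ($TMPDIR, %TEMP%), not from here.
  CANDIDATES = {
    'windows' => ['%TEMP%', 'C:\\Windows\\Temp'],
    'linux'   => ['/tmp/', '/dev/shm/', '/var/tmp/'],
    'osx'     => ['/tmp/', '/private/tmp/']
  }.freeze

  # Expand %NAME% (Windows) and $NAME (POSIX) references from the supplied
  # env hash so that resolution is deterministic and testable offline.
  def self.expand(path, env)
    win = path.gsub(/%([A-Za-z_][A-Za-z0-9_]*)%/) { env.fetch(Regexp.last_match(1), '') }
    win.gsub(/\$([A-Za-z_][A-Za-z0-9_]*)/) { env.fetch(Regexp.last_match(1), '') }
  end

  # True only if a file can actually be created, written and removed in dir.
  # Read-only mounts and sandboxed filesystems can pass File.writable? and
  # still fail here, which is why the probe does the real operation.
  def self.probe(dir)
    marker = nil
    return false unless File.directory?(dir)
    marker = File.join(dir, ".wd-probe-#{SecureRandom.hex(8)}")
    File.open(marker, 'w') { |f| f.write('probe') }
    true
  rescue SystemCallError
    false
  ensure
    File.delete(marker) if marker && File.exist?(marker)
  end

  # Pick the first usable directory for platform. `explicit` is the operator
  # supplied option value; nil or '' means "decide at runtime". Returns nil
  # when nothing is usable so the caller can fail the check cleanly instead
  # of raising halfway through installing persistence.
  def self.choose(platform, explicit: nil, env: {}, candidates: CANDIDATES)
    list = explicit.to_s.empty? ? candidates.fetch(platform, []) : [explicit]
    list.map { |p| expand(p, env) }.reject(&:empty?).find { |d| probe(d) }
  end
end

if $PROGRAM_NAME == __FILE__
  # Demo on the local host: a bogus explicit value is reported as unusable,
  # the runtime fallback then walks the platform list.
  puts "explicit /nonexistent -> #{WritableDirProbe.choose('linux', explicit: '/nonexistent/').inspect}"
  puts "runtime linux        -> #{WritableDirProbe.choose('linux', env: ENV.to_h).inspect}"
end
```

With an explicit operator value the probe is still run, so a typo in `WritableDir` is caught before any artefact is dropped; with no value the platform list is walked and the first directory that survives the create/delete round-trip wins.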
Hello @h00die, I've investigated the functionality of the First of all, looks like the

Hi @h00die,
what action was not working? maybe the OSX one?
```ruby
OptEnum.new('TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP']]),
# XXX this should be upgraded to drop a payload of our choosing instead
```
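Review bot: registering a module option named `TARGET` in `OptEnum.new('TARGET', ...)` clashes with the datastore key the framework already uses for exploit target selection, which is what the `mod.target` being `nil` reported below points at; rename it (the `BIN_TARGET` suggestion later in this thread does this) and turn the `# XXX this should be upgraded` comment into a tracked issue so it does not ship as a bare TODO.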
@h00die, I have also investigated `sticky_keys`, looks like for some reason the `mod.target` is `nil` instead of being something like `#<Msf::Module::Target:0x00007fbaf1e83088 @default_options=nil, @name="Automatic", @opts={}, @ret=nil, @save_registers=nil>`

EDIT

Found the issue.

```
[*] 172.25.217.92 - Valid modules for session 1:
============================

 #   Name                                        Potentially Vulnerable?  Check Result
 -   ----                                        -----------------------  ------------
 1   exploit/windows/persistence/ps_persist      Yes                      The service is running, but could not be validated. System likely vulnerable
 2   exploit/windows/persistence/registry        Yes                      The target is vulnerable.
 3   exploit/windows/persistence/s4u             Yes                      The service is running, but could not be validated. System likely vulnerable
 4   exploit/windows/persistence/service         Yes                      The target appears to be vulnerable.
 5   exploit/windows/persistence/sticky_keys     Yes                      The target appears to be vulnerable. Target is likely vulnerable
 6   exploit/windows/persistence/vss             Yes                      The target appears to be vulnerable. Target is likely vulnerable
 7   exploit/windows/persistence/wmi             Yes                      The target appears to be vulnerable. Target is likely vulnerable
 8   exploit/multi/persistence/obsidian_plugin   No                       The target is not exploitable. No vaults found
 9   exploit/multi/persistence/sshkey            No                       The target is not exploitable. Unable to read SSH config: /etc/ssh/sshd_config
 10  exploit/windows/persistence/registry_vbs    No                       The target is not exploitable. Path doesn't exists: /tmp/

[*] Post module execution completed
msf6 post(multi/recon/persistence_suggester) >
```

This datastore option breaks the target information.
Suggested change:

```diff
-    OptEnum.new('TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP']]),
+    OptEnum.new('BIN_TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP']]),
     # XXX this should be upgraded to drop a payload of our choosing instead
```
good find!
Hi @h00die, I'll move on with other persistence PRs that have been blocked. You can rebase this PR once it's done. Let me know if you would need help moving forward with this PR!
Fixes #19592.

Move modules to a persistence directory

TO DO

- `Msf::Exploit::Local`
- `include Msf::Exploit::Local::Persistence`, and `prepend Msf::Exploit::Remote::AutoCheck`
- `check` method
- `Notes` field, `DisclosureDate` field
- `WritableDir` or deregister it.
- `moved_from` and `Deprecated` mixin.
- `install_persistence` and cleanup over rc-file `pry`
- `sticky_keys` work with this:

```
[-] Exploit failed [timeout-expired]: Timeout::Error execution expired
```
Future Items

These will be converted to issues to do outside of this big change.

- `windows/registry_vbs.rb`, `windows/registry.rb`, should be combined since they do nearly the same thing. One just drops a VBS script on system, the other writes it all into the registry.
- `windows/persistence_exe.rb` should be divided up. It can write to the registry, which duplicates the above, it can write a service, which duplicates `windows/service.rb`, and can make a task.
- `sshkey` and windows `sshkey`, they should be combined and moved to multi.
- `linux/service.rb` feels overly complex between the different service systems. I think breaking it into the following would be best: `system_v_persistence.rb`, `upstart_persistence.rb`, `openrc_persistence.rb`, `systemd_persistence.rc`. Maybe removing the code bits to be in `data` would help as well, but may not be needed once it's broken up?
- `sshkey` modules should execute `ssh_login_pubkey`. While there's a mixin for CheckModule, we may want something like `PayloadModule` or something similar to avoid rewriting code.

Assistance

Would love assistance and suggestions on this! Mainly at this point figuring out why setting `Passive` to `true` in the lib makes the modules exit at the end of code and not keep running (even though they're running as a job).