From 93a133d5de2b7546cf5b0e98ee18faed87416e43 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 16 Nov 2011 16:48:19 -0600 Subject: [PATCH] Always try both export and setenv. Fixups to allow for correct reading from echoy nix shells. Fixes is_root? to not treat an empty string as 0 --- lib/msf/core/auxiliary/login.rb | 2 +- lib/msf/core/post/linux/priv.rb | 20 ++++++++++--------- .../session/provider/single_command_shell.rb | 19 ++++++++++++++++-- modules/post/linux/manage/sudo.rb | 6 +++--- 4 files changed, 32 insertions(+), 15 deletions(-) diff --git a/lib/msf/core/auxiliary/login.rb b/lib/msf/core/auxiliary/login.rb index 40deeb8cf1..94af2d0c41 100644 --- a/lib/msf/core/auxiliary/login.rb +++ b/lib/msf/core/auxiliary/login.rb @@ -130,7 +130,7 @@ module Auxiliary::Login end def password_prompt? - return true if @recvd =~ @password_regex + return true if(@recvd =~ @password_regex or @recvd =~ /#{datastore['USERNAME']}'s/) return false end diff --git a/lib/msf/core/post/linux/priv.rb b/lib/msf/core/post/linux/priv.rb index affff90659..c7df872bbf 100644 --- a/lib/msf/core/post/linux/priv.rb +++ b/lib/msf/core/post/linux/priv.rb @@ -6,19 +6,21 @@ module Linux module Priv include ::Msf::Post::Common - # Returns true if running as root, false if not. - def is_root? - root_priv = false - user_id = cmd_exec("id -u") - if user_id.to_i == 0 + # Returns true if running as root, false if not. + def is_root? + root_priv = false + user_id = cmd_exec("id -u") + if user_id and !user_id.empty? + if user_id.strip.lstrip.to_i == 0 root_priv = true - elsif user_id =~ /^\d*$/ + elsif user_id.to_s =~ /^\d*$/ root_priv = false - else - raise "Could not determine UID: #{user_id}" end - return root_priv + else + raise "Could not determine UID: #{user_id}" end + return root_priv + end end # Priv end # Linux diff --git a/lib/msf/core/session/provider/single_command_shell.rb b/lib/msf/core/session/provider/single_command_shell.rb index e9f540e4f0..0ed5b2c456 100644 --- a/lib/msf/core/session/provider/single_command_shell.rb +++ b/lib/msf/core/session/provider/single_command_shell.rb @@ -91,12 +91,27 @@ module SingleCommandShell def shell_command_token_unix(cmd, timeout=10) # read any pending data buf = shell_read(-1, 0.01) + set_shell_token_index(timeout) token = ::Rex::Text.rand_text_alpha(32) # Send the command to the session's stdin. - # NOTE: if the session echoes input we don't need to echo the token twice. shell_write(cmd + ";echo #{token}\n") - shell_read_until_token(token, 0, timeout) + shell_read_until_token(token, @shell_token_index, timeout) + end + + # NOTE: if the session echoes input we don't need to echo the token twice. + def set_shell_token_index(timeout) + return @shell_token_index if @shell_token_index + token = ::Rex::Text.rand_text_alpha(32) + numeric_token = rand(0xffffffff) + 1 + cmd = "echo #{numeric_token}" + shell_write(cmd + ";echo #{token}\n") + res = shell_read_until_token(token, 0, timeout) + if res.to_i == numeric_token + @shell_token_index = 0 + else + @shell_token_index = 1 + end end # diff --git a/modules/post/linux/manage/sudo.rb b/modules/post/linux/manage/sudo.rb index 06dbf68bed..d68e9069ab 100644 --- a/modules/post/linux/manage/sudo.rb +++ b/modules/post/linux/manage/sudo.rb @@ -48,6 +48,7 @@ class Metasploit3 < Msf::Post def run print_status("SUDO: Attempting to upgrade to UID 0 via sudo") sudo_bin = cmd_exec("which sudo") + my_id = cmd_exec("id -u") if is_root? print_status "Already root, so no need to upgrade permissions. Aborting." return @@ -98,10 +99,9 @@ class Metasploit3 < Msf::Post cmd_exec("echo echo #{password} >> #{askpass_sh}") cmd_exec("chmod +x #{askpass_sh}") vprint_status "Setting environment variable." - # Bruteforce-set the environment variable? is cmd_exec() always - # going to be in the context of /bin/sh ? + # Bruteforce-set the environment variable with both setenv and export. askpass_env = cmd_exec("setenv SUDO_ASKPASS #{askpass_sh}") - cmd_exec("export SUDO_ASKPASS=#{askpass_sh}") if askpass_env.to_s.empty? + cmd_exec("export SUDO_ASKPASS=#{askpass_sh}") vprint_status "Executing sudo -s -A" cmd_exec("sudo -s -A") vprint_status "Deleting the askpass script."