From c3080d69f2ac785a3e16d6b461f7b4a924827060 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Sun, 4 Nov 2018 05:28:32 +0000 Subject: [PATCH] Use writable? method for local modules --- .../local/af_packet_chocobo_root_priv_esc.rb | 2 +- .../local/af_packet_packet_set_ring_priv_esc.rb | 2 +- modules/exploits/linux/local/bpf_priv_esc.rb | 12 +++++++----- .../linux/local/bpf_sign_extension_priv_esc.rb | 2 +- .../linux/local/glibc_realpath_priv_esc.rb | 2 +- .../linux/local/libuser_roothelper_priv_esc.rb | 2 +- .../exploits/linux/local/rc_local_persistence.rb | 16 ++++++++-------- modules/exploits/linux/local/rds_priv_esc.rb | 2 +- .../exploits/linux/local/recvmmsg_priv_esc.rb | 2 +- modules/exploits/linux/local/sock_sendpage.rb | 2 +- .../linux/local/ufo_privilege_escalation.rb | 2 +- .../osx/local/dyld_print_to_file_root.rb | 5 +++-- modules/exploits/osx/local/rootpipe.rb | 7 +++++-- .../exploits/osx/local/rootpipe_entitlements.rb | 3 ++- modules/exploits/osx/local/rsh_libmalloc.rb | 3 ++- modules/exploits/osx/local/setuid_tunnelblick.rb | 2 +- modules/exploits/osx/local/setuid_viscosity.rb | 2 +- modules/exploits/osx/local/tpwn.rb | 5 +++-- .../osx/local/vmware_bash_function_root.rb | 6 ++++-- modules/post/multi/recon/sudo_commands.rb | 8 ++------ 20 files changed, 47 insertions(+), 40 deletions(-) diff --git a/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb b/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb index e104638353..84c600ab59 100644 --- a/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb +++ b/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb @@ -176,7 +176,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::BadConfig, 'Session already has root privileges' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/linux/local/af_packet_packet_set_ring_priv_esc.rb b/modules/exploits/linux/local/af_packet_packet_set_ring_priv_esc.rb index 0bd66f5783..9381543e08 100644 --- a/modules/exploits/linux/local/af_packet_packet_set_ring_priv_esc.rb +++ b/modules/exploits/linux/local/af_packet_packet_set_ring_priv_esc.rb @@ -172,7 +172,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::BadConfig, 'Session already has root privileges' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/linux/local/bpf_priv_esc.rb b/modules/exploits/linux/local/bpf_priv_esc.rb index a60f513841..654ba3faee 100644 --- a/modules/exploits/linux/local/bpf_priv_esc.rb +++ b/modules/exploits/linux/local/bpf_priv_esc.rb @@ -50,11 +50,13 @@ class MetasploitModule < Msf::Exploit::Local 'Privileged' => true } )) - register_options([ - OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), - OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]), - OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 120 ]) - ]) + register_options [ + OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]), + OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 120 ]) + ] + register_advanced_options [ + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), + ] end def check diff --git a/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb b/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb index 2337d2964f..e4ebb086bc 100644 --- a/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb +++ b/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb @@ -185,7 +185,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::BadConfig, 'Session already has root privileges' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/linux/local/glibc_realpath_priv_esc.rb b/modules/exploits/linux/local/glibc_realpath_priv_esc.rb index 9d4fefd3c2..075185bb43 100644 --- a/modules/exploits/linux/local/glibc_realpath_priv_esc.rb +++ b/modules/exploits/linux/local/glibc_realpath_priv_esc.rb @@ -169,7 +169,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::NotVulnerable, 'Target is not vulnerable' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/linux/local/libuser_roothelper_priv_esc.rb b/modules/exploits/linux/local/libuser_roothelper_priv_esc.rb index 2edd4a64fd..b4670a21fb 100644 --- a/modules/exploits/linux/local/libuser_roothelper_priv_esc.rb +++ b/modules/exploits/linux/local/libuser_roothelper_priv_esc.rb @@ -165,7 +165,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::BadConfig, 'Session already has root privileges' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/linux/local/rc_local_persistence.rb b/modules/exploits/linux/local/rc_local_persistence.rb index a35dd83f90..6d83453bf4 100644 --- a/modules/exploits/linux/local/rc_local_persistence.rb +++ b/modules/exploits/linux/local/rc_local_persistence.rb @@ -36,22 +36,22 @@ class MetasploitModule < Msf::Exploit::Local end def exploit - unless cmd_exec("test -w '/etc/rc.local' && echo true").include? 'true' - fail_with Failure::BadConfig, '/etc/rc.local is not writable' + rc_path = '/etc/rc.local' + + unless writable? rc_path + fail_with Failure::BadConfig, "#{rc_path} is not writable" end - print_status('Reading /etc/rc.local') + print_status "Reading #{rc_path}" # read /etc/rc.local, but remove `exit 0` - rc_local = read_file('/etc/rc.local').gsub(/^exit.*$/, '') + rc_local = read_file(rc_path).gsub(/^exit.*$/, '') # add payload and put back `exit 0` rc_local << "\n#{payload.encoded}\nexit 0\n" # write new file - print_status('Patching /etc/rc.local') - write_file('/etc/rc.local', rc_local) + print_status "Patching #{rc_path}" + write_file(rc_path, rc_local) end end - - diff --git a/modules/exploits/linux/local/rds_priv_esc.rb b/modules/exploits/linux/local/rds_priv_esc.rb index cb184f470b..045117850a 100644 --- a/modules/exploits/linux/local/rds_priv_esc.rb +++ b/modules/exploits/linux/local/rds_priv_esc.rb @@ -158,7 +158,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::BadConfig, 'Session already has root privileges' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/linux/local/recvmmsg_priv_esc.rb b/modules/exploits/linux/local/recvmmsg_priv_esc.rb index bfb40c429b..9139bd3ef9 100644 --- a/modules/exploits/linux/local/recvmmsg_priv_esc.rb +++ b/modules/exploits/linux/local/recvmmsg_priv_esc.rb @@ -149,7 +149,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::NotVulnerable, 'Target not vulnerable! punt!' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/linux/local/sock_sendpage.rb b/modules/exploits/linux/local/sock_sendpage.rb index 44a194e082..86e7ff1633 100644 --- a/modules/exploits/linux/local/sock_sendpage.rb +++ b/modules/exploits/linux/local/sock_sendpage.rb @@ -140,7 +140,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::BadConfig, 'Session already has root privileges' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/linux/local/ufo_privilege_escalation.rb b/modules/exploits/linux/local/ufo_privilege_escalation.rb index faba6c155e..f996eebe86 100644 --- a/modules/exploits/linux/local/ufo_privilege_escalation.rb +++ b/modules/exploits/linux/local/ufo_privilege_escalation.rb @@ -169,7 +169,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::BadConfig, 'Session already has root privileges' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/osx/local/dyld_print_to_file_root.rb b/modules/exploits/osx/local/dyld_print_to_file_root.rb index f4e7ddd504..093f94e845 100644 --- a/modules/exploits/osx/local/dyld_print_to_file_root.rb +++ b/modules/exploits/osx/local/dyld_print_to_file_root.rb @@ -6,6 +6,7 @@ class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking + include Msf::Post::File include Msf::Post::OSX::Priv include Msf::Post::OSX::System include Msf::Exploit::EXE @@ -43,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Local 'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/shell_reverse_tcp' } )) - register_options [ + register_advanced_options [ OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes']) ] end @@ -65,7 +66,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::NotVulnerable, 'Target is not vulnerable' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/osx/local/rootpipe.rb b/modules/exploits/osx/local/rootpipe.rb index b298ef4ca7..e1ee79e30b 100644 --- a/modules/exploits/osx/local/rootpipe.rb +++ b/modules/exploits/osx/local/rootpipe.rb @@ -6,6 +6,7 @@ class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking + include Msf::Post::File include Msf::Post::OSX::Priv include Msf::Post::OSX::System include Msf::Exploit::EXE @@ -52,7 +53,9 @@ class MetasploitModule < Msf::Exploit::Local )) register_options [ - OptString.new('PYTHON', [true, 'Python executable', '/usr/bin/python']), + OptString.new('PYTHON', [true, 'Python executable', '/usr/bin/python']) + ] + register_advanced_options [ OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes']) ] end @@ -78,7 +81,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::NotVulnerable, 'Target is not vulnerable' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/osx/local/rootpipe_entitlements.rb b/modules/exploits/osx/local/rootpipe_entitlements.rb index f79329e1da..ef15b31f80 100644 --- a/modules/exploits/osx/local/rootpipe_entitlements.rb +++ b/modules/exploits/osx/local/rootpipe_entitlements.rb @@ -6,6 +6,7 @@ class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking + include Msf::Post::File include Msf::Post::OSX::Priv include Msf::Post::OSX::System include Msf::Exploit::EXE @@ -74,7 +75,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::NotVulnerable, 'Target is not vulnerable' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/osx/local/rsh_libmalloc.rb b/modules/exploits/osx/local/rsh_libmalloc.rb index 5b9a97d3b1..7eea3024a4 100644 --- a/modules/exploits/osx/local/rsh_libmalloc.rb +++ b/modules/exploits/osx/local/rsh_libmalloc.rb @@ -6,6 +6,7 @@ class MetasploitModule < Msf::Exploit::Local Rank = NormalRanking + include Msf::Post::File include Msf::Post::OSX::Priv include Msf::Post::OSX::System include Msf::Exploit::EXE @@ -58,7 +59,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::BadConfig, 'Session already has root privileges' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/osx/local/setuid_tunnelblick.rb b/modules/exploits/osx/local/setuid_tunnelblick.rb index 187bc16147..4803ffc326 100644 --- a/modules/exploits/osx/local/setuid_tunnelblick.rb +++ b/modules/exploits/osx/local/setuid_tunnelblick.rb @@ -87,7 +87,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::NotVulnerable, 'Target is not vulnerable' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/osx/local/setuid_viscosity.rb b/modules/exploits/osx/local/setuid_viscosity.rb index a81cfbf3cd..3c78c0724f 100644 --- a/modules/exploits/osx/local/setuid_viscosity.rb +++ b/modules/exploits/osx/local/setuid_viscosity.rb @@ -89,7 +89,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::NotVulnerable, 'Target is not vulnerable' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/osx/local/tpwn.rb b/modules/exploits/osx/local/tpwn.rb index c5a9da5ced..646d5984d1 100644 --- a/modules/exploits/osx/local/tpwn.rb +++ b/modules/exploits/osx/local/tpwn.rb @@ -6,6 +6,7 @@ class MetasploitModule < Msf::Exploit::Local Rank = NormalRanking + include Msf::Post::File include Msf::Post::OSX::Priv include Msf::Post::OSX::System include Msf::Exploit::EXE @@ -39,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Local 'DefaultTarget' => 0 )) - register_options [ + register_advanced_options [ OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes']) ] end @@ -61,7 +62,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::NotVulnerable, 'Target is not vulnerable' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/exploits/osx/local/vmware_bash_function_root.rb b/modules/exploits/osx/local/vmware_bash_function_root.rb index 274679fdea..fe044b5689 100644 --- a/modules/exploits/osx/local/vmware_bash_function_root.rb +++ b/modules/exploits/osx/local/vmware_bash_function_root.rb @@ -54,9 +54,11 @@ class MetasploitModule < Msf::Exploit::Local )) register_options [ - OptString.new('WritableDir', [true, 'Writable directory', '/tmp']), OptString.new('VMWARE_PATH', [true, "The path to VMware.app", '/Applications/VMware Fusion.app']), ] + register_advanced_options [ + OptString.new('WritableDir', [true, 'Writable directory', '/tmp']) + ] end def base_dir @@ -90,7 +92,7 @@ class MetasploitModule < Msf::Exploit::Local fail_with Failure::NotVulnerable, 'Target is not vulnerable' end - unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end diff --git a/modules/post/multi/recon/sudo_commands.rb b/modules/post/multi/recon/sudo_commands.rb index fb9d0090e7..f6c0751b06 100644 --- a/modules/post/multi/recon/sudo_commands.rb +++ b/modules/post/multi/recon/sudo_commands.rb @@ -43,10 +43,6 @@ class MetasploitModule < Msf::Post datastore['PASSWORD'].to_s end - def is_writable?(path) - cmd_exec("test -w '#{path}' && echo true").include? 'true' - end - def is_executable?(path) cmd_exec("test -x '#{path}' && echo true").include? 'true' end @@ -84,11 +80,11 @@ class MetasploitModule < Msf::Post base_name = File.basename cmd if file_exist? cmd - if is_writable? cmd + if writable? cmd print_good "#{cmd} is writable!" return true end - elsif is_writable? base_dir + elsif writable? base_dir print_good "#{cmd} does not exist and #{base_dir} is writable!" return true end