review of ubuntu_needrestart_lpe

h00die · h00die · commit 437c9fc99edd · 2025-01-09T16:23:09.000-05:00
diff --git a/documentation/modules/exploit/linux/local/ubuntu_needrestart_lpe.md b/documentation/modules/exploit/linux/local/ubuntu_needrestart_lpe.md
@@ -10,7 +10,7 @@ Exploitation against vulnerable needrestart versions on
 Debian 12 and Fedora 39 were unsuccessful
 however install and run instructions are listed below.
 
-### Debian 
+### Debian
 
 Install: `apt-get install needrestart=3.6-4+deb12u1`
 
@@ -36,6 +36,10 @@ Binary location: `/usr/sbin/needrestart`
 
 ## Options
 
+### ListenerTimeout
+
+The maximum number of seconds to wait for session. Defaults to `90,000` which is 25hrs.
+
 ## Scenarios
 
 ### Ubuntu 22.04 with needrestart 3.5-5ubuntu2.1
diff --git a/modules/exploits/linux/local/ubuntu_needrestart_lpe.rb b/modules/exploits/linux/local/ubuntu_needrestart_lpe.rb
@@ -36,7 +36,8 @@ def initialize(info = {})
         ],
         'Platform' => [ 'linux' ],
         'Arch' => [ ARCH_X86, ARCH_X64 ],
-        'Stance' => Msf::Exploit::Stance::Passive, # seems to not work...
+        'Stance' => Msf::Exploit::Stance::Passive,
+        'Passive' => true,
         'SessionTypes' => [ 'shell', 'meterpreter' ],
         'Targets' => [[ 'Auto', {} ]],
         'Privileged' => true,
@@ -55,7 +56,8 @@ def initialize(info = {})
       )
     )
     register_advanced_options [
-      OptString.new('WritableDir', [ true, 'A directory where we can write and execute files', '/tmp' ])
+      OptString.new('WritableDir', [ true, 'A directory where we can write and execute files', '/tmp' ]),
+      OptInt.new('ListenerTimeout', [ true, 'The maximum number of seconds to wait for session', 90_000 ]) # 25hrs
     ]
   end
 
@@ -105,7 +107,7 @@ def check
 
     return CheckCode::Appears("Vulnerable needrestart version #{package} detected on Ubuntu #{version}") if package < fixed_versions[version]
 
-    CheckCode::Safe("needrestart is not vulnerable on Ubuntu #{version}")
+    CheckCode::Safe("needrestart version #{package} is not vulnerable on Ubuntu #{version}")
   end
 
   def exploit
@@ -166,9 +168,8 @@ def exploit
 
     # Launch exploit with a timeout.  We also have a vprint_status so if the user wants all the
     # output from the exploit being run, they can optionally see it
-    timeout = 90_000 # 25 hours
     print_status 'Launching exploit, and waiting for needrestart to run...'
-    output = cmd_exec "PYTHONPATH=\"#{base_dir}\" python3 '#{py_stub_path}'", nil, timeout
+    output = cmd_exec "PYTHONPATH=\"#{base_dir}\" python3 '#{py_stub_path}'", nil, datastore['ListenerTimeout']
     output.each_line { |line| vprint_status line.chomp }
   end
 end
