Factorize and remove includes

Speeds up compilation and removes dependency on bionic source

Author: egypt

lib/msf/core/exploit.rb

@@ -297,6 +297,7 @@ def abort_sockets
 	# algorithm.  It's just important that it returns an array of all of the
 	# mixin modules.
 	#
+	# @return [Array]
 	def self.mixins
 		mixins  = []
 		wl      = [ Msf::Exploit ]

lib/msf/core/exploit/local.rb

@@ -7,10 +7,10 @@ class Exploit
 
 ###
 #
-# The local exploit class is a specialization of the exploit module class that
-# is geared toward exploits that are performed locally.  Locally, in this
-# case, is defined as an exploit that is realized by means other than network
-# communication.
+# A specialization of the {Exploit exploit module class} that is geared
+# toward exploits that are performed locally.  Locally, in this case,
+# is defined as an exploit that is realized by means other than
+# network communication.
 #
 ###
 class Local < Exploit

lib/msf/core/post_mixin.rb

@@ -25,9 +25,10 @@ def initialize(info={})
 	end
 
 	#
-	# Grabs a session object from the framework or raises OptionValidateError
+	# Grabs a session object from the framework or raises {OptionValidateError}
 	# if one doesn't exist.  Initializes user input and output on the session.
 	#
+	# @raise [OptionValidateError] if {#session} returns nil
 	def setup
 		if not session
 			raise Msf::OptionValidateError.new(["SESSION"])
@@ -66,6 +67,9 @@ def cleanup
 	#
 	# Return the associated session or nil if there isn't one
 	#
+	# @return [Msf::Session]
+	# @return [nil] if the id provided in the datastore does not
+	#   correspond to a session
 	def session
 		# Try the cached one
 		return @session if @session and not session_changed?
@@ -84,6 +88,7 @@ def session
 	#
 	# Cached sysinfo, returns nil for non-meterpreter sessions
 	#
+	# @return [Hash,nil]
 	def sysinfo
 		begin
 			@sysinfo ||= session.sys.config.sysinfo
@@ -100,13 +105,15 @@ def post_commands
 		{}
 	end
 
+	# Whether this module's {Msf::Exploit::Stance} is {Msf::Exploit::Stance::Passive passive}
 	def passive?
 		self.passive
 	end
 
 	#
 	# Return a (possibly empty) list of all compatible sessions
 	#
+	# @return [Array]
 	def compatible_sessions
 		sessions = []
 		framework.sessions.each do |sid, s|
@@ -120,13 +127,18 @@ def compatible_sessions
 	# Return false if the given session is not compatible with this module
 	#
 	# Checks the session's type against this module's
-	# +module_info["SessionTypes"]+ as well as examining platform
-	# compatibility.  +sess_or_sid+ can be a Session object, Fixnum, or String.
-	# In the latter cases it sould be a key in in +framework.sessions+.
+	# <tt>module_info["SessionTypes"]</tt> as well as examining platform
+	# compatibility.  +sess_or_sid+ can be a Session object, Fixnum, or
+	# String.  In the latter cases it sould be a key in
+	# +framework.sessions+.
 	#
-	# NOTE: because it errs on the side of compatibility, a true return value
-	# from this method does not guarantee the module will work with the
-	# session.
+	# @note Because it errs on the side of compatibility, a true return
+	#   value from this method does not guarantee the module will work
+	#   with the session.
+	#
+	# @param sess_or_sid [Msf::Session,Fixnum,String]
+	#   A session or session ID to compare against this module for
+	#   compatibility.
 	#
 	def session_compatible?(sess_or_sid)
 		# Normalize the argument to an actual Session
@@ -186,6 +198,8 @@ def session_compatible?(sess_or_sid)
 	#
 	# True when this module is passive, false when active
 	#
+	# @return [Boolean]
+	# @see passive?
 	attr_reader :passive
 
 protected

modules/exploits/linux/local/udev_netlink.rb

@@ -27,7 +27,6 @@ class Metasploit4 < Msf::Exploit::Local
 	include Msf::Post::File
 	include Msf::Post::Common
 
-	include Msf::Exploit::Local::LinuxKernel
 	include Msf::Exploit::Local::Linux
 	include Msf::Exploit::Local::Unix
 
@@ -47,7 +46,7 @@ def initialize(info={})
 						'egypt'            # metasploit module
 					],
 				'Platform'      => [ 'linux' ],
-				'Arch'          => [ ARCH_X86 ],
+				'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
 				'SessionTypes'  => [ 'shell', 'meterpreter' ],
 				'References'    =>
 					[
@@ -103,53 +102,74 @@ def exploit
 			call exit
 		|
 
-		# Set up the same include order as the bionic build system.
-		# See external/source/meterpreter/source/bionic/libc/Jamfile
-		cparser.lexer.include_search_path = [
-			"external/source/meterpreter/source/bionic/libc/include/",
-			"external/source/meterpreter/source/bionic/libc/private/",
-			"external/source/meterpreter/source/bionic/libc/bionic/",
-			"external/source/meterpreter/source/bionic/libc/kernel/arch-x86/",
-			"external/source/meterpreter/source/bionic/libc/kernel/common/",
-			"external/source/meterpreter/source/bionic/libc/arch-x86/include/",
-		]
-
-		cparser.parse(%Q|
-			#define DEBUGGING
-			// Fixes a parse error in bionic's libc/kernel/arch-x86/asm/types.h
-			#ifndef __extension__
-			#define __extension__
-			#endif
-			// Fixes a parse error in bionic's libc/include/sys/cdefs_elf.h
-			// Doing #if on an undefined macro is fine in GCC, but a parse error in
-			// metasm.
-			#ifndef __STDC__
-			#define __STDC__ 0
-			#endif
-			#include <sys/types.h>
-			#include <stdarg.h>
-			#include <stdio.h>
-			#include <unistd.h>
-			#include <errno.h>
-		|)
-
-		[
-			"external/source/meterpreter/source/bionic/libc/bionic/__errno.c",
-			"external/source/meterpreter/source/bionic/libc/bionic/__set_errno.c",
-			"external/source/meterpreter/source/bionic/libc/stdio/stdio.c",
-		].each do |fname|
-			cparser.parse(File.read(fname), fname)
-		end
-
 		payload_path = "#{datastore["WritableDir"]}/#{Rex::Text.rand_text_alpha(10)}"
 		evil_path = "#{datastore["WritableDir"]}/#{Rex::Text.rand_text_alpha(10)}"
 
-		unix_socket_h(sc)
-		linux_x86_syscall_wrappers(sc)
-
 		main = %Q^
+/*
+** All of these includes are now factorized.
+**/
+/*
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <errno.h>
 #include <string.h>
 #include <linux/netlink.h>
+*/
+
+#define NETLINK_KOBJECT_UEVENT 15
+#define PF_NETLINK 16
+#define SOCK_DGRAM 2
+#define AF_NETLINK PF_NETLINK
+
+typedef unsigned short __kernel_sa_family_t;
+typedef unsigned int __socklen_t;
+typedef int __ssize_t;
+typedef unsigned int __u32;
+extern int close(int __fd);
+typedef unsigned short sa_family_t;
+typedef unsigned long size_t;
+extern int socket(int __domain, int __type, int __protocol);
+extern int sprintf(char *__s, const char *__format, ...);
+
+const struct iovec {
+	void *iov_base;
+	size_t iov_len;
+};
+extern void *memset(void *__s, int __c, size_t __n);
+
+const struct sockaddr {
+	sa_family_t sa_family;
+	char sa_data[14];
+};
+
+struct sockaddr_nl {
+	__kernel_sa_family_t nl_family;
+	unsigned short nl_pad;
+	__u32 nl_pid;
+	__u32 nl_groups;
+};
+typedef __socklen_t socklen_t;
+typedef __ssize_t ssize_t;
+
+extern int bind(int __fd, const struct sockaddr *__addr, socklen_t __len);
+
+const struct msghdr {
+	void *msg_name;
+	socklen_t msg_namelen;
+	const struct iovec *msg_iov;
+	size_t msg_iovlen;
+	void *msg_control;
+	size_t msg_controllen;
+	int msg_flags;
+};
+
+extern ssize_t sendmsg(int __fd, const struct msghdr *__message, int __flags);
+/* end factorize */
+
 #define NULL 0
 
 int main() {
@@ -196,6 +216,10 @@ def exploit
 }
 ^
 		cparser.parse(main, "main.c")
+		# This will give you all the structs and #defines (from all included
+		# headers) that are actually used by our C code so we can avoid
+		# needing them at runtime.
+		#puts cparser.factorize
 
 		asm = cpu.new_ccompiler(cparser, sc).compile