
Clean up the temporary script with the clear text password in it from sudo module #13899

Merged
merged 2 commits into from
Jul 26, 2020

Conversation

digitalcombine

@digitalcombine digitalcombine commented Jul 24, 2020

Fixes #13893

[*] Command shell session 1 opened (192.168.14.98:1285 -> 192.168.14.11:50428) at 2020-07-25 08:44:34 -0600

msf5 exploit(multi/handler) > use post/multi/manage/sudo
msf5 post(multi/manage/sudo) > set VERBOSE true
verbose => true
msf5 post(multi/manage/sudo) > set PASSWORD the$sign
password => the$sign
msf5 post(multi/manage/sudo) > set SESSION 1
session => 1
msf5 post(multi/manage/sudo) > run

[*] SUDO: Attempting to upgrade to UID 0 via sudo
[*] Sudoing with password `the$sign'.
[*] Writing the SUDO_ASKPASS script: /tmp/.ghIpLFa
[*] Max line length is 4096
[*] Writing 28 bytes in 1 chunks of 102 bytes (octal-encoded), using printf
[*] Setting executable bit.
[*] Setting environment variable.
[*] Executing sudo -s -A
[+] SUDO: Root shell secured.
[*] Post module execution completed
msf5 post(multi/manage/sudo) > sessions -i 1
[*] Starting interaction with 1...

id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
cat /tmp/.ghIpLFa
cat: /tmp/.ghIpLFa: No such file or directory
ls -la /tmp/.ghIpLFa
ls: /tmp/.ghIpLFa: No such file or directory


bcoles commented Jul 26, 2020

LGTM

Before:

msf5 exploit(multi/handler) > [*] Command shell session 1 opened (172.16.191.165:1338 -> 172.16.191.139:46376) at 2020-07-26 01:28:31 -0400

msf5 exploit(multi/handler) > use post/multi/manage/sudo 
msf5 post(multi/manage/sudo) > set verbose true
verbose => true
msf5 post(multi/manage/sudo) > set session 1
session => 1
msf5 post(multi/manage/sudo) > set password password
password => password
msf5 post(multi/manage/sudo) > run

[*] SUDO: Attempting to upgrade to UID 0 via sudo
[*] Sudoing with password `password'.
[*] Writing the SUDO_ASKPASS script: /tmp/.JgdUOab
[*] Max line length is 4096
[*] Writing 26 bytes in 1 chunks of 95 bytes (octal-encoded), using printf
[*] Setting executable bit.
[*] Setting environment variable.
[*] Executing sudo -s -A
[+] SUDO: Root shell secured.
[*] Post module execution completed
msf5 post(multi/manage/sudo) > sessions -i 1
[*] Starting interaction with 1...

id
uid=0(root) gid=0(root) groups=0(root)
cat /tmp/.JgdUOab
#!/bin/sh
echo 'password'
^C
Abort session 1? [y/N]  y

[*] 172.16.191.139 - Command shell session 1 closed.  Reason: User exit
msf5 post(multi/manage/sudo) > 

After:

msf5 post(multi/manage/sudo) > edit modules/post/multi/manage/sudo.rb
[-] Reloading Metasploit modules is not supported (try "reload")
msf5 post(multi/manage/sudo) > reload
[*] Reloading module...
msf5 post(multi/manage/sudo) > [*] Command shell session 2 opened (172.16.191.165:1338 -> 172.16.191.139:46378) at 2020-07-26 01:30:00 -0400

msf5 post(multi/manage/sudo) > set session 2
session => 2
msf5 post(multi/manage/sudo) > run

[*] SUDO: Attempting to upgrade to UID 0 via sudo
[*] Sudoing with password `password'.
[*] Writing the SUDO_ASKPASS script: /tmp/.PQlIBsi
[*] Max line length is 4096
[*] Writing 26 bytes in 1 chunks of 95 bytes (octal-encoded), using printf
[*] Setting executable bit.
[*] Setting environment variable.
[*] Executing sudo -s -A
[+] SUDO: Root shell secured.
[*] Post module execution completed
msf5 post(multi/manage/sudo) > sessions -i 2
[*] Starting interaction with 2...

id
uid=0(root) gid=0(root) groups=0(root)
cat /tmp/.PQlIBsi
cat: /tmp/.PQlIBsi: No such file or directory

@bcoles bcoles self-assigned this Jul 26, 2020

@bcoles bcoles left a comment


Works as described. Ideally the password should never be written to /tmp/ (or at least chmod(askpass_sh, 700)) but that's just one of many problems with this module. Approved.
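The two hardening points raised in this review (never leave the helper script world-readable, and never leave it behind) can both be expressed as one small pattern. The following Ruby is an added illustration written for this page, not code from the sudo module or from Metasploit: it contrasts a plain File.write (whose resulting mode depends on the process umask, and which never cleans up) with a helper that creates a private 0700 directory, opens the file with an explicit 0700 mode and O_EXCL, and removes everything in an ensure block so cleanup runs on every exit path, including exceptions. The secret content is a constructed placeholder.

```ruby
require 'tmpdir'
require 'fileutils'

# Constructed placeholder; stands in for whatever secret the helper carries.
EXAMPLE_SECRET = 'example-placeholder-secret'

# Weak pattern: File.write honours the process umask (0644 under a typical
# umask of 022, i.e. world-readable) and nothing removes the file afterwards.
def write_helper_weak(dir)
  path = File.join(dir, 'helper_weak.sh')
  File.write(path, "#!/bin/sh\necho '#{EXAMPLE_SECRET}'\n")
  path
end

# Hardened pattern: Dir.mktmpdir creates the directory 0700, the file is
# created 0700 with O_EXCL (so a pre-planted symlink at that path is not
# followed), and the ensure clause deletes the directory tree whether the
# block returns normally or raises.
def with_private_helper(content)
  dir = Dir.mktmpdir('.helper-')
  path = File.join(dir, 'helper.sh')
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o700) do |f|
    f.write(content)
  end
  yield path
ensure
  FileUtils.remove_entry_secure(dir) if dir && File.directory?(dir)
end

# Permission bits of a path, e.g. 0o700.
def mode_bits(path)
  File.stat(path).mode & 0o777
end

# True when the "other" read bit is set.
def world_readable?(path)
  (mode_bits(path) & 0o004) != 0
end

# Runs the hardened helper and reports what was observable while it existed
# and whether anything was left behind.
def demonstrate
  mode_inside = nil
  readable_inside = nil
  path_seen = nil
  with_private_helper("#!/bin/sh\necho '#{EXAMPLE_SECRET}'\n") do |path|
    path_seen = path
    mode_inside = mode_bits(path)
    readable_inside = world_readable?(path)
  end
  { mode: mode_inside, world_readable: readable_inside, left_behind: File.exist?(path_seen) }
end

# Confirms the ensure clause still removes the helper when the block raises.
def cleanup_on_error?
  path_seen = nil
  begin
    with_private_helper("#!/bin/sh\n") do |path|
      path_seen = path
      raise 'simulated failure after the helper was written'
    end
  rescue RuntimeError
    # expected: the simulated failure propagates after cleanup
  end
  !File.exist?(path_seen)
end

if $PROGRAM_NAME == __FILE__
  puts demonstrate.inspect
  puts "cleanup on error: #{cleanup_on_error?}"
end
```

The weak variant is kept only to make the contrast concrete; a permission check such as world_readable? is the kind of assertion a module test could make against any helper it drops, and the ensure block is what turns "remove the file upon completion" into "remove the file on every path".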

@bcoles bcoles merged commit b855b80 into rapid7:master Jul 26, 2020
@bcoles bcoles added the rn-fix release notes fix label Jul 26, 2020

bcoles commented Jul 26, 2020

Release Notes

Updated the post/multi/manage/sudo module to automatically remove clear text sudo passwords from temporary files created in /tmp/ upon completion.

@digitalcombine digitalcombine deleted the module_sudo_cleanup branch July 26, 2020 14:51
Labels: bug, rn-fix (release notes fix)
Development

Successfully merging this pull request may close these issues:

multi/manage/sudo leaves clear text password in world-readable file in /tmp/