Skip to content

Commit

Permalink
Add ForceExploit to Linux local modules
Browse files Browse the repository at this point in the history
  • Loading branch information
bcoles committed Nov 11, 2018
1 parent 7ee70f5 commit 40bc44d
Show file tree
Hide file tree
Showing 11 changed files with 102 additions and 32 deletions.
12 changes: 9 additions & 3 deletions modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ def initialize(info = {})
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ])
]
register_advanced_options [
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
Expand Down Expand Up @@ -168,12 +169,17 @@ def check
end

def exploit
if check != CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
unless check == CheckCode::Appears
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end

unless writable? base_dir
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ def initialize(info = {})
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ])
]
register_advanced_options [
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
Expand Down Expand Up @@ -164,12 +165,17 @@ def check
end

def exploit
if check != CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
unless check == CheckCode::Appears
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end

unless writable? base_dir
Expand Down
10 changes: 8 additions & 2 deletions modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,7 @@ def initialize(info = {})
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ])
]
register_advanced_options [
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
Expand Down Expand Up @@ -178,11 +179,16 @@ def check

def exploit
unless check == CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target not vulnerable! punt!'
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end

unless writable? base_dir
Expand Down
16 changes: 13 additions & 3 deletions modules/exploits/linux/local/glibc_realpath_priv_esc.rb
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ def initialize(info = {})
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ])
]
register_advanced_options [
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
Expand Down Expand Up @@ -161,12 +162,21 @@ def check
end

def exploit
unless check == CheckCode::Appears
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end

if check != CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end

unless writable? base_dir
Expand Down
14 changes: 10 additions & 4 deletions modules/exploits/linux/local/lastore_daemon_dbus_priv_esc.rb
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ def initialize(info = {})
'Targets' => [[ 'Auto', {} ]],
'DefaultTarget' => 0))
register_advanced_options [
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
Expand Down Expand Up @@ -119,12 +120,17 @@ def check
end

def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
unless check == CheckCode::Appears
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

if check != CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
if is_root?
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end

print_status 'Building package...'
Expand Down
10 changes: 8 additions & 2 deletions modules/exploits/linux/local/libuser_roothelper_priv_esc.rb
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ def initialize(info = {})
OptString.new('PASSWORD', [ true, 'Password for the current user', '' ])
]
register_advanced_options [
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
Expand Down Expand Up @@ -158,11 +159,16 @@ def check

def exploit
if check == CheckCode::Safe
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end

unless writable? base_dir
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ def initialize(info = {})
},
'DefaultTarget' => 0))
register_advanced_options [
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
Expand Down Expand Up @@ -95,12 +96,17 @@ def check
end

def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
unless check == CheckCode::Detected
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

if check != CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
if is_root?
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end

@payload_name = ".#{rand_text_alphanumeric rand(10..15)}"
Expand Down
10 changes: 8 additions & 2 deletions modules/exploits/linux/local/rds_priv_esc.rb
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ def initialize(info = {})
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ])
]
register_advanced_options [
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
Expand Down Expand Up @@ -151,11 +152,16 @@ def check

def exploit
unless check == CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end

unless writable? base_dir
Expand Down
16 changes: 11 additions & 5 deletions modules/exploits/linux/local/recvmmsg_priv_esc.rb
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ def initialize(info = {})
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ])
]
register_advanced_options [
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ])
]
end
Expand Down Expand Up @@ -132,7 +133,7 @@ def check

release = kernel_release
unless release =~ /^3\.11\.0-(12|15)-generic/ || release.eql?('3.8.0-19-generic')
print_error "Kernel #{release} #{version} is not exploitable"
vprint_error "Kernel #{release} #{version} is not exploitable"
return CheckCode::Safe
end
vprint_good "Kernel #{release} #{version} is exploitable"
Expand All @@ -141,12 +142,17 @@ def check
end

def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
unless check == CheckCode::Appears
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

if check != CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target not vulnerable! punt!'
if is_root?
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end

unless writable? base_dir
Expand Down
10 changes: 8 additions & 2 deletions modules/exploits/linux/local/sock_sendpage.rb
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ def initialize(info = {})
OptBool.new('DEBUG_EXPLOIT', [ true, "Make the exploit executable be verbose about what it's doing", false ])
]
register_advanced_options [
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ])
]
end
Expand Down Expand Up @@ -133,11 +134,16 @@ def check

def exploit
if check == CheckCode::Safe
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end

unless writable? base_dir
Expand Down
10 changes: 8 additions & 2 deletions modules/exploits/linux/local/ufo_privilege_escalation.rb
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,7 @@ def initialize(info = {})
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ])
]
register_advanced_options [
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
Expand Down Expand Up @@ -162,11 +163,16 @@ def check

def exploit
unless check == CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target not vulnerable! punt!'
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end

unless writable? base_dir
Expand Down

0 comments on commit 40bc44d

Please sign in to comment.