The check method in modules/exploits/unix/local/setuid_nmap.rb:54 uses `session.fs.file.stat`, which is not compatible with shell sessions, despite the module specifying `'SessionTypes' => [ 'shell', 'meterpreter' ]`.
Upgrading the shell session to meterpreter allows Multi Recon Local Exploit Suggester to function as expected.
```
msf exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > sessions

Active sessions
===============

  Id  Name  Type      Information  Connection
  --  ----  ----      -----------  ----------
  1   shell cmd/unix               172.16.191.244:1337 -> 172.16.191.252:51338 (172.16.191.252)

msf post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf post(multi/recon/local_exploit_suggester) > run

[*] 172.16.191.252 - Collecting local exploits for cmd/unix...
[*] 172.16.191.252 - 7 exploit checks are being tried...
[-] 172.16.191.252 - Post failed: NoMethodError undefined method `fs' for #<Session:shell 172.16.191.252:51338 (172.16.191.252) "">
[-] 172.16.191.252 - Call stack:
[-] 172.16.191.252 -   /pentest/exploit/metasploit-framework/modules/exploits/unix/local/setuid_nmap.rb:54:in `check'
[-] 172.16.191.252 -   /pentest/exploit/metasploit-framework/modules/post/multi/recon/local_exploit_suggester.rb:136:in `block in run'
[-] 172.16.191.252 -   /pentest/exploit/metasploit-framework/modules/post/multi/recon/local_exploit_suggester.rb:134:in `each'
[-] 172.16.191.252 -   /pentest/exploit/metasploit-framework/modules/post/multi/recon/local_exploit_suggester.rb:134:in `run'
[*] Post module execution completed
```
It's worth noting that a quick review of the Setuid Nmap Exploit module shows the exploit should work with either shell or meterpreter sessions - it's only the check method which is problematic.
As such, the module could probably be updated to use something like the following (which I stole from here):
```ruby
# Shell-based setuid check: `test -u` succeeds when the setuid bit is set,
# so the command only echoes "true" for a setuid file.
def setuid?(remote_file)
  cmd_exec("test -u '#{remote_file.strip}' && echo true").include?('true')
end
```

That or the post API (which is supposed to make this stuff work transparently for module writers?) could just be extended to have the method on shell sessions.
@busterb , that would be preferable.
Using `[ ]` might be more widely supported than `test`?
I started refactoring but got side tracked.
```ruby
def check
  # -u tests the setuid bit (the earlier draft used -s, which only tests
  # for a non-empty file and would have reported every nmap binary as suid)
  if cmd_exec("[ -u '#{nmap_path}' ] && echo true").include?('true')
    vprint_good("#{nmap_path} executable is suid")
    return CheckCode::Vulnerable
  end
  CheckCode::Safe
end
```
Yep, the Post API was designed to make this transparent for module authors. Obviously this is not how history played out. I'd update the Post API and then the module and any other modules that are affected.
I see what happened here.
GLHF :P
`test` is fine. `[` is usually the same thing, but it requires `]`. Both are POSIX if that matters to you.
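Added example, not code from the Metasploit module or from any commenter above: a session-agnostic `setuid?` helper in the spirit of the Post API fix discussed in this thread, which uses a stat-style call when the session exposes `fs` and falls back to the POSIX `test -u` command otherwise. The session classes, the mode-bit stat shape and the `SetuidCheck` name are assumptions; the two session stand-ins are constructed so the check runs offline against a local temp file.

```ruby
require 'tempfile'
require 'shellwords'

# Constructed stand-in for a shell session: runs the command through the
# local /bin/sh (assumption: a POSIX sh is available).
class LocalShellSession
  def cmd_exec(cmd)
    `sh -c #{Shellwords.escape(cmd)}`
  end
end

# Constructed stand-in for a meterpreter session exposing fs.file.stat(path)
# with a .mode attribute (assumed shape, modelled on File.stat).
class LocalMeterpreterSession
  Stat = Struct.new(:mode)
  def fs;   self; end
  def file; self; end
  def stat(path)
    Stat.new(File.stat(path).mode)
  end
end

module SetuidCheck
  SETUID_BIT = 04000

  # Works for either session type: meterpreter via stat, shell via test -u.
  def self.setuid?(session, remote_file)
    if session.respond_to?(:fs)
      (session.fs.file.stat(remote_file).mode & SETUID_BIT) != 0
    else
      cmd = "test -u #{Shellwords.escape(remote_file.strip)} && echo true"
      session.cmd_exec(cmd).include?('true')
    end
  end

  # Creates a temp file, flips its setuid bit on and off, and returns the
  # verdicts as [shell_suid, meterpreter_suid, shell_plain, meterpreter_plain].
  def self.demo
    Tempfile.create('nmap-stub') do |f|
      sessions = [LocalShellSession.new, LocalMeterpreterSession.new]
      File.chmod(04755, f.path)
      with_suid = sessions.map { |s| setuid?(s, f.path) }
      File.chmod(0755, f.path)
      without_suid = sessions.map { |s| setuid?(s, f.path) }
      with_suid + without_suid
    end
  end
end
```

Both session types agree on the same file, which is the property the Post API extension proposed above would give every module for free.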