Module: Msf::Post::Linux::BusyBox

Includes:
Common, File
Defined in:
lib/msf/core/post/linux/busy_box.rb

Instance Method Summary collapse

Methods included from File

#_read_file_meterpreter, #_unix_max_line_length, #_write_file_unix_shell, #append_file, #attributes, #cd, #chmod, #dir, #directory?, #executable?, #exist?, #expand_path, #exploit_data, #file?, #file_local_write, #file_remote_digestmd5, #file_remote_digestsha1, #file_remote_digestsha2, #immutable?, #mkdir, #pwd, #read_file, #readable?, #rename_file, #rm_f, #rm_rf, #setuid?, #upload_and_chmodx, #upload_file, #writable?, #write_file

Methods included from Common

#clear_screen, #cmd_exec, #cmd_exec_get_pid, #command_exists?, #get_env, #get_envs, #has_pid?, #peer, #report_virtualization, #rhost, #rport

Instance Method Details

#busy_box_file_exist?(file_path) ⇒ Boolean

Note:

Msf::Post::File#file? doesnt work because test -f is not available in busybox

Checks if the file exists in the target

Parameters:

  • file_path (String)

    the target file path

Returns:

  • (Boolean)

    true if files exists, false otherwise


18
19
20
21
22
23
24
25
# File 'lib/msf/core/post/linux/busy_box.rb', line 18

def busy_box_file_exist?(file_path)
  contents = read_file(file_path)
  if contents.nil? || contents.empty?
    return false
  end

  true
end

#busy_box_is_writable_dir?(dir_path) ⇒ Boolean

Checks if the directory is writable in the target

Parameters:

  • dir_path (String)

    the target directory path

Returns:

  • (Boolean)

    true if target directory is writable, false otherwise


31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# File 'lib/msf/core/post/linux/busy_box.rb', line 31

def busy_box_is_writable_dir?(dir_path)
  res = false
  rand_str = Rex::Text.rand_text_alpha(16)
  file_path = "#{dir_path}/#{rand_str}"

  cmd_exec("echo #{rand_str}XXX#{rand_str} > #{file_path}")
  Rex::sleep(0.3)
  rcv = read_file(file_path)

  if rcv.include?("#{rand_str}XXX#{rand_str}")
    res = true
  end

  cmd_exec("rm -f #{file_path}")
  Rex::sleep(0.3)

  res
end

#busy_box_writable_dirString

Checks some directories that usually are writable in devices running busybox

Returns:

  • (String)

    If the function finds a writable directory, it returns the path. Else it returns nil


52
53
54
55
56
57
58
59
60
# File 'lib/msf/core/post/linux/busy_box.rb', line 52

def busy_box_writable_dir
  dirs = %w(/etc/ /mnt/ /var/ /var/tmp/)

  dirs.each do |d|
    return d if busy_box_is_writable_dir?(d)
  end

  nil
end

#busy_box_write_file(file_path, data, prepend = false) ⇒ Boolean

Note:

BusyBox commands are limited and Msf::Post::File#write_file doesn't work here, because of it is necessary to implement an specific method.

Writes data to a file

Parameters:

  • file_path (String)

    the file path to write on the target

  • data (String)

    the content to be written

  • prepend (Boolean) (defaults to: false)

    if true, prepend the data to the target file. Otherwise, overwrite the target file

Returns:

  • (Boolean)

    true if target file is writable and it was written. Otherwise, false.


72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# File 'lib/msf/core/post/linux/busy_box.rb', line 72

def busy_box_write_file(file_path, data, prepend = false)
  if prepend
    dir = busy_box_writable_dir
    return false unless dir
    cmd_exec("cp -f #{file_path} #{dir}tmp")
    Rex::sleep(0.3)
  end

  rand_str = Rex::Text.rand_text_alpha(16)
  cmd_exec("echo #{rand_str} > #{file_path}")
  Rex::sleep(0.3)

  unless read_file(file_path).include?(rand_str)
    return false
  end

  cmd_exec("echo \"\"> #{file_path}")
  Rex::sleep(0.3)

  lines = data.lines.map(&:chomp)
  lines.each do |line|
    cmd_exec("echo #{line.chomp} >> #{file_path}")
    Rex::sleep(0.3)
  end

  if prepend
    cmd_exec("cat #{dir}tmp >> #{file_path}")
    Rex::sleep(0.3)

    cmd_exec("rm -f #{dir}tmp")
    Rex::sleep(0.3)
  end

  true
end