review comments

h00die · Dec 23, 2023 · a5698f6 · a5698f6
1 parent 5e30328
commit a5698f6
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/documentation/modules/exploit/linux/local/saltstack_salt_minion_deployer.md b/documentation/modules/exploit/linux/local/saltstack_salt_minion_deployer.md
@@ -31,7 +31,7 @@ A directory on the compromised host we can write our payload to. Defaults to `/t
 
 ## TargetWritableDir
 
-A directory on the target hosts we can write our payload to. Defaults to `/tmp`
+A directory on the target hosts we can write and execute our payload to. Defaults to `/tmp`
 
 ## CALCULATE
 

diff --git a/modules/exploits/linux/local/saltstack_salt_minion_deployer.rb b/modules/exploits/linux/local/saltstack_salt_minion_deployer.rb
@@ -45,21 +45,20 @@ def initialize(info = {})
       )
     )
     register_options [
-      OptString.new('SALT', [true, 'salt-master executable location', '']),
+      OptString.new('SALT', [true, 'salt-master executable location', '/usr/bin/salt-master']),
       OptString.new('MINIONS', [true, 'Minions Target', '*']),
       OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
-      OptString.new('TargetWritableDir', [ true, 'A directory where we can write files on targets', '/tmp' ]),
+      OptString.new('TargetWritableDir', [ true, 'A directory where we can write and execute files on targets', '/tmp' ]),
       OptBool.new('CALCULATE', [ true, 'Calculate how many boxes will be attempted', true ]),
       OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions', 60 ]),
-      OptInt.new('TIMEOUT', [true, 'Timeout for salt commands to run', 120])
+      OptInt.new('TIMEOUT', [true, 'Timeout for salt commands to run in seconds', 120])
     ]
   end
 
   def salt_master
     return @salt if @salt
 
     ['/usr/bin/salt-master', datastore['SALT']].each do |exec|
-      next unless file?(exec)
       next unless executable?(exec)
 
       @salt = exec
@@ -76,8 +75,6 @@ def list_minions
       return
     end
 
-    count = 0
-
     begin
       out = cmd_exec('salt-key', '-L --output=yaml', datastore['TIMEOUT'])
       vprint_status(out)
@@ -95,13 +92,16 @@ def list_minions
 
     store_path = store_loot('saltstack_minions', 'application/x-yaml', session, minions.to_yaml, 'minions.yaml', 'SaltStack Salt salt-key list')
     print_good("#{peer} - minion file successfully retrieved and saved to #{store_path}")
+    count = 0
     minions['minions'].each do |minion|
       tbl << ['Accepted', minion]
       count += 1
     end
 
     print_good(tbl.to_s)
-    print_good("#{count} minions were found accepted, and will attempt to execute payload. Waiting 10 seconds incase this isn't optimal.")
+
+    # https://github.com/rapid7/metasploit-framework/pull/18626#discussion_r1434577017
+    print_good("#{count} minions were found in the accepted state, and will attempt to execute payload. If this isn't an expected volume (too many), ctr+c to halt execution. Pausing 10 seconds.")
     Rex.sleep(10)
   end