Init

gardnerapp · gardnerapp · commit edc187a0a56c · 2025-04-15T15:33:51.000-04:00
diff --git a/modules/exploits/linux/local/cve_2020_9931_apport_symlink_privesc.rb b/modules/exploits/linux/local/cve_2020_9931_apport_symlink_privesc.rb
@@ -0,0 +1,90 @@
+# Randomness itself is a give away of exploitation
+class MetasploitModule < Msf::Exploit::Local
+  Rank = NormalRanking
+
+  # TODO get exact apport version after setting up a test environment
+  # TODO targets in the initialize method and how they work
+  # TODO other priv esc vectors, startup folders, periodic scripts 
+  # The vunerable version of apport may be available on other systems, distros and versions 
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Ubuntu Xenial Xerus Apport Symlink Hijacking Privilege Escalation ',
+        'Description' => %q{
+        	On the Ubuntu Xenial Xerus 16.04.7 release the Apport 2.20 crash handler is vulnerable
+        	to symlink injection. Following a crash Apport will write reports to /var/lock/apport/lock, 
+        	an attacker who can create a symlink to a privileged directory via /var/lock/apport will be 
+        	able to create files with global 0777 permissions. This module exploits this weaknes by writing 
+        	payloads to /etc/crontab/ as the root user.  
+          
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [ 
+        	'gardnerapp' # mirageinfosec.cloud
+        ],
+        'References' => [
+          [
+           'URL', 'https://nostarch.com/zero-day' # pg. 59
+          ]
+        ],
+        'Platform' => 'linux',
+        'Targets' => [
+          [
+            
+          ]
+        ],
+        'Payload' => {
+          'BadChars' => "\x00"
+        },
+        'Privileged' => false,
+        'DisclosureDate' => '',
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
+        },
+      )
+      register_options [
+      	OptString.new('Cron Name', [true, 'Name of the Crontab file', Rex::Text.rand_text_alpha(rand(8..12))])
+      ]
+    )
+  end
+
+  def check
+  	# Check Ubuntu
+    # Check Release
+    # Check Apport presence and version
+  	return CheckCode::Safe unless session.platform == 'linux'
+
+  	return CheckCode::Safe unless kernel_version =~ /[uU]buntu/
+
+  	# Check apport version
+  	if !command_exists?('apport-cli')
+  		return CheckCode::Safe('apport-cli does not appear to be installed or in the $PATH') 
+  	end 
+
+  	apport = cmd_exec('apport-cli --version').to_s 
+
+  	return CheckCode::Detected('Unable to determine apport version') if apport.blank?
+
+  	version = Rex::Version.new(apport.split('-').first)
+
+  	vulnerable = Rex::Version.new '2.20'
+  	# Were there prior versions of apport which are NOT vulnerableii
+  	# if version < vulnerable return bad 
+ 
+  end
+
+  def exploit
+    # Methods for 
+    # symlinking /var/lock/apport to /etc/crontab
+    # Touching a file to this
+    # verifying the permissions on the file (root ownership)
+    # writing payloads 
+    # what type of payloads
+  end
+
+end
