finish prototyping the check method

gardnerapp · gardnerapp · commit f8f0ac5da7cd · 2025-04-15T15:33:51.000-04:00
diff --git a/modules/exploits/linux/local/cve_2020_9931_apport_symlink_privesc.rb b/modules/exploits/linux/local/cve_2020_9931_apport_symlink_privesc.rb
@@ -0,0 +1,104 @@
+# Randomness itself is a give away of exploitation
+class MetasploitModule < Msf::Exploit::Local
+  Rank = NormalRanking
+
+  include Msf::Post::Linux::System
+
+  # TODO get exact apport version after setting up a test environment
+  # TODO targets in the initialize method and how they work
+  # TODO other priv esc vectors, startup folders, periodic scripts 
+  # The vunerable version of apport may be available on other systems, distros and versions 
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Ubuntu Xenial Xerus Apport Symlink Hijacking Privilege Escalation ',
+        'Description' => %q{
+        	On the Ubuntu Xenial Xerus 16.04.7 release the Apport 2.20 crash handler is vulnerable
+        	to symlink injection. Following a crash Apport will write reports to /var/lock/apport/lock, 
+        	an attacker who can create a symlink to a privileged directory via /var/lock/apport will be 
+        	able to create files with global 0777 permissions. This module exploits this weaknes by writing 
+        	payloads to /etc/crontab/ as the root user.  
+          
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [ 
+        	'gardnerapp' # mirageinfosec.cloud
+        ],
+        'References' => [
+          [
+           'URL', 'https://nostarch.com/zero-day' # pg. 59
+          ]
+        ],
+        'Platform' => 'linux',
+        'Targets' => [
+          [
+            
+          ]
+        ],
+        'Payload' => {
+          'BadChars' => "\x00"
+        },
+        'Privileged' => false,
+        'DisclosureDate' => '',
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
+        },
+      )
+      register_options [
+      	OptString.new('Cron Name', [true, 'Name of the Crontab file', Rex::Text.rand_text_alpha(rand(8..12))])
+      ]
+    )
+  end
+
+  def check
+  	return CheckCode::Safe('Platform is not Linux') unless session.platform == 'linux'
+
+  	return CheckCode::Safe('Target is not Ubuntu') unless kernel_version =~ /[uU]buntu/
+
+    # Todo check distro version here 
+    # Determine is xenail, and vxenial release version
+
+    sys_info = get_sysinfo
+    puts system_info
+
+    distro = sysinfo[:distro]
+    puts distro
+    version = sysinfo[:version]
+    puts system_info
+
+    # Maybe add <||= for the version, need to find out if other kernel versions are vulmerable
+    if distro != 'Xenial Xerus' || version != '16.04.7'
+      return CheckCode::Safe('Target is not the correct Linux distro or kernel version')
+    end 
+
+  	# Check apport version
+  	if !command_exists?('apport-cli')
+  		return CheckCode::Safe('apport-cli does not appear to be installed or in the $PATH') 
+  	end 
+
+  	apport = cmd_exec('apport-cli --version').to_s 
+
+  	return CheckCode::Detected('Unable to determine apport version') if apport.blank?
+
+  	version = Rex::Version.new(apport.split('-').first)
+
+  	vulnerable = Rex::Version.new '2.20'
+  	# Were there prior versions of apport which are NOT vulnerableii
+  	# if version < vulnerable return bad 
+  end
+
+  def exploit
+    # Methods for 
+    # symlinking /var/lock/apport to /etc/crontab
+    # Touching a file to this
+    # verifying the permissions on the file (root ownership)
+    # writing payloads 
+    # what type of payloads
+  end
+
+end
