modules/exploits/linux/local/desktop_privilege_escalation.rb
Lines changed: 39 additions & 23 deletions
@@ -1,5 +1,5 @@
1
1
##
2
-
# This module requires Metasploit: http//metasploit.com/download
2
+
# This module requires Metasploit: http://metasploit.com/download
3
3
# Current source: https://github.com/rapid7/metasploit-framework
4
4
##
5
5
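Review bot: The one-character scheme repair on line 2 (`http//` to `http://`) is unrelated to the description reflow in the next hunk, so it belongs in its own commit, or at least should be named in the commit message, so that a blame on the header line points at the typo fix rather than at a reflow.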
@@ -16,31 +16,47 @@ class Metasploit4 < Msf::Exploit::Local
16
16
17
17
definitialize(info={})
18
18
super(update_info(info,{
19
-
'Name'=>'Desktop Linux Password Stealer and Privilege Escalation',
20
-
'Description'=>%q{
21
-
This module steals the user password of an administrative user on a desktop Linux system when it is entered for unlocking the screen or for doing administrative actions using policykit. Then it escalates to root privileges using sudo and the stolen user password.
22
-
23
-
It exploits the design weakness that there is no trusted channell for transferring the password from the keyboard to the actual password verificatition against the shadow file (which is running as root since /etc/shadow is only readable to the root user). Both screensavers (xscreensaver/gnome-screensaver) and policykit use a component running under the current user account to query for the password and then pass it to a setuid-root binary to do the password verification. Therefore it is possible to inject a password stealer after compromising the user account. Since sudo requires only the user password (and not the root password of the system), stealing the user password of an administrative user directly allows escalating to root privileges.
24
-
25
-
Please note that you have to start a handler as a background job before running this exploit since the exploit will only create a shell when the user actually enters the password (which may be hours after launching the exploit). Using exploit/multi/handler with the option ExitOnSession set to false should do the job.
19
+
'Name'=>'Desktop Linux Password Stealer and Privilege Escalation',
20
+
'Description'=>%q{
21
+
This module steals the user password of an administrative user on a desktop Linux system
22
+
when it is entered for unlocking the screen or for doing administrative actions using
23
+
policykit. Then it escalates to root privileges using sudo and the stolen user password.
24
+
It exploits the design weakness that there is no trusted channell for transferring the
25
+
password from the keyboard to the actual password verificatition against the shadow file
26
+
(which is running as root since /etc/shadow is only readable to the root user). Both
27
+
screensavers (xscreensaver/gnome-screensaver) and policykit use a component running under
28
+
the current user account to query for the password and then pass it to a setuid-root binary
29
+
to do the password verification. Therefore it is possible to inject a password stealer
30
+
after compromising the user account. Since sudo requires only the user password (and not
31
+
the root password of the system), stealing the user password of an administrative user
32
+
directly allows escalating to root privileges. Please note that you have to start a handler
33
+
as a background job before running this exploit since the exploit will only create a shell
34
+
when the user actually enters the password (which may be hours after launching the exploit).
35
+
Using exploit/multi/handler with the option ExitOnSession set to false should do the job.
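Review bot: Two misspellings are carried over unchanged into the rewrapped text, `channell` on new line 24 and `verificatition` on new line 25; since these lines are being rewritten anyway, correct them to `channel` and `verification` here. The blank lines that separated the three paragraphs of the old description (old lines 22 and 24) are also dropped, so the operator instruction about starting a background handler now runs straight on from the sudo sentence on new line 32; keep a blank line before "Please note that you have to start a handler" so that requirement stands out as its own paragraph.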