
Land #12535, module traits for some local exploits

wvu-r7 committed Nov 7, 2019
2 parents d34dd39 + 3849830 commit 2b3c2b6af5e3b841eec1284f5ba8146bea3d5155
@@ -62,11 +62,13 @@ def initialize(info = {})
[ 'URL', 'https://www.securitytracker.com/id/1037403' ],
[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c' ]
],
'DefaultTarget' => 0,
'Notes' =>
{
'AKA' => ['chocobo_root.c']
}
'Notes' =>
{
'AKA' => ['chocobo_root.c'],
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_OS_DOWN ]
},
'DefaultTarget' => 0
))
register_options [
OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '600' ]),
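Review bot: `'Reliability' => [ REPEATABLE_SESSION ]` sits beside `'Stability' => [ CRASH_OS_DOWN ]` and a `TIMEOUT` option described as a race timeout, which reads as a module whose outcome depends on winning a race and whose failure can take the host down. REPEATABLE_SESSION tells operators a session is expected on every run, so if a lost race can panic the kernel, `'Reliability' => [ UNRELIABLE_SESSION ]` may describe it better; this is inferred from the option text alone, so please confirm against the module's test results. The same pairing appears in the hunks that reference the CVE-2017-7308 poc.c, `get-rekt-linux-hardened.c`, the `'Aug 13 2009'` disclosure date and cve-2017-1000112, and deserves the same check. A short comment above the Stability entry, such as `# kernel may panic if the exploit fails`, would record why the trait was chosen.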
@@ -66,6 +66,11 @@ def initialize(info = {})
[ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-7308/poc.c' ],
[ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/cve-2017-7308/CVE-2017-7308/poc.c' ]
],
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_OS_DOWN ],
},
'DefaultTarget' => 0))
register_options [
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ])
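Review bot: The new `'Notes'` hash records Reliability and Stability but no `'SideEffects'`, although the `COMPILE` option registered just below ('Compile on target') suggests the module writes source or a binary to the target's filesystem. If so, adding `'SideEffects' => [ ARTIFACTS_ON_DISK ]` would let operators plan cleanup and tell anyone reading the module which traces to expect. Whether the module removes its files afterwards is not visible in this hunk. The same applies to the other hunks in this commit that register `COMPILE` or `WritableDir` options.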
@@ -64,7 +64,9 @@ def initialize(info = {})
],
'Notes' =>
{
'AKA' => ['unsanitary.sh']
'AKA' => ['unsanitary.sh'],
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultTarget' => 0))
register_options [
@@ -79,16 +79,14 @@ def initialize(info = {})
[ 'URL', 'http://openwall.com/lists/oss-security/2017/12/21/2'],
[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=95a762e2c8c942780948091f8f2a4f32fce1ac6f' ]
],
'DefaultTarget' => 0,
'Notes' =>
{
'AKA' =>
[
'get-rekt-linux-hardened.c',
'upstream44.c'
]
}
))
'Notes' =>
{
'AKA' => ['get-rekt-linux-hardened.c', 'upstream44.c'],
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_OS_DOWN ],
},
'DefaultTarget' => 0
))
register_options [
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ])
]
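Review bot: The last entry of the new Notes hash ends with a trailing comma, `'Stability' => [ CRASH_OS_DOWN ],`, while most other modules touched in this commit close the hash without one (`'Stability' => [ CRASH_SAFE ]`). Use one form across the whole change. Dropping the comma here and in the three other CRASH_OS_DOWN hunks that carry it would match the majority.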
@@ -64,6 +64,11 @@ def initialize(info = {})
'PrependSetuid' => true,
'PrependFork' => true
},
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultTarget' => 0))
register_options [
OptString.new('KTSUSS_PATH', [true, 'Path to staprun executable', '/usr/bin/ktsuss'])
@@ -60,7 +60,6 @@ def initialize(info = {})
['URL', 'https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.19'],
['URL', 'https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2']
],
'DefaultTarget' => 0,
'DefaultOptions' =>
{
'AppendExit' => true,
@@ -71,11 +70,13 @@ def initialize(info = {})
'WfsDelay' => 60,
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'
},
'Notes' =>
'Notes' =>
{
'AKA' => ['subuid_shell.c']
}
))
'AKA' => ['subuid_shell.c'],
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultTarget' => 0))
register_options [
OptEnum.new('COMPILE', [true, 'Compile on target', 'Auto', %w[Auto True False]])
]
@@ -56,7 +56,13 @@ def initialize(info = {})
[
[ 'CVE', '2019-11660' ],
[ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03525630' ]
]
],
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultTarget' => 0
))

register_options(
@@ -54,6 +54,11 @@ def initialize(info = {})
'Payload' => 'linux/x64/meterpreter/reverse_tcp',
'PrependFork' => true,
},
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DisclosureDate' => 'Jul 4 2019'))
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
@@ -66,6 +66,11 @@ def initialize(info = {})
'PrependFork' => true,
'WfsDelay' => 30
},
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultTarget' => 0))
register_options [
OptString.new('SERVU_PATH', [true, 'Path to Serv-U executable', '/usr/local/Serv-U/Serv-U'])
@@ -64,6 +64,11 @@ def initialize(info = {})
[ 'Linux x86', { 'Arch' => ARCH_X86 } ]
],
'DisclosureDate' => 'Aug 13 2009',
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_OS_DOWN ],
},
'DefaultTarget' => 0))
register_options [
OptBool.new('DEBUG_EXPLOIT', [ true, "Make the exploit executable be verbose about what it's doing", false ])
@@ -62,6 +62,11 @@ def initialize(info = {})
],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [['Auto', {}]],
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultTarget' => 0))
register_options [
OptString.new('STAPRUN_PATH', [true, 'Path to staprun executable', '/usr/bin/staprun'])
@@ -65,6 +65,11 @@ def initialize(info = {})
[ 'URL', 'https://github.com/bcoles/kernel-exploits/commits/cve-2017-1000112' ]
],
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_OS_DOWN ],
},
'DefaultTarget' => 0))
register_options [
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ])
@@ -55,10 +55,15 @@ def initialize(info = {})
'WfsDelay' => 30,
'Payload' => 'linux/x64/meterpreter_reverse_tcp'
},
'DefaultTarget' => 1,
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Privileged' => true ))
'Privileged' => true,
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultTarget' => 1))
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']),
@@ -50,7 +50,12 @@ def initialize(info = {})
[ 'URL', 'http://www.magnicomp.com/support/cve/CVE-2017-6516.shtml' ],
[ 'URL', 'https://labs.mwrinfosecurity.com/advisories/magnicomps-sysinfo-root-setuid-local-privilege-escalation-vulnerability/' ],
[ 'URL', 'https://labs.mwrinfosecurity.com/advisories/multiple-vulnerabilities-in-magnicomps-sysinfo-root-setuid/' ]
]
],
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
}
))
register_options(
[
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Exploit::Local
include Msf::Post::File

def initialize(info={})
super( update_info( info, {
super( update_info( info,
'Name' => 'Setuid Nmap Exploit',
'Description' => %q{
Nmap's man page mentions that "Nmap should never be installed with
@@ -39,15 +39,21 @@ def initialize(info={})
[ 'BSD x86', { 'Arch' => ARCH_X86 } ],
],
'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
'DefaultTarget' => 0,
}
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultTarget' => 0
))
register_options([
# These are not OptPath becuase it's a *remote* path
OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
OptString.new("Nmap", [ true, "Path to setuid nmap executable", "/usr/bin/nmap" ]),
OptString.new("ExtraArgs", [ false, "Extra arguments to pass to Nmap (e.g. --datadir)", "" ]),
OptString.new("Nmap", [ true, "Path to setuid nmap executable", "/usr/bin/nmap" ]),
OptString.new("ExtraArgs", [ false, "Extra arguments to pass to Nmap (e.g. --datadir)", "" ]),
])
register_advanced_options [
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end

def check
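Review bot: Moving `WritableDir` into `register_advanced_options` leaves the comment `# These are not OptPath becuase it's a *remote* path` above only `Nmap` and `ExtraArgs`, and `ExtraArgs` is not a path at all. Suggest rewording it in place and fixing the typo, e.g. `# Nmap is an OptString, not OptPath, because it is a path on the *remote* host`, and adding the same remark above the relocated `WritableDir` option. The `check` method begins on the last line of this hunk and its body is not shown.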
