New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add module Xorg Suid Server privesc for OpenBSD #10913

wants to merge 7 commits into
base: master


None yet
2 participants

aringo commented Nov 4, 2018

Module adds the ability to privesc by overwriting crontab in session or spawn an external session. It was tested on OpenBSD 6.3 and 6.4 along with CentOS 7. The exploit did work on some linux configurations.

List the steps needed to make sure this thing works
To test you must have a session on an OpenBSD box.
With OpenBSD most shells will not function, openssl is default and it is also encrypted.
I modified my sshexec to take cmd/unix and will probably try to commit that later. (like 6 lines)

To get a session with higher privileges

  • use exploit/openbsd/local/xorg_x11_suid_server
  • set session 1
  • set LHOST x.x.x.x
  • exploit


To get an external session with higher privileges

  • set builtin false

This comment has been minimized.


bcoles commented Nov 4, 2018

Hi @aringo

Thanks for the contribution.

It would be best to submit the two changes as two PRs (one for sshexec, one for the new module). This will help speed up the review process and ensure landing one change does not hold up landing the other.

Also, it is required that code in your fork be merged from a unique branch in your repository to master in Rapid7's. Please create a new branch in your fork of framework and resubmit this from that branch.

git checkout -b <BRANCH_NAME>
git push <your_fork_remote> <BRANCH_NAME>

This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.

Closing based on the this requirement, please do resubmit from a unique branch.

@bcoles bcoles closed this Nov 4, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment