Add module Xorg SUID privesc #10916

Open
wants to merge 13 commits into
base: master
from

3 participants
@aringo
Contributor

aringo commented Nov 4, 2018

Module adds the ability to privesc by overwriting crontab in session or spawns an external session. It was tested on OpenBSD 6.3 and 6.4 along with CentOS 7.

Steps needed to make sure this thing works
Must have a session on an OpenBSD or Linux box. If using a CentOS box, the user the session is running under must have console lock.

With OpenBSD, most cmd shell requirements are not met on a default install.
I found openssl to be a good default shell, plus it is encrypted.

To privesc OpenBSD

  • use exploit/multi/local/xorg_x11_suid_server
  • set session 1
  • set LHOST x.x.x.x
    [Screenshot: OpenBSD]

To privesc Linux (Have console lock)

  • use exploit/multi/local/xorg_x11_suid_server
  • set session 1
  • set LHOST x.x.x.x
    Below example has verbose set to True
    [Screenshot: Linux]

@aringo aringo changed the title from Initial module of Xorg SUID privesc for OpenBSD to Add module of Xorg SUID privesc for OpenBSD Nov 4, 2018

@aringo aringo changed the title from Add module of Xorg SUID privesc for OpenBSD to Add module Xorg SUID privesc for OpenBSD Nov 4, 2018

Resolved review comments on modules/exploits/openbsd/local/xorg_x11_suid_server.rb (outdated)
@wvu-r7

Contributor

wvu-r7 commented Nov 5, 2018

@aringo: Thank you for what appears to be your first submission! Apologies for the flurry of review comments. Please let me know if there is anything I can explain better. I was curious to see when someone would put up a module for this. :-)

aringo and others added some commits Nov 4, 2018

@bcoles

Now that the module supports multiple targets, please git mv modules/exploits/openbsd/local/xorg_x11_suid_server.rb modules/exploits/multi/local/xorg_x11_suid_server.rb && git add modules/exploits/multi/local/xorg_x11_suid_server.rb && git commit -m "move module to exploits/multi/local" && git push origin xorg_privesc

bcoles and others added some commits Nov 11, 2018

Update modules/exploits/multi/local/xorg_x11_suid_server.rb
Co-Authored-By: aringo <ringo.aaron@gmail.com>
Update modules/exploits/multi/local/xorg_x11_suid_server.rb
Co-Authored-By: aringo <ringo.aaron@gmail.com>

@bcoles bcoles dismissed their stale review Nov 12, 2018

Module has been moved to exploit/multi/

Comments have been addressed

@aringo aringo changed the title from Add module Xorg SUID privesc for OpenBSD to Add module Xorg SUID privesc Nov 12, 2018
