WIP Xorg x11 suid server modulepath #11025
Conversation
Have you looked at rapt0r's exploit for this bug on Solaris 11.4?

```ruby
# linux checks
uname = cmd_exec "uname"
if uname =~ /linux/i
```
This isn't necessary if you're only targeting Linux.
This technique works on Solaris also, I'll open it up. It does not work on OpenBSD though.
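A defender-side audit of the precondition this thread keeps coming back to (a setuid-root X server on a platform the technique covers, Linux or Solaris), added here as an example; it is not the PR's code nor part of the Metasploit module, and the candidate binary paths are assumptions:

```shell
#!/bin/sh
# Added audit script (not from the PR). Checks whether an X server binary is
# setuid root, which is what the module relies on, and maps `uname -s` to the
# platforms discussed in the thread. Paths below are assumptions.

# Map `uname -s` output to the platform names used in the thread.
classify_os() {
    case "$1" in
        Linux)   echo linux ;;
        SunOS)   echo solaris ;;
        OpenBSD) echo unsupported ;;   # thread reports the technique fails here
        *)       echo unknown ;;
    esac
}

# Print "setuid-root", "setuid" (set-uid but not root-owned), "ok" or "missing".
setuid_state() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo missing
        return 0
    fi
    if [ -u "$f" ]; then
        # ls is used instead of stat because stat's flags differ between GNU and BSD/Solaris.
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" = root ]; then echo setuid-root; else echo setuid; fi
    else
        echo ok
    fi
}

# Walk the usual X server locations (assumed paths) and count setuid-root hits.
audit_xserver() {
    findings=0
    for p in /usr/bin/Xorg /usr/lib/xorg/Xorg /usr/libexec/Xorg \
             /usr/X11R6/bin/Xorg /usr/bin/X; do
        [ -e "$p" ] || continue
        state=$(setuid_state "$p")
        echo "$p: $state"
        if [ "$state" = setuid-root ]; then findings=$((findings + 1)); fi
    done
    echo "platform: $(classify_os "$(uname -s)"), setuid-root X servers: $findings"
}
```

Run `audit_xserver` on a host to see whether the binary is still setuid root after patching or hardening.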
modules/exploits/multi/local/xorg_x11_suid_server_modulepath.rb
```ruby
xdisplay = datastore['Xdisplay']
sofile = "#{modulepath}/#{datastore['sofile']}"

stub = %Q^
```
For Linux, you could use Metasm to dynamically compile the shared object, rather than relying on gcc to be on the box. Here's an example.
Any luck with adding support for Solaris? There are a few examples of dealing with Solaris' insane
Perhaps it would be better to get this landed and circle back later.
I think it makes sense to keep the two vectors separate. Partly because they're exploited differently, but mostly because the module logic is already complex enough as a
Hi @aringo! Do you mind if I try adding a Solaris target to your module? Thanks!
In the interest of getting this landed soon, I added support for Metasm, Solaris targets, and documentation.
Testing on Centos 7.4:
Testing on Solaris 11.4:
Release Notes
This exploits a local privilege escalation vulnerability on targets running Xorg server versions from
Using this version of the exploit there is no need to overwrite crontab, works against SELinux, and is near instant. I had some difficulties getting this to work on OpenBSD. Should I try to update the other one to use this method for Linux? Kind of burnt out on this exploit now so WIP 💯