
Cleanup apport_abrt_chroot_priv_esc #11761

Merged (1 commit) on Apr 29, 2019

Conversation

bcoles (Contributor) commented Apr 19, 2019

Updates the apport_abrt_chroot_priv_esc module to be more in-line with current Linux LPE modules through code style changes and using new libs.

Also fixes a few issues when using the module on Meterpreter sessions:

  • The module made use of cd, which won't work on Meterpreter sessions, causing hard linking to fail and therefore the exploit to fail. Using cd also results in the exploit directory generated by the exploit appearing in the working directory rather than the intended directory, so the directory is not cleaned up after a failed exploitation attempt.
  • The module upgraded the session in a new process (sub-shell) prior to executing the payload. This implementation works for command shell sessions, but was unsafe for Meterpreter sessions, and would cause the exploit to fail.

Note, it should work on Ubuntu 14.04.1 out of the box; but if you're testing on Fedora 19/20/21, you'll likely need to reintroduce the vulnerability as per #9399 (comment) #9399 (comment) (although disabling SELinux should not be necessary) - unless you feel like attempting to cherry pick the appropriate packages.

bcoles (Contributor, Author) commented Apr 22, 2019

@msjenkins-r7 would you lie to me?

@wchen-r7 wchen-r7 self-assigned this Apr 26, 2019
wchen-r7 (Contributor) commented

Module works for me. I'll land this in a bit:

msf5 exploit(linux/local/apport_abrt_chroot_priv_esc) > run

[*] Started reverse TCP handler on 172.16.249.1:4445 
[*] Writing '/tmp/.1KI5rW' (64812 bytes) ...
[*] Writing '/tmp/.LlwvX' (207 bytes) ...
[*] Launching exploit...
[*] Sending stage (985320 bytes) to 172.16.249.135
[*] Meterpreter session 3 opened (172.16.249.1:4445 -> 172.16.249.135:58425) at 2019-04-29 13:51:36 -0500

meterpreter > 

@wchen-r7 wchen-r7 merged commit da9aba0 into rapid7:master Apr 29, 2019
wchen-r7 added a commit that referenced this pull request Apr 29, 2019
wchen-r7 (Contributor) commented Apr 29, 2019

Release Notes

This updates the apport_abrt_chroot_priv_esc module to be more in-line with current Linux LPE modules through code style changes and using new libs.

@bcoles bcoles deleted the apport_abrt_chroot_priv_esc branch April 29, 2019 19:17
@gdavidson-r7 gdavidson-r7 added the rn-enhancement release notes enhancement label May 14, 2019