
Multiple local exploit suggester enhancements #16413

Merged
merged 8 commits
May 25, 2022

Conversation

sjanusz-r7
Contributor

@sjanusz-r7 sjanusz-r7 commented Apr 5, 2022

This PR requires rapid7/metasploit-payloads#570 to ensure Python Meterpreter compatibility.
This PR also moves the get_drives function to windows.rb, which prevents issues such as #15949 where many modules were not checked as they were reported as incompatible due to missing Railgun.

This PR also adds in advanced options that allow the user to specify if different parameters should be validated, e.g. ValidateArch, ValidatePlatform, and ValidateMeterpreterCommands.

It also adds valid and invalid tables that store the modules which were and weren't tried against the current session. These are color-coded by default, and the coloring can be configured or disabled to improve visual clarity.

It also adds a real-time counter of how many exploits are being tried, to show to the user that the module is doing something.

It uses the native_arch functionality rather than arch, as that was found to be more reliable. Python's arch was being reported as Python, which no modules considered as viable.

We no longer rely on the session_incompatibility_reasons from the post_mixin.rb, as we have realised that wasn't covering all bases. For example, it wasn't setting the module target at all, meaning some exploits could be marked as unwanted as the target architecture/platform could be mismatched. Instead, the setting of targets and validation of modules is done in the exploit suggester itself, and the solution implemented is more robust.

Tested against Kali, using Mettle, Java and Python Meterpreter

Verification

  • msfconsole -q
  • use payload/linux/x64/meterpreter/reverse_tcp
  • set lhost {lhost}
  • generate -f elf -o mettle.elf (We use Mettle here as it has no Railgun support.)
  • chmod +x mettle.elf
  • Run ./mettle.elf on a Kali machine and get a session
  • use post/multi/recon/local_exploit_suggester
  • run session=-1 validatearch=true validateplatform=true validatemeterpretercommands=true
  • To be shown the modules that weren't considered as valid, run session=-1 verbose=true
  • Verify that exploit checks are happening

Before

msf6 post(multi/recon/local_exploit_suggester) > sessions

Active sessions
===============

  Id  Name  Type                   Information             Connection
  --  ----  ----                   -----------             ----------
  1         meterpreter x64/linux  kali @ 192.168.129.161  192.168.129.1:4444 -> 192.168.129.161:51254  (192.168.129.161)

msf6 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION          -1               yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > advanced

Module advanced options (post/multi/recon/local_exploit_suggester):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.129.161 - Collecting local exploits for x64/linux...
[-] 192.168.129.161 - No suggestions available.
[*] Post module execution completed

After

Without validation checks

msf6 post(multi/recon/local_exploit_suggester) > run session=-1 ValidateArch=false ValidatePlatform=false

[*] ::1 - Collecting local exploits for python/linux...
[*] ::1 - 167 exploit checks are being tried...
[+] ::1 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] ::1 - exploit/linux/local/cve_2022_0847_dirtypipe: The target appears to be vulnerable. Linux kernel version found: 5.14.0
[+] ::1 - exploit/linux/local/cve_2022_0995_watch_queue: The target appears to be vulnerable.
[+] ::1 - exploit/linux/local/desktop_privilege_escalation: The target is vulnerable.
[+] ::1 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
[+] ::1 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] ::1 - exploit/linux/local/polkit_dbus_auth_bypass: The service is running, but could not be validated. Detected polkit framework version 0.105.
[+] ::1 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 142 / 142
[*] ::1 - Valid modules for session 1:
============================

 #    Name                                                                    Potentially Vulnerable?  Check Result
 -    ----                                                                    -----------------------  ------------
 1    exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                     Yes                      The target is vulnerable.
 2    exploit/linux/local/cve_2022_0847_dirtypipe                             Yes                      The target appears to be vulnerable. Linux kernel version found: 5.14.0
 3    exploit/linux/local/cve_2022_0995_watch_queue                           Yes                      The target appears to be vulnerable.
 4    exploit/linux/local/desktop_privilege_escalation                        Yes                      The target is vulnerable.
 5    exploit/linux/local/network_manager_vpnc_username_priv_esc              Yes                      The service is running, but could not be validated.
 6    exploit/linux/local/pkexec                                              Yes                      The service is running, but could not be validated.
 7    exploit/linux/local/polkit_dbus_auth_bypass                             Yes                      The service is running, but could not be validated. Detected polkit framework version 0.105.
 8    exploit/linux/local/su_login                                            Yes                      The target appears to be vulnerable.
 9    exploit/android/local/futex_requeue                                     No                       The check raised an exception.
 10   exploit/android/local/janus                                             No                       The check raised an exception.
 11   exploit/linux/local/abrt_raceabrt_priv_esc                              No                       The target is not exploitable.
...
Over 100 more modules here
...
 141  exploit/windows/local/webexec                                           No                       The check raised an exception.
 142  exploit/windows/local/windscribe_windscribeservice_priv_esc             No                       The check raised an exception.

[*] Post module execution completed

With validation checks

msf6 post(multi/recon/local_exploit_suggester) > run session=-1

[*] ::1 - Collecting local exploits for python/linux...
[*] ::1 - 167 exploit checks are being tried...
[+] ::1 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] ::1 - exploit/linux/local/cve_2022_0847_dirtypipe: The target appears to be vulnerable. Linux kernel version found: 5.14.0
[+] ::1 - exploit/linux/local/cve_2022_0995_watch_queue: The target appears to be vulnerable.
[+] ::1 - exploit/linux/local/desktop_privilege_escalation: The target is vulnerable.
[+] ::1 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
[+] ::1 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] ::1 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 51 / 51
[*] ::1 - Valid modules for session 1:
============================

 #   Name                                                                Potentially Vulnerable?  Check Result
 -   ----                                                                -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                 Yes                      The target is vulnerable.
 2   exploit/linux/local/cve_2022_0847_dirtypipe                         Yes                      The target appears to be vulnerable. Linux kernel version found: 5.14.0
 3   exploit/linux/local/cve_2022_0995_watch_queue                       Yes                      The target appears to be vulnerable.
 4   exploit/linux/local/desktop_privilege_escalation                    Yes                      The target is vulnerable.
 5   exploit/linux/local/network_manager_vpnc_username_priv_esc          Yes                      The service is running, but could not be validated.
 6   exploit/linux/local/pkexec                                          Yes                      The service is running, but could not be validated.
 7   exploit/linux/local/su_login                                        Yes                      The target appears to be vulnerable.
 8   exploit/linux/local/abrt_raceabrt_priv_esc                          No                       The target is not exploitable.
 9   exploit/linux/local/abrt_sosreport_priv_esc                         No                       The target is not exploitable.
 10  exploit/linux/local/af_packet_chocobo_root_priv_esc                 No                       The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable
 11  exploit/linux/local/af_packet_packet_set_ring_priv_esc              No                       The target is not exploitable.
 12  exploit/linux/local/apport_abrt_chroot_priv_esc                     No                       The target is not exploitable.
 13  exploit/linux/local/asan_suid_executable_priv_esc                   No                       The check raised an exception.
...
More modules here
...
 50  exploit/multi/local/xorg_x11_suid_server                            No                       The target is not exploitable.
 51  exploit/multi/local/xorg_x11_suid_server_modulepath                 No                       The target is not exploitable.

[*] Post module execution completed

@space-r7 space-r7 self-assigned this Apr 5, 2022
@space-r7 space-r7 removed their assignment Apr 5, 2022
modules/post/multi/recon/local_exploit_suggester.rb (outdated review comment, resolved)
lib/msf/core/post/windows.rb (outdated review comment, resolved)
@sjanusz-r7 sjanusz-r7 force-pushed the fix-local-exploit-suggester branch 3 times, most recently from 1c26b3a to 7f9d6a9 Compare April 13, 2022 12:36
Contributor

@jmartin-tech jmartin-tech left a comment

Updates fit the desired functionality. I noted some ideas on approach that are optional and may reduce the need to impact the core post_mixin.rb code.

modules/post/multi/recon/local_exploit_suggester.rb (outdated review comment, resolved)
modules/post/multi/recon/local_exploit_suggester.rb (outdated review comment, resolved)
@gwillcox-r7 gwillcox-r7 self-assigned this Apr 19, 2022
@adfoster-r7 adfoster-r7 marked this pull request as draft April 19, 2022 21:24
@gwillcox-r7 gwillcox-r7 removed their assignment Apr 20, 2022
@sjanusz-r7 sjanusz-r7 force-pushed the fix-local-exploit-suggester branch from 70f4473 to f161721 Compare May 4, 2022 13:09
@h00die
Contributor

h00die commented May 4, 2022

Was that pihole commit supposed to be in here? Just checking

@sjanusz-r7 sjanusz-r7 force-pushed the fix-local-exploit-suggester branch from f161721 to 372697d Compare May 4, 2022 14:01
@sjanusz-r7 sjanusz-r7 force-pushed the fix-local-exploit-suggester branch from 372697d to ebba5fd Compare May 4, 2022 16:19
@sjanusz-r7 sjanusz-r7 force-pushed the fix-local-exploit-suggester branch from ebba5fd to cbf8808 Compare May 10, 2022 11:10
@sjanusz-r7 sjanusz-r7 force-pushed the fix-local-exploit-suggester branch from cbf8808 to c0b60fa Compare May 12, 2022 09:31
@sjanusz-r7 sjanusz-r7 force-pushed the fix-local-exploit-suggester branch from 0506af8 to 7103a61 Compare May 19, 2022 15:23
@adfoster-r7 adfoster-r7 marked this pull request as ready for review May 20, 2022 14:44
@@ -37,15 +46,18 @@ def all_platforms

def is_module_arch?(mod)
mod_arch = mod.target.arch || mod.arch
mod_arch.include? session.arch
mod_arch.include? session.native_arch
end
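Review bot: `mod_arch = mod.target.arch || mod.arch` raises NoMethodError when `mod.target` is nil, and the PR description says target selection is now done by the suggester itself, so `is_module_arch?` silently depends on that assignment having already happened for this module; guard it with `mod.target&.arch || mod.arch` (or fail loudly if no target was selected) so a module without a selected target falls back to the module-level arch list instead of aborting the whole run. Moving the comparison to `session.native_arch` is the right fix for Python/Java Meterpreters, whose `session.arch` is the interpreter name; if `mod.arch` is not guaranteed to be an Array, wrap it as `Array(mod_arch).include?` so a bare String does not turn this into a substring match.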

Fixes module suggestions for Python/Java meterpreters

@@ -60,8 +72,36 @@ def is_module_platform?(mod)
return false
end

def is_session_type_compat?(mod)
mod.session_compatible? session.sid
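Review bot: the hunk drops `mod.session_compatible? session.sid` from `is_session_type_compat?`, but the replacement check is not in view and the method name no longer tells a reader what it validates; since the accompanying comment says the new logic handles native_arch and targets, add a short comment (or rename the method) stating which session attributes it now compares, and keep the plain session-type comparison in it, so a session that is neither `meterpreter` nor `shell` (the `powershell` case reported later in this thread) is rejected here with a "session type" reason rather than only falling out of the architecture check.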

Note we no longer call the post mixin implementation of session_compatible? as the functionality isn't quite right for our use case. It doesn't handle native_arch, or the concept of targets correctly - which this module now does.

This module has also broken in unintended ways when folk change the post_mixin implementation, which we want to avoid. We'll have to circle back and re-evaluate the post_mixin logic individually with these requirements in mind.

@sjanusz-r7 sjanusz-r7 force-pushed the fix-local-exploit-suggester branch from f89dfbe to fbac2ae Compare May 24, 2022 15:27
result = {
has_check: true,
is_module_platform: (@validate_platform ? is_module_platform?(mod) : true),
is_module_arch: (@validate_arch ? is_module_arch?(mod) : true),
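Review bot: `has_check: true` is a hard-coded literal in the result hash, so the table can never report a module that lacks a check method; if such modules can reach this point, derive the value from the module (e.g. its own `has_check?`), and if they cannot, drop the key rather than record a constant. The `(@validate_platform ? is_module_platform?(mod) : true)` ternaries read more directly as `!@validate_platform || is_module_platform?(mod)`, and the naming point already raised (`is_session_arch` / `is_session_platform`) applies to both keys, since what is being asked is whether the session fits the module, not the other way round.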

not a blocker: This should probably be is_session_arch / is_session_platform

@adfoster-r7
Contributor

I like that the incompatible table makes it very easy to identify that our session compatibility checks are still a bit too weak.

For instance with a windows powershell session:

msf6 post(multi/recon/local_exploit_suggester) > run session=-1 verbose=true

[*] 192.168.123.133 - Collecting local exploits for windows...
[-] 192.168.123.133 - No suggestions available.

[*] 192.168.123.133 - Current Session Info:
[*] 192.168.123.133 - Session Type: powershell
[*] 192.168.123.133 - Architecture: 
[*] 192.168.123.133 - Platform: windows
[*] 192.168.123.133 - Invalid modules for session 3:
==============================

The exploit suggester won't run modules which only specify a sessiontype of shell:

 159  exploit/windows/local/registry_persistence                              Not Compatible (architecture, session type)                                                              Windows           No defined architectures                       meterpreter, shell

Not a massive deal since 99.9% of our Windows LPEs are Meterpreter only
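The validation flow laid out in the PR description (native_arch instead of arch, target selection done in the suggester, the ValidateArch / ValidatePlatform / ValidateMeterpreterCommands gates, and the valid/invalid split) together with the session-type gap shown for the PowerShell session just above, as an added example in plain Ruby that is not Metasploit's code: `Session`, `Target`, `LocalExploit`, `select_target`, `compatibility`, `suggest` and `legacy_arch_match?` are hypothetical stand-ins for the framework's API, and the sessions, module names and command ids are constructed for the illustration.

```ruby
# Added example (not Metasploit's code): a plain-Ruby model of the
# validation flow this PR describes. Session, Target and LocalExploit are
# hypothetical structs; the real Msf::Session / Msf::Module APIs differ.
# Module names, command ids and session data below are constructed.
Session      = Struct.new(:sid, :type, :arch, :native_arch, :platform, :commands, keyword_init: true)
Target       = Struct.new(:name, :arch, :platform, keyword_init: true)
LocalExploit = Struct.new(:name, :targets, :session_types, :required_commands, keyword_init: true)

# Old behaviour from the diff: compare the module's archs against session.arch.
# A Python Meterpreter reports arch 'python', so nothing ever matches.
def legacy_arch_match?(mod, session)
  mod.targets.flat_map(&:arch).uniq.include?(session.arch)
end

# Pick the first target whose arch/platform fit the session (nil if none).
# The PR notes the post_mixin path never set a target, so per-target
# arch/platform were never considered.
def select_target(mod, session)
  mod.targets.find do |t|
    t.arch.include?(session.native_arch) &&
      (t.platform.include?('all') || t.platform.include?(session.platform))
  end
end

# Mirrors the ValidateArch / ValidatePlatform / ValidateMeterpreterCommands
# advanced options: each gate can be switched off so the check is attempted
# anyway. Returns one row for the valid/invalid table.
def compatibility(mod, session, validate_arch: true, validate_platform: true, validate_commands: true)
  reasons = []
  target  = select_target(mod, session)
  archs   = target ? target.arch     : mod.targets.flat_map(&:arch).uniq
  plats   = target ? target.platform : mod.targets.flat_map(&:platform).uniq

  # Session type is always checked: a 'powershell' session does not match a
  # module that only lists 'meterpreter' and 'shell'.
  reasons << 'session type' unless mod.session_types.include?(session.type)
  reasons << 'architecture' if validate_arch && !archs.include?(session.native_arch)
  reasons << 'platform'     if validate_platform && !(plats.include?('all') || plats.include?(session.platform))
  if validate_commands && session.type == 'meterpreter'
    missing = mod.required_commands - session.commands
    reasons << "meterpreter commands (#{missing.join(', ')})" unless missing.empty?
  end

  { module: mod.name, target: target&.name, compatible: reasons.empty?, reasons: reasons }
end

# Split modules into the two tables the PR adds.
def suggest(mods, session, **opts)
  valid, invalid = mods.map { |m| compatibility(m, session, **opts) }.partition { |r| r[:compatible] }
  { valid: valid, invalid: invalid }
end

# Constructed sessions: a Python Meterpreter on x64 Linux (arch 'python',
# native_arch 'x64') and a Windows PowerShell session that reports no
# architecture, as in the output quoted above.
PYTHON_METERPRETER = Session.new(sid: 1, type: 'meterpreter', arch: 'python', native_arch: 'x64',
                                 platform: 'linux', commands: %w[stdapi_fs_stat stdapi_sys_config_getuid])
POWERSHELL = Session.new(sid: 3, type: 'powershell', arch: '', native_arch: '',
                         platform: 'windows', commands: [])

# Constructed modules; the names are illustrative, not real Metasploit modules.
MODULES = [
  LocalExploit.new(name: 'exploit/linux/local/example_kernel_lpe',
                   targets: [Target.new(name: 'x86_64', arch: %w[x64], platform: %w[linux])],
                   session_types: %w[meterpreter shell], required_commands: %w[stdapi_fs_stat]),
  LocalExploit.new(name: 'exploit/linux/local/example_railgun_lpe',
                   targets: [Target.new(name: 'Automatic', arch: %w[x86 x64], platform: %w[linux])],
                   session_types: %w[meterpreter], required_commands: %w[stdapi_railgun_api]),
  LocalExploit.new(name: 'exploit/windows/local/example_persistence',
                   targets: [Target.new(name: 'Automatic', arch: %w[x86 x64], platform: %w[windows])],
                   session_types: %w[meterpreter shell], required_commands: []),
  LocalExploit.new(name: 'exploit/android/local/example_lpe',
                   targets: [Target.new(name: 'Automatic', arch: %w[armle], platform: %w[android linux])],
                   session_types: %w[meterpreter], required_commands: [])
]

if __FILE__ == $PROGRAM_NAME
  %w[default no_arch_or_platform].each do |mode|
    opts = mode == 'default' ? {} : { validate_arch: false, validate_platform: false }
    res  = suggest(MODULES, PYTHON_METERPRETER, **opts)
    puts "#{mode}: #{res[:valid].size} valid, #{res[:invalid].size} invalid"
    res[:invalid].each { |r| puts "  #{r[:module]}: #{r[:reasons].join(', ')}" }
  end
  puts "powershell vs persistence: #{compatibility(MODULES[2], POWERSHELL)[:reasons].join(', ')}"
end
```

With the two gates off, the Android and Windows modules land in the valid table and get tried, which is what the "Without validation checks" run above shows (those checks then raise exceptions); the module needing a Meterpreter command the session lacks stays out until ValidateMeterpreterCommands is disabled too, which is the Mettle-without-Railgun situation the PR description mentions. The PowerShell session fails on session type and architecture, matching the "Not Compatible (architecture, session type)" row quoted above.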

@sjanusz-r7 sjanusz-r7 force-pushed the fix-local-exploit-suggester branch from ab60600 to 6b1faf0 Compare May 25, 2022 11:05
@adfoster-r7 adfoster-r7 self-assigned this May 25, 2022
@adfoster-r7 adfoster-r7 merged commit d225d46 into rapid7:master May 25, 2022
@adfoster-r7
Contributor

adfoster-r7 commented May 25, 2022

Release Notes

Updates the multi/recon/local_exploit_suggester with multiple enhancements, including the ability to correctly work with Java/Python Meterpreters as well as now generating a readable table of results.

@adfoster-r7 adfoster-r7 changed the title Fix local exploit suggester not suggesting local exploits Multiple local exploit suggester enhancements May 25, 2022
@adfoster-r7 adfoster-r7 added the rn-enhancement release notes enhancement label May 25, 2022
7 participants