New tincd post-auth BOF exploit module #2756
Conversation
|
Please run this through |
|
msftidy.rb runs through now |
|
This is definitely a cool module. But I was wondering if you've tried the Msf::Exploit::Remote::Tcp mixin for the TincExploitClient class? The TincExploitClient class definitely needs to be implemented as a mixin, probably placed somewhere in the msf/lib/msf/core/exploit directory. And instead of using the Ruby socket, it needs to at least use Rex, otherwise the engine cannot manage the connection. Please take your time and ask questions along the way, may be a little tricky to implement. @jlee-r7 Please feel free to add more, or correct me if I'm wrong. |
|
I'm trying to relocate the TincExploitClient, but wasn't able to do it so far. I'll try to use the Rex socket afterwards, but as long as it has recv and a send method that should work somehow. At the same time I'm also working on Pidora 18 ARM exploitation target. I already control pc (eip), but have to dive into a little bit more ARM details (+ defeating NX on ARM). As I won't have access to a computer in January, this has to wait until February 2014. |
|
so with the last commit the module is done from my point. I open another pull request as soon as the ARM part is done |
| end | ||
|
|
||
| def get_line() | ||
| idx = @inbuffer.index("\n") |
There was a problem hiding this comment.
index can return nil if there is no "\n", which will cause issues later. Does some other code ensure that @inbuffer has newlines?
There was a problem hiding this comment.
Every get_line() call has a has_line() call (and if clause) right before it, so it is not possible that the index function returns nil
|
Ready for another round of feedback from @jlee-r7. The code is tested and works (even with different RSA key sizes of client/server, ROP still works too). |
| elf_base64 = Rex::Text::encode_base64(exe) | ||
| filename = rand_text_alpha(1) | ||
| # try plain first | ||
| args = ['/bin/sh', '-c', "cd /tmp;echo #{elf_base64}|base64 -d>#{filename};chmod +x #{filename};./#{filename}"] |
There was a problem hiding this comment.
is base64 command installed by default on Fedora?
There was a problem hiding this comment.
Also, /tmp is often mounted noexec. At the time the exploit lands, is the current directory writable?
There was a problem hiding this comment.
base64 is installed on my freshly installed Fedora 19 where I only installed the dependencies for tincd.
The current directory when the exploit lands is / and is only writable when the deamon runs as root. When the deamon runs as root the current directory is the better choice, as an unprivileged user /tmp is the better choice. I thought it's probably best if it's customizable, see commit e5a237a
| # | ||
| def handle_write | ||
| # handle encryption queue first | ||
| if @encryption_queue.length > 0 |
There was a problem hiding this comment.
same here, could optionally use unless @encryption_queue.length.empty?
|
awesome stuff @floyd-fuh, some fixes are required (some are optional) before we can land this, but thanks very much for your submission! |
|
@kernelsmith what do you think? I'm ready if you are. |
|
By now this feels like doing responsible disclosure :( |
|
Hey, @floyd-fuh. I'm really sorry about the lack of movement on this. We spoke a bit on IRC about @kernelsmith taking over, but he's probably busy now... I think this is good to go. :) |
|
Merge conflicts were fixed, the rest are just style gripes but not show stoppers. |
|
As commented on #2756 (comment), should have specs for new protocol libraries, but since it's used exactly once I'm not making a federal case out of it. worst that happens is that future changes either break all of framework or break just this module. The first case is easy to spot. |
|
w00t, thanks! |
|
Changes Unknown when pulling 9243cfd on floyd-fuh:master into * on rapid7:master*. |
A pull request to get some feedback. I'd appreciate if you comment as well on the following: