Add glibc $ORIGIN Expansion Privilege Escalation exploit #9467
Conversation
This one's a "classic" fave! ;)
Ubuntu 10.04 x64
did a rebase, compiles now.
(waiting on my centos 5.5 to finish downloading)
since the
I'm hesitant to fail on all versions of Ubuntu. As you suggest, documentation suggests that Ubuntu is affected. Killing the session is bad. I might have to implement the same workaround as the other glibc module:

```ruby
# The echo at the end of the command is required
# else the original session may die
output = cmd_exec "#{exp_path}& echo "
```

This only seems to be necessary for shell sessions.
I have to do some ESX patching, then get centos 5.5 installed, so you've got a little time to test changes
Latest commit seems to have fixed premature session termination for shell sessions on Ubuntu. As for
centos 5.5 doesn't play nice on my esxi, no mouse, no nic, and that was as far as I cared to go. Switching to Fedora 13, hopefully better results.
confirmed ubuntu session is no longer killed
Excellent. The premature termination of shell sessions upon backgrounding a program during a
Fedora 13 was a good test
also good on meterp for fedora13
merged this, not sure why (unless it's just delayed) it's still saying open.... It may be worth throwing in a comment to the docs about Ubuntu being vulnerable, but the exploit not working against it. Figured that could be a quick add to the docs, and didn't want to hold this up any longer over a one-liner.
Release Notes

The exploits/linux/local/glibc_origin_expansion_priv_esc module has been added to the framework. This module abuses a vulnerability in the GNU C Library (glibc) dynamic linker on older (Fedora 13, CentOS 5.5) operating systems for privilege escalation.
Ah, I think yesterday I may have done a rebase to get that.
Thanks. Yeah I'd say that's what happened. I'm not sure if it's best practice for a PR author to rebase within a PR? It would drag the merge into master. Not a big deal I guess. I'll create a separate PR for the minor doco updates. Closed this PR. |
Add glibc $ORIGIN Expansion Privilege Escalation exploit.

Verification

```
msfconsole
use exploit/linux/local/glibc_origin_expansion_priv_esc
set SESSION <ID>
run
```

Example Output