The 'fusermount' binary, part of the FUSE system in Linux, executes the /bin/mount binary with the ruid set to 0 without clearing the environment variables supplied by unprivileged users. Local unprivileged users can exploit this flaw to gain root privileges by using the functionality of the LIBMOUNT_MTAB environment variable to overwrite an arbitrary file on the affected system. This module will try to overwrite the /etc/bash.bashrc file, which is executed every time any user spawns an interactive Bash shell. That means a new agent will be deployed every time any user opens a new interactive shell (login or non-login) on the vulnerable machine. Note that this also means the installed agents will run with the privileges of the users who launched those interactive shells. Unlike other privilege escalation exploits, this module will not stop after installing the first agent; it will keep running until an agent with root permissions is installed (that is, if the root user happens to run an interactive shell on the vulnerable machine) or until the user-specified time limit is reached, whichever happens first. Note that non-root agents will be kept, since they can still be valuable despite lacking superuser privileges.
This module exploits a command injection vulnerability in HP Client Automation. The flaw exists in the radexecd.exe component, which listens on TCP port 3465 by default. When handling a remote execution request, the process does not properly authenticate the user issuing the request, and the command to be executed is not properly sanitized either. A remote attacker can exploit this vulnerability to execute arbitrary code in the context of SYSTEM. Authentication is not required to exploit this vulnerability.
This exploit abuses a persistent cross-site scripting vulnerability in WordPress to install an OS agent on the server hosting the WordPress installation. To do this, it posts a comment containing the cross-site scripting code for every selected target. The injected code attempts to install a WordPress plugin every time the comment is rendered, and it immediately removes itself from the DOM so that it is neither visible nor executed again until the page containing it is opened again. The attack succeeds when someone visits the page with the attack while logged in with administrator credentials. It should have no effect on visitors who are not logged in or who lack sufficient permissions to install a plugin. If the comment is queued for moderation, the attack will continue only if the comment is approved. Because the contents of the comment are quite clearly an XSS attack, it is better to avoid moderation of the comment. The following attack steps are therefore recommended.
Using 'Verification Mode': Turn on the 'Verification Mode' provided by this module by means of the 'VERIFICATION MODE ON' parameter. Complete the 'Verification Mode' parameters. Run the module. Verify the post to attack (i.e., open it in a web browser). If the comment appears without the need for moderation, you can attack the page directly. Otherwise, wait until the comment is approved, and then conduct the attack with verification mode turned off.
Using 'Web Proxy': Navigate to the WordPress post you intend to use as a target and add a comment. Do not use Impact's 'Web Proxy' module while doing so. If the comment is moderated, wait for it to be approved. Configure the current scenario to use the same user agent as your browser. Run the 'Web Proxy' module and configure your web browser to use it. Visit the same post with the proxy configured: the cookies captured by the 'Web Proxy' module will be used for the attack, as will the same author name and author email. Run this module against the blog post URL discovered by the 'Web Proxy'.
The target web page must be a WordPress post. The module will attempt to read certain values from the comment posting form, for which it will first make a request to the post. It will then make a POST request to a different URL (the action of that form) to create the comment containing the attack code. Keep in mind that, for comments to be approved automatically, the request should be made from the same IP address, with the same user agent, the same author name, and the same author email. In all cases, you will need to wait for a logged-in administrator to visit the post. The attack will be executed on an 'onmouseover' event on the page containing the comment. If you choose to post the attack without using the cookies and other request values that help avoid moderation, you should provide an author name and author email in the Advanced parameters. If these are not provided, dummy values will be used, further reducing the chances of the comment being approved. On some systems, by default, the owner of the WordPress plugins directory differs from the user running the HTTP server, so plugin installation works differently from what the current implementation of this module expects; in those cases, the attack will fail even though the vulnerability is present. If the plugin installation succeeds, an agent will be installed, and both the comment and the plugin will be removed from WordPress. This module will keep waiting for agent connections until it is manually stopped.
This module runs a DHCP server. When requests (DHCPREQUEST or DHCPDISCOVER) are received, it responds with an offer according to the given configuration, and it includes in the DHCP 'default-url' option a string that leverages the GNU Bash Environment Variables Injection vulnerability to register a crond script, which subsequently downloads and executes an Impact agent using the target system's wget. The injection is tried once per MAC address. Keep in mind that a successful attack requires the attacked hosts to have connectivity to Impact's web server after the attack, which might change the target's network settings, so consider changing the source agent for the web server module if you are attacking from an agent other than /localagent. Also, if the source agent is running on a host with more than one network interface, be sure to select the appropriate one for the network you are attacking, so that the module receives and responds on the correct network. This module requires that the pcap plugin be installed.
This module exploits a vulnerability in the Linux kernel. The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process on kernels built with CONFIG_USER_NS=y and where overlayfs has the FS_USERNS_MOUNT flag, which allows overlayfs to be mounted inside unprivileged mount namespaces.