linux payloads metasploit

[stboon]

Hi
There seems to be too few linux payloads for metasploits. The ones like adduser or chroot requires root access.
What if the exploited service runs on a less priveledged account? It seems useless to shove a shell back to the
attacker when the exploited service runs on a less priviledged account.

e.g.
#bt~ whoami
mysql
apache

I would like to know how to escalate priviledges on a linux system.

[lupin]

It seems useless to shove a shell back to the attacker when the exploited service runs on a less priviledged account.

I disagree. An unprivileged shell is much better than no shell at all. It can help you run commands necessary to escalate your privileges to root. It also may give you enough rights to acquire your objective - e.g. you will be able to read certain files on the system, you will be able to send network traffic and potentially use the system as a pivot, etc, etc.

I would like to know how to escalate priviledges on a linux system.

Use a privilege escalation exploit. They usually involve either exploiting the Linux kernel or a kernel module, exploiting a program that is running as root or exploiting a program that can be made to run as root (e.g. a SUID binary). Search the Exploit DB for local exploits on Linux, you should be able to find a few.

If you also read up on privileges in Linux and the various ways to run something as root you will also learn how to check for configuration flaws that may lead to the possibility of privilege escalation. From memory, Hacking Exposed has a chapter on this. This blog entry also has some hints in this direction.

[purehate]

Also you are not accounting for systems which are administered badly. Its amazing the amount of places that run web apps and cronjobs as root or give the apache user loose privileges in order to access certain areas. There are lots of ways to escalate your privs on a linux box.

[thorin]

This would seem to be more of a request for the actual Metasploit devs. If you think there are too few exploits for Linux you should:

1) Take it up with the people who actually develop/maintain Metasploit (http://www.metasploit.com/).
2) Produce and contribute some (http://www.metasploit.com/contribute/).

Metasploit is simply included as part of Backtrack the BT team does not control how many exploits Metasploit offers for a particular platform or target.

[opreat0r]

Index of /scripts/downloaded/localroot

included recent binary for the BSD exploit :P

[stboon]

T.Q. for the links...
Here is another tool National Vulnerability Database (NVD) Search Vulnerabilities