Update version check

2018-12-15 05:39:50 +00:00 · 2018-12-15 05:39:50 +00:00 · b8e134b95d
parent 68d451711b
commit b8e134b95d
1 changed files with 15 additions and 14 deletions
--- a/modules/exploits/linux/local/bpf_priv_esc.rb
+++ b/modules/exploits/linux/local/bpf_priv_esc.rb
@ -21,18 +21,21 @@ class MetasploitModule < Msf::Exploit::Local
        does not properly reference count file descriptors, resulting
        in a use-after-free, which can be abused to escalate privileges.

-        The target system must be compiled with CONFIG_BPF_SYSCALL
-        and must not have kernel.unprivileged_bpf_disabled set to 1.
+        The target system must be compiled with `CONFIG_BPF_SYSCALL`
+        and must not have `kernel.unprivileged_bpf_disabled` set to 1.

-        Ubuntu kernels prior to 4.4.0-22-generic are vulnerable.
+        This module has been tested successfully on:

-        This module has been tested successfully on Ubuntu 16.04 (x64)
-        kernel 4.4.0-21-generic.
+        Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel);
+        Ubuntu 16.04 (x64) kernel 4.4.0-38-generic;
+        Ubuntu 16.04 (x64) kernel 4.4.0-42-generic;
+        Ubuntu 16.04 (x64) kernel 4.4.0-98-generic;
+        Ubuntu 16.04 (x64) kernel 4.4.0-140-generic.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
-          'jannh@google.com',                    # discovery
+          'jannh@google.com',                    # discovery and exploit
          'h00die <mike@shorebreaksecurity.com>' # metasploit module
        ],
      'Platform'       => ['linux'],
@ -47,6 +50,9 @@ class MetasploitModule < Msf::Exploit::Local
          ['EDB', '39772'],
          ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=808'],
          ['URL', 'https://usn.ubuntu.com/2965-1/'],
+          ['URL', 'https://launchpad.net/bugs/1578705'],
+          ['URL', 'http://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-22.39/changelog'],
+          ['URL', 'https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4557.html'],
          ['URL', 'https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7']
        ],
      'Targets'        =>
@ -64,6 +70,7 @@ class MetasploitModule < Msf::Exploit::Local
        {
          'AKA' =>
            [
+              'double-fdput',
              'doubleput.c'
            ]
        },
@ -174,14 +181,6 @@ class MetasploitModule < Msf::Exploit::Local
      vprint_error "Kernel version #{release} is not vulnerable"
      return CheckCode::Safe
    end
-
-    # Ubuntu kernel version check
-    if release =~ /^4\.4\.0-(\d+)-generic/
-      if $1.to_i > 21
-        vprint_error "Kernel version #{release} is not vulnerable"
-        return CheckCode::Safe
-      end
-    end
    vprint_good "Kernel version #{release} appears to be vulnerable"

    lib = cmd_exec('dpkg --get-selections | grep ^fuse').to_s
@ -537,6 +536,8 @@ class MetasploitModule < Msf::Exploit::Local
  def cleanup
    cmd_exec "killall #{@hello_name}"
    cmd_exec "killall #{@doubleput_name}"
+  ensure
+    super
  end

  def on_new_session(session)