SHOW:
|
|
- or go back to the newest paste.
| 1 | Source: https://twitter.com/vnik5287/status/748843859065483264 | |
| 2 | ||
| 3 | /** | |
| 4 | * Ubuntu 16.04 local root exploit - netfilter target_offset OOB | |
| 5 | * check_compat_entry_size_and_hooks/check_entry | |
| 6 | * | |
| 7 | * Tested on 4.4.0-21-generic. SMEP/SMAP bypass available in descr_v2.c | |
| 8 | * | |
| 9 | * Vitaly Nikolenko | |
| 10 | * vnik@cyseclabs.com | |
| 11 | * 23/04/2016 | |
| 12 | * | |
| 13 | * | |
| 14 | * ip_tables.ko needs to be loaded (e.g., iptables -L as root triggers | |
| 15 | * automatic loading). | |
| 16 | * | |
| 17 | * vnik@ubuntu:~$ uname -a | |
| 18 | * Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux | |
| 19 | * vnik@ubuntu:~$ gcc decr.c -m32 -O2 -o decr | |
| 20 | * vnik@ubuntu:~$ gcc pwn.c -O2 -o pwn | |
| 21 | * vnik@ubuntu:~$ ./decr | |
| 22 | * netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik | |
| 23 | * [!] Decrementing the refcount. This may take a while... | |
| 24 | * [!] Wait for the "Done" message (even if you'll get the prompt back). | |
| 25 | * vnik@ubuntu:~$ [+] Done! Now run ./pwn | |
| 26 | * | |
| 27 | * vnik@ubuntu:~$ ./pwn | |
| 28 | * [+] Escalating privs... | |
| 29 | * root@ubuntu:~# id | |
| 30 | * uid=0(root) gid=0(root) groups=0(root) | |
| 31 | * root@ubuntu:~# | |
| 32 | * | |
| 33 | */ | |
| 34 | ||
| 35 | Proof of Concept: | |
| 36 | https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40053.zip | |
| 37 | https://cyseclabs.com/exploits/target_offset_vnik.zip |
