module
Linux Kernel 4.6.3 Netfilter Privilege Escalation
| Disclosed | Created |
|---|---|
| Jun 3, 2016 | May 30, 2018 |
Disclosed
Jun 3, 2016
Created
May 30, 2018
Description
This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently
only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic.
Several conditions have to be met for successful exploitation:
Ubuntu:
1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)
2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile
Kernel 4.4.0-31-generic and newer are not vulnerable. This exploit does not bypass SMEP/SMAP.
We write the ascii files and compile on target instead of locally since metasm bombs for not
having cdefs.h (even if locally installed)
only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic.
Several conditions have to be met for successful exploitation:
Ubuntu:
1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)
2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile
Kernel 4.4.0-31-generic and newer are not vulnerable. This exploit does not bypass SMEP/SMAP.
We write the ascii files and compile on target instead of locally since metasm bombs for not
having cdefs.h (even if locally installed)
Authors
h00die mike@stcyrsecurity.com
vnik
Jesse Hertz
Tim Newsham
vnik
Jesse Hertz
Tim Newsham
Platform
Linux
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.