Rapid7 Vulnerability & Exploit Database

Linux Kernel 4.6.3 Netfilter Privilege Escalation

Back to Search

Linux Kernel 4.6.3 Netfilter Privilege Escalation



This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation: Ubuntu: 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such) 2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile Kernel 4.4.0-31-generic and newer are not vulnerable. This exploit does not bypass SMEP/SMAP. We write the ascii files and compile on target instead of locally since metasm bombs for not having cdefs.h (even if locally installed)


  • h00die <mike@stcyrsecurity.com>
  • vnik
  • Jesse Hertz
  • Tim Newsham




x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/local/netfilter_priv_esc_ipv4
msf exploit(netfilter_priv_esc_ipv4) > show targets
msf exploit(netfilter_priv_esc_ipv4) > set TARGET < target-id >
msf exploit(netfilter_priv_esc_ipv4) > show options
    ...show and set options...
msf exploit(netfilter_priv_esc_ipv4) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security