WIP: LPE CVE-2024-1086 #19625
Draft
WIP: LPE CVE-2024-1086 #19625
+382
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jvoisin
reviewed
Nov 8, 2024
Comment on lines
+81
to
+91
| release = kernel_release | ||
| if ( | ||
| Rex::Version.new(release.split('-').first) >= Rex::Version.new('5.15.0') && | ||
| Rex::Version.new(release.split('-').first) < Rex::Version.new('6.0') | ||
| ) || | ||
| ( | ||
| Rex::Version.new(release.split('-').first) < Rex::Version.new('6.6') && | ||
| Rex::Version.new(release.split('-').first) >= Rex::Version.new('6.0') | ||
| ) | ||
| return CheckCode::Appears("Kernel version #{release} appears to be vulnerable") | ||
| end |
There was a problem hiding this comment.
Suggested change
| release = kernel_release | |
| if ( | |
| Rex::Version.new(release.split('-').first) >= Rex::Version.new('5.15.0') && | |
| Rex::Version.new(release.split('-').first) < Rex::Version.new('6.0') | |
| ) || | |
| ( | |
| Rex::Version.new(release.split('-').first) < Rex::Version.new('6.6') && | |
| Rex::Version.new(release.split('-').first) >= Rex::Version.new('6.0') | |
| ) | |
| return CheckCode::Appears("Kernel version #{release} appears to be vulnerable") | |
| end | |
| release = kernel_release().split('-').first | |
| if release.between(Rex::Version.new('5.15.0'), Rex::Version.new('6.0')) | |
| return CheckCode::Appears("Kernel version #{release} appears to be vulnerable") | |
| elsif release.between(Rex::Version.new('6.0'), Rex::Version.new('6.6')) | |
| return CheckCode::Appears("Kernel version #{release} appears to be vulnerable") | |
| end |
but it seems that this can be simplified even further to:
release = kernel_release().split('-').first
if release.between(Rex::Version.new('5.15.0'), Rex::Version.new('6.6'))
return CheckCode::Appears("Kernel version #{release} appears to be vulnerable")
end
| end | ||
|
|
||
| def check_musl_tools? | ||
| lib = cmd_exec('dpkg --get-selections | grep musl-tools') |
There was a problem hiding this comment.
This will only work on Debian :/
| zip.add_file(file.split('CVE-2024-1086/')[1], file_contents) | ||
| end | ||
| print_status('Finished creating exploit source zip, uploading...') | ||
| zip_path = "#{nested_base}/.#{rand_text_alphanumeric(5..10)}.zip" |
There was a problem hiding this comment.
Can't the files be concatenated instead?
| fail_with Failure::BadConfig, "#{base_dir} is not writable" | ||
| end | ||
|
|
||
| nested_base = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" |
There was a problem hiding this comment.
A couple of IDS are flagging binary execution happening instead hidden folders. I think it'd be better to let the user specify the full path of the folder.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #19153
WIP exploit for CVE-2024-1086 . Running the exploit by hand on the box seems fairly reliable. However running it through metasploit currently results in about 75% hard lock of the box either instantly, or within 6min. 25% of the time its perfect though!
Only been testing the live build functionality, not the 'drop a pre-complied binary' branch
I forgot to bring along a bunch of the library files as well, so need to add those back.