
Add an exploit for CVE-2023-6546 #18790

Closed
wants to merge 2 commits into from
Conversation

@jvoisin jvoisin commented Feb 5, 2024

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Get a session
  • set verbose true
  • use linux/local/gsm_multiplex_priv_esc
  • exploit
  • Enjoy your root shell
  • set payload python/meterpreter/reverse_tcp
  • exploit
  • check that you get the "Inlining the payload inside the exploit." message
  • Enjoy your root shell

This should close #18719

CC @Nassim-Asrir

@jvoisin jvoisin marked this pull request as draft February 5, 2024 22:02
@jvoisin jvoisin marked this pull request as ready for review February 5, 2024 22:29
@zerozenxlabs

Nice one :)

The GitHub URL is incorrect; the correct one is https://github.com/Nassim-Asrir/ZDI-24-020

      [ 'CVE', '2023-6546' ],
      [ 'ZDI', '24-020' ],
      [ 'URL', 'https://github.com/Nassim-Asrir/CVEZDI-24-020' ]

@cdelafuente-r7 cdelafuente-r7 left a comment

Thanks @jvoisin for this module. I left a few comments and suggestions for you to review when you get a chance. Specifically, I recommend using a precompiled binary and patching it with the payload and offsets from the ruby code.

modules/exploits/linux/local/gsm_multiplex_priv_esc.rb (6 review comments, outdated and resolved)
Comment on lines 148 to 149
os_id = cmd_exec('grep ^ID= /etc/os-release')[3..]
output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path} #{os_id}"
Contributor

If we use a precompiled binary, everything can be embedded by patching it. The payload, the offsets, etc. This would avoid having two binaries on disk.

Contributor Author

Is there an example somewhere in metasploit on how to do this properly?

Contributor Author

@jvoisin jvoisin Feb 22, 2024

It seems that I can't manage to compile a static musl binary with correct pthread support, as the call to sched_setscheduler invariably fails.

@cdelafuente-r7
Contributor

@Nassim-Asrir, since this module will use your exploit, a LICENSE is required. I couldn't find one, so I submitted a PR with a standard BSD 3-Clause License.

#define VERBOSE
#define NUM_SPRAY 300
#define EXPLOIT_TRIES 10
#define PYTHON_PAYLOAD "import os; os.setresgid(0, 0, 0); os.setresuid(0, 0, 0); os.execl('/bin/bash', 'bash', '-c', 'export HISTFILE=/dev/null;chmod u-s /usr/bin/python3 /usr/libexec/platform-python 2>/dev/null; rmmod n_gsm; id; exec /bin/bash --norc --noprofile');"
Contributor

The payload is assuming /usr/bin/python3 or /usr/libexec/platform-python exist. This might not work on systems with python2 or with different paths.

If I understand this correctly, this sets sgid and suid to 0 on the python process and spawns a shell as the root user. I'm wondering if it would be possible to be more generic and not rely on python exclusively. I believe we can execute our proper binary payload directly without needing to invoke python. Also, Metasploit payloads have the capability of setting suid themselves (PrependSetuid option).

So, the idea would be to just execute the exploit binary, with the embedded payload, instead of:

output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path} #{os_id}"
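As an added example of the approach suggested in this comment and in the earlier one about embedding everything by patching a precompiled binary (this is illustration code, not code from this PR or from Metasploit): a Ruby sketch of the module-side patching step. The marker string MSFPATCH, the field order (two 64-bit little-endian offsets, a 32-bit payload length, a 256-byte payload slot) and the filler bytes of the stub are assumptions made up for this example; a real stub would have to be compiled with a matching reserved array. The kernel .text address reused below is the one printed in the test run later in the thread and stands in for whatever the module would compute for the target.

```ruby
# Added example, not code from this PR or from Metasploit: patch a precompiled
# exploit stub in place with the payload bytes and the kernel offsets, so the
# module drops a single file instead of an exploit binary plus a payload file.
# Layout assumptions (made up for this example; the C stub would be built with
# a matching `static unsigned char region[...]`):
#   MAGIC (8 bytes) | offset[0] u64 LE | offset[1] u64 LE | payload_len u32 LE | payload slot
MAGIC = 'MSFPATCH'.b
OFFSET_COUNT = 2
PAYLOAD_CAPACITY = 256
HEADER_SIZE = MAGIC.bytesize + OFFSET_COUNT * 8 + 4
REGION_SIZE = HEADER_SIZE + PAYLOAD_CAPACITY

# Constructed stand-in for a precompiled binary: filler "code" bytes on either
# side of the zero-filled, marker-prefixed region.
def build_stub
  code_before = "\x55\x48\x89\xe5".b * 8
  region = MAGIC + ("\x00".b * (REGION_SIZE - MAGIC.bytesize))
  code_after = "\xc9\xc3".b * 8
  code_before + region + code_after
end

# Locate the region. Refuse to guess when the marker is missing or not unique:
# writing into the wrong bytes would corrupt the binary without any error.
def find_region(bin)
  first = bin.index(MAGIC)
  raise 'patch marker not found' if first.nil?
  raise 'patch marker is not unique' if bin.index(MAGIC, first + 1)
  raise 'patch region truncated' if first + REGION_SIZE > bin.bytesize
  first
end

# Return a patched copy of +binary+ with +offsets+ and +payload+ written into
# the region. The binary's size and everything outside the region are unchanged.
def patch_binary(binary, offsets:, payload:)
  raise ArgumentError, "expected #{OFFSET_COUNT} offsets" unless offsets.size == OFFSET_COUNT
  if payload.bytesize > PAYLOAD_CAPACITY
    raise ArgumentError, "payload is #{payload.bytesize} bytes, slot holds #{PAYLOAD_CAPACITY}"
  end
  bin = binary.b                      # String#b returns a binary-encoded copy
  start = find_region(bin)
  header = MAGIC + offsets.pack('Q<*') + [payload.bytesize].pack('L<')
  slot = payload.b + ("\x00".b * (PAYLOAD_CAPACITY - payload.bytesize))
  bin[start, REGION_SIZE] = header + slot
  bin
end

# Parse the region back. This mirrors what the C stub does at startup and lets
# the module verify the patch before uploading the file.
def read_region(binary)
  bin = binary.b
  start = find_region(bin)
  offsets = bin[start + MAGIC.bytesize, OFFSET_COUNT * 8].unpack('Q<*')
  len = bin[start + MAGIC.bytesize + OFFSET_COUNT * 8, 4].unpack1('L<')
  { offsets: offsets, payload: bin[start + HEADER_SIZE, len] }
end

if $PROGRAM_NAME == __FILE__
  stub = build_stub
  # 0xffffffffb0800000 is the kernel .text address printed in the thread's test
  # run; it stands in here for whatever the module computed for the target.
  patched = patch_binary(stub, offsets: [0xffffffffb0800000, 0x1a2b3c], payload: "\xcc".b * 16)
  p read_region(patched)
end
```

In a module the offsets would come from the per-kernel table and the payload from `generate`, and the patched bytes would be written once with `write_file`; because the slot is fixed-size, the size check in `patch_binary` is what stops an oversized payload from silently overwriting the code that follows the region.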

Contributor Author

@jvoisin jvoisin Feb 20, 2024

It might™ be possible to not rely on the python interpreter, but since the payload is carefully crafted to call chmod u+s python, it's less trivial than what I've done, namely:

  • if the payload is ARCH_PYTHON, inline it and compile the exploit locally (is there a mixin to do this by the way?)
  • otherwise, use an external binary

What do you think?

@jvoisin jvoisin marked this pull request as draft February 9, 2024 20:51
Several things were changed in the original exploit.c:

- Allow python payload to use an inline payload, so that a secondary binary
  isn't needed. There is likely some way to do this with other things than
  python, but since the "make the python interpreter setuid" command is
  hardcoded in the chain, it's less trivial than simply patching the python
  payload.
- Offsets are moved onto the metasploit module, making them easier to modify
  and expand.
@jvoisin jvoisin marked this pull request as ready for review February 20, 2024 23:58
@cdelafuente-r7
Contributor

Thank you for updating this @jvoisin . I'm sorry I couldn't get back to your module earlier.

I tried to run the module against Ubuntu 20.04.4 with different kernel versions and it failed. I also couldn't make the original exploit work either.
I tried against 5.8.0-29-generic, 5.4.0-40-generic and 5.4.0-29-generic

$ ./exploit ubuntu
[+] Attempt 1/10
[+] Found kernel '5.4.0-54-generic' [run_cmd]
[+] Found kernel .text, 0xffffffffb0800000
[!] need at least 3 cores ideally, found 2
[-] Fatal: ioctl (Invalid argument) (line 909)

I'm wondering if the exploit works against Ubuntu on VM? Please, would you mind giving more details on the targets you've tested?

@jvoisin
Contributor Author

jvoisin commented Mar 26, 2024

It's been a long time now, and I've deleted my lab and I don't think I'll have the time to look at this in a while :/

@jvoisin jvoisin closed this Mar 26, 2024
Successfully merging this pull request may close these issues.

CVE-2023-6546/ZDI-24-020 — Linux LPE