finished impl for CVE-2023-0386 #17
Conversation
Everything seems to be working, but: Please run the exploit from the "command" parameter in cvex.yml. Do not run it from the Ansible playbook. This way the playbook only installs the vulnerable service, CVEX takes a screenshot of the VM with it, and only then CVEX runs the exploit.
I pushed the new changes; there might be an SSH connection problem since it requires a reboot. For local testing, I added a function named `upload_file`:

```python
import paramiko  # SSHException is one of the two error types caught below

# Methods of the SSH session class; self.ssh is the transfer client,
# self.log the logger and self._reconnect() re-establishes the session.
def upload_file(self, local: str, dest: str):
    """
    Upload a file to the remote server. Retry on connection loss.
    """
    self.log.info("Uploading %s -> %s...", local, dest)
    try:
        self.ssh.put(local, dest)
    except (paramiko.SSHException, OSError) as e:
        if "Socket is closed" in str(e):
            # The socket dropped (e.g. across the reboot): reconnect and retry.
            # Retries until the upload succeeds or a different error is raised.
            self.log.warning("SSH connection lost during upload. Attempting to reconnect...")
            self._reconnect()
            self.upload_file(local, dest)
        else:
            raise

def download_file(self, local: str, dest: str):
    """
    Download a file from the remote server. Retry on connection loss.
    """
    self.log.info("Downloading %s -> %s...", dest, local)
    try:
        self.ssh.get(dest, local)
    except (paramiko.SSHException, OSError) as e:
        if "Socket is closed" in str(e):
            # Same reconnect-and-retry handling as in upload_file.
            self.log.warning("SSH connection lost during download. Attempting to reconnect...")
            self._reconnect()
            self.download_file(local, dest)
        else:
            raise
```
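As an added example (not code from this PR or from CVEX), the same reconnect-and-retry idea with a bounded attempt count, exercised against a constructed flaky connection; `transfer_with_reconnect`, `TransferError` and `FlakyConnection` are hypothetical names, and only `OSError` is caught (the type paramiko raises for a closed channel) so it runs without paramiko installed.

```python
import logging
from typing import Callable

log = logging.getLogger("cvex")

class TransferError(RuntimeError):
    """The transfer still failed after every reconnect attempt."""

def transfer_with_reconnect(action: Callable[[], None], reconnect: Callable[[], None],
                            max_attempts: int = 3) -> int:
    """Run `action`; when the SSH socket drops, call `reconnect` and retry.

    Returns the attempt number that succeeded. The bounded loop replaces the
    posted code's unbounded recursion: a link that never recovers ends in a
    TransferError after `max_attempts` tries instead of a RecursionError.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            action()
            return attempt
        except OSError as e:  # paramiko raises OSError("Socket is closed") on a dead channel
            if "Socket is closed" not in str(e):
                raise  # e.g. PermissionError: not a transient drop, propagate unchanged
            if attempt == max_attempts:
                raise TransferError(f"gave up after {attempt} attempts: {e}") from e
            log.warning("SSH connection lost (attempt %d/%d), reconnecting...", attempt, max_attempts)
            reconnect()
    raise ValueError("max_attempts must be >= 1")

class FlakyConnection:
    """Constructed stand-in for the SSH client (hypothetical, not CVEX's own):
    the socket drops `failures` times, then the upload goes through."""

    def __init__(self, failures: int):
        self.failures, self.reconnects, self.uploaded = failures, 0, []

    def put(self, local: str, dest: str) -> None:
        if self.failures > 0:
            self.failures -= 1
            raise OSError("Socket is closed")
        self.uploaded.append((local, dest))

    def reconnect(self) -> None:
        self.reconnects += 1

def upload_file(conn, local: str, dest: str, max_attempts: int = 3) -> int:
    """Upload `local` to `dest` over `conn`; returns the number of attempts used."""
    log.info("Uploading %s -> %s...", local, dest)
    return transfer_with_reconnect(lambda: conn.put(local, dest), conn.reconnect, max_attempts)
```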
CVE-2023-0386/cvex.yml (Outdated)

```yaml
playbook: ubuntu.yml
command:
- "cd /usr/local/bin && ./exp"
```

Remove unnecessary empty lines
CVE-2023-0386/ubuntu.yml (Outdated)

```yaml
  args:
    executable: /bin/bash

- name: Output instructions for CVEX
```
Remove this command. The intention is to have a clean Ansible playbook that could be shared.
Having binaries is not great. Can we have the source code and then build it during the Ansible run? Or, if it is a super long and tedious process, could you at least add the source code of the binaries to the data folder? Thank you for the SSH _reconnect() function, I believe I had encountered it sporadically as well. Could you please create a pull request with these changes on https://github.com/ucsb-seclab/CVEX/?
```yaml
ubuntu:
  playbook: ubuntu.yml
  command:
  - "cd /usr/local/bin && ./exp"
```
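Review bot: the `cd /usr/local/bin && ./exp` command makes /usr/local/bin the exploit's working directory, and the log that follows shows `exp: mkdir ./ovlcap: Permission denied`, i.e. the binary creates its overlay directory relative to the cwd, which the executing user evidently cannot write to; the `[+] exploit success!` line is printed before that mkdir is attempted, so it does not confirm anything. Suggest running the binary from a directory the command's user can write to and printing the success line only after the steps it depends on have actually succeeded.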
It gives me this:

```text
2024-11-20 12:33:22,381 - INFO - [ubuntu] Executing 'cd /usr/local/bin && ./exp'...
2024-11-20 12:33:22,474 - INFO - [ubuntu] [+] exploit success!2024-11-20 12:33:22,474 - INFO - [ubuntu] exp: mkdir ./ovlcap: Permission denied
sh: 1: ./ovlcap/upper/file: not found
```
Why do we see "Permission denied" after "exploit success!"? Is it OK?
In my local test without Ansible, it gives "exploit success!", followed by: sh: ... (waiting for prompt). I'll look into this.
I just thought... is it really that hard to build the source code? Shouldn't it be a simple gcc run, no? Could you please try to build it in the Ansible playbook and then use that version during execution?
Yes, I'll do that. Previously it was troublesome to do on a different Ubuntu version: you'll have to modify the package source, since the Ubuntu version might no longer be supported. I'll modify it to compile locally.
To install gcc, we need to add Building exp.c:
Building fuse.c:
What is the Also, "Permission denied" still remains.