Linux Kernel OverlayFS local privilege escalation
CVE-2023-0386 is a local privilege escalation flaw in the Linux kernel's OverlayFS subsystem. The bug is in the copy-up logic, specifically ovl_copy_up_one(), which retrieved and applied lower-layer file metadata without first validating that the file's UID/GID had valid mappings in the current user namespace. In the vulnerable case, an attacker can cause OverlayFS to copy a file from a lower layer, including privileged metadata such as root ownership, SUID mode bits, and file capabilities, from a nosuid or otherwise attacker-controlled source into an upper layer. Public analysis describes exploitation using a FUSE-backed lower directory that reports a root-owned SUID file; when OverlayFS copies that file up, the resulting file may retain privileged metadata and become executable with elevated privileges. The flaw was fixed by adding UID/GID mapping validation checks, including kuid_has_mapping() and kgid_has_mapping(), before copy-up proceeds.
Exploits
9 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
Repository purpose: a Go proof-of-concept exploit for CVE-2023-0386 (Linux OverlayFS/FUSE local privilege escalation). It sets up a FUSE filesystem that exposes a single file named 'shell' whose attributes are manipulated (SUID bit and root ownership) during OverlayFS copy-up, resulting in a SUID-root executable on the host filesystem.
Structure:
- README.md: usage notes (run ./main /tmp/fuse; compile payload as ./shell; expect SUID binary under /tmp/ovl_merged/).
- main.go: core exploit logic. Creates overlay directories, mounts a FUSE filesystem at a user-supplied mountpoint, then re-execs itself inside a new user+mount namespace (CLONE_NEWUSER|CLONE_NEWNS) with uid/gid mapped to 0 in the namespace. In the namespace it mounts OverlayFS with lowerdir pointing to the FUSE mount and merged at /tmp/ovl_merged. It then touches /tmp/ovl_merged/shell to trigger copy-up.
- overlay.go: helper functions/constants for directory creation and mounting OverlayFS via the system 'mount' command. Hardcoded paths under /tmp: /tmp/fuse/, /tmp/ovl_upper/, /tmp/ovl_internal_workdir/, /tmp/ovl_merged/.
- file.go: reads the payload binary from ./shell, provides touchFile() to trigger copy-up, and executeBinary() (commented out in main) to run /tmp/ovl_merged/shell.
- payload/shell.go: payload program that attempts setgid(0)/setuid(0) and then execs /bin/bash, yielding a root shell when executed as a SUID-root binary.
Exploit capabilities:
- Local LPE: produces a SUID-root executable by abusing OverlayFS copy-up behavior with a FUSE-provided file node.
- Post-exploitation: spawns an interactive root bash shell via the payload.
No network I/O is present; all observables are local filesystem paths and invoked system commands (mount, touch, exec of /bin/bash).
Repository purpose: local privilege escalation PoC for CVE-2023-0386 (Linux kernel OverlayFS capability/uid-mapping bug) using a FUSE-backed lowerdir to smuggle a SUID-root executable into an OverlayFS upperdir, then execute it to obtain a root shell.
Structure and roles:
- exp.c: Main exploit driver. Creates ./ovlcap/{work,lower,upper,merge}, unshares into new user+mount namespaces, writes /proc/self/{setgroups,uid_map,gid_map} to map the invoking user to uid/gid 0 inside the namespace, mounts an OverlayFS at ./ovlcap/merge with lowerdir=./ovlcap/lower (FUSE mount), upperdir=./ovlcap/upper, workdir=./ovlcap/work. It then creates ./ovlcap/merge/file to trigger copy-up into upperdir. After the child finishes, the parent executes ./ovlcap/upper/file (expected to be a SUID-root binary) via system().
- fuse.c: FUSE filesystem server. Takes two args: [mount path] and [shell path]. It reads the bytes of the provided shell payload (README uses ./gc built from getshell.c) into memory and exposes a single file /file with mode 04777 (SUID root) and uid/gid 0 via getattr. Reads return the payload bytes. This FUSE mount is used as the OverlayFS lowerdir.
- getshell.c: Payload binary. Attempts setuid(0)/setgid(0) and launches /bin/bash. When executed with effective uid 0 (via the copied-up SUID bit), it yields a root shell.
- test/fuse_test.c and test/mnt.c: Development/testing utilities for FUSE callbacks and overlay mounting; not required for the main PoC flow.
- Makefile: Builds three binaries: fuse (static, links libfuse), exp (links libcap though capability APIs are mostly unused), and gc (getshell payload).
Exploit flow (as intended by README):
1) Run FUSE server: ./fuse ./ovlcap/lower ./gc (mounts a FUSE FS at ./ovlcap/lower exposing /file as a SUID-root executable containing gc bytes).
2) Run ./exp which mounts OverlayFS using that FUSE mount as lowerdir, triggers copy-up by creating/operating on a file in the merged mount, and finally executes the resulting file from upperdir to pop a root shell.
No network activity is present; all actions are local filesystem, namespace, and mount operations.
This repository contains a proof-of-concept (POC) local privilege escalation exploit for CVE-2023-0386, targeting the Linux kernel's OverlayFS and FUSE subsystems. The main file, 'CVE-2023-0386-exp.c', is a C program that sets up a custom FUSE filesystem exposing a SUID root ELF binary at '/hello'. It then orchestrates the creation of several directories and mounts an OverlayFS instance, leveraging the vulnerability to copy the SUID binary into the overlay, resulting in a root-privileged executable. The exploit requires local access, FUSE and OverlayFS support, and a writable directory not mounted with 'nosuid'. The README provides compilation and usage instructions. No network endpoints are present; all actions are local filesystem operations. The repository is structured simply, with one exploit source file and a README.
This repository contains a single Python exploit script ('poc.py') that leverages FUSE and OverlayFS to escalate privileges on a Linux system. The script creates a custom FUSE filesystem that serves a setuid-root payload binary ('a.out'). It then uses Linux namespaces and OverlayFS to trick the system into creating a setuid-root binary outside the namespace, which can be executed to obtain a root shell. The exploit is operational and demonstrates a full privilege escalation chain, including payload creation, filesystem manipulation, and cleanup. The main attack vector is local privilege escalation, requiring the attacker to have code execution on the target system with the ability to use FUSE and user namespaces. The repository is self-contained, generating the C payload on the fly and compiling it as part of the exploit process.
This repository contains a local privilege escalation exploit for Linux systems, specifically targeting the overlayfs vulnerability CVE-2023-0386. The exploit is implemented in C and consists of several components:
- `exp.c`: The main exploit orchestrator. It sets up the required overlayfs directory structure, manipulates user and mount namespaces, and triggers the vulnerability by mounting an overlay filesystem with controlled parameters. It also interacts with /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map to set up the namespace mappings.
- `fuse.c`: Implements a FUSE-based filesystem that serves a file with SUID root permissions. This is used as part of the exploit chain to inject a payload (the getshell binary) into the overlayfs mount.
- `getshell.c`: A simple payload that sets UID and GID to 0 and spawns a root shell (/bin/bash).
- `test/fuse_test.c` and `test/mnt.c`: Test and demonstration code for FUSE and overlayfs mounting, not directly part of the exploit chain but useful for development and validation.
- `Makefile` and `README.md`: Build instructions and usage guide.
The README describes running the FUSE server in one terminal and the exploit in another, resulting in privilege escalation. The exploit requires local access and the ability to execute binaries and mount FUSE filesystems. If successful, it provides a root shell to the attacker. The code is operational and includes a working payload, but is not part of a larger exploitation framework.
This repository contains a local privilege escalation exploit for Linux systems, specifically targeting the overlayfs vulnerability (CVE-2023-0386). The exploit is implemented in C and consists of several components:
- `exp.c`: The main exploit orchestrator. It sets up the required overlayfs directories, manipulates user and group namespaces, mounts an overlay filesystem, and triggers the vulnerability.
- `fuse.c`: Implements a FUSE filesystem that is used as part of the exploit chain. It provides a file with SUID root permissions and serves the payload.
- `getshell.c`: The payload binary, which sets UID and GID to 0 and spawns a root shell (`/bin/bash`).
- `test/fuse_test.c` and `test/mnt.c`: Test and utility programs for experimenting with FUSE and overlayfs mounting, not directly part of the exploit chain.
- `Makefile` and `README.md`: Build instructions and usage guide.
The exploit works by running the FUSE server in one terminal (serving the payload) and then executing the exploit in another terminal. The exploit manipulates overlayfs and user namespaces to create a SUID root binary, which is then executed to obtain a root shell. The attack vector is local, requiring the attacker to execute code on the target system. Several fingerprintable file paths are used for the overlayfs setup and namespace manipulation. The exploit is operational and provides a working root shell payload.
This repository contains a local privilege escalation exploit for CVE-2023-0386, targeting the Linux kernel's overlay filesystem (overlayfs) in versions 5.11 to 5.19. The exploit is implemented in C (exp.c) and leverages FUSE to create a virtual filesystem exposing a SUID root shell binary (embedded as hello_str). The exploit orchestrates the following steps: (1) mounts a FUSE filesystem with the SUID shell, (2) creates the necessary overlayfs directories (upperdir, workdir, overlaydir), (3) uses unshare to enter new user, mount, and PID namespaces, (4) mounts an overlay filesystem with the FUSE mount as the lowerdir and a writable upperdir, (5) triggers a copy-up of the SUID shell from the FUSE lowerdir to the overlay upperdir by touching the file, and (6) executes the copied SUID shell from the upperdir to obtain a root shell. The exploit demonstrates a practical attack chain for bypassing nosuid restrictions and achieving local root on vulnerable systems. The README.md provides a detailed vulnerability analysis, exploitation steps, and background on overlayfs and namespaces. No network endpoints are involved; all actions are local file and namespace manipulations.
This repository is a functional local privilege escalation exploit for CVE-2023-0386, targeting the Linux kernel's OverlayFS implementation. The exploit consists of two main files: 'fuse.c', a C program that implements a custom FUSE filesystem exposing a SUID root binary, and 'exp.sh', a bash script that automates the exploitation process. The attack works by mounting the FUSE filesystem as the lowerdir in an OverlayFS mount, then triggering a copy-up of the SUID binary to the upperdir, which is not mounted with 'nosuid'. This results in a SUID root binary being created in a location where it can be executed for privilege escalation. The README.md provides a detailed technical explanation of the vulnerability, the exploitation steps, and the underlying Linux kernel features involved (OverlayFS, FUSE, user namespaces). The exploit requires local access to the target system and the ability to execute code and mount filesystems. No network endpoints are involved; all actions are performed locally using file system operations.
This repository is a local privilege escalation exploit targeting CVE-2023-0386, a vulnerability in the Linux kernel's OverlayFS subsystem. The exploit consists of several C source files:
- 'exp.c' orchestrates the exploit, setting up OverlayFS mounts and user namespaces, and triggers the vulnerability.
- 'fuse.c' implements a FUSE filesystem used as part of the exploit chain to manipulate file capabilities and permissions.
- 'getshell.c' is a simple payload that, when executed with elevated privileges, spawns a root shell.
- The 'test' directory contains additional test code for FUSE and mount operations, not directly required for exploitation.
The exploit works by abusing OverlayFS and user namespace features to copy a file with capabilities from a nosuid mount, ultimately allowing a local attacker to escalate privileges to root. The Makefile provides build instructions, and the README describes usage, referencing CVE-2023-0386. The main attack vector is local, requiring shell access to the target system. The exploit does not require network access and does not target remote systems. The payload is operational, providing a working root shell if the target is vulnerable.
Recent activity
45 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An OverlayFS privilege escalation/container escape flaw referenced as a variant used post-compromise to escape from a container to the host.
A Linux kernel OverlayFS privilege escalation vulnerability caused by failing to validate invalid UID/GID mappings during copy-up, allowing crafted files from a lower layer to be copied with preserved privileged metadata such as SUID root under certain conditions.
A Linux kernel improper ownership vulnerability that can be exploited for privilege escalation; added to CISA KEV due to active exploitation.
A critical privilege escalation vulnerability in the Linux kernel's OverlayFS subsystem, allowing local attackers to gain root access by exploiting a uid mapping bug when copying capable files from nosuid mounts.