Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/saaramar/execve_exploit
Hardcore corruption of my execve() vulnerability in WSL
https://github.com/saaramar/execve_exploit
Last synced: 21 days ago
JSON representation
Hardcore corruption of my execve() vulnerability in WSL
- Host: GitHub
- URL: https://github.com/saaramar/execve_exploit
- Owner: saaramar
- Created: 2018-01-24T20:48:24.000Z (almost 7 years ago)
- Default Branch: master
- Last Pushed: 2018-02-02T09:37:35.000Z (almost 7 years ago)
- Last Synced: 2024-08-05T17:24:02.388Z (4 months ago)
- Language: C
- Size: 1.19 MB
- Stars: 214
- Watchers: 15
- Forks: 39
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - saaramar/execve_exploit - Hardcore corruption of my execve() vulnerability in WSL (C)
README
# execve_exploit
This repo contains my slides and full exploit for my execve() vulnerability in WSL, CVE-2018-0743.A detailed explanation of the vulnerability and exploit was presented at Bluehat IL 2018. Slides are in the repo, video [here](https://www.youtube.com/watch?v=3deJvbBHET4&feature=youtu.be)
The patch available [here](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0743)
# Notes:
0. All the offsets, values and constants are based on Win10 16179 (10.0.16179). These can easily be changed to support other versions. While I haven’t tested many other versions, the same exploit should work as long as the vulnerability is unpatched.
1. To allocate large chunks of memory, the exploit calls fcntl(F_SETPIPE_SZ), setting the limit to a fairly large size. This requires root privileges in the context of WSL (which is still low-privileged in Windows). The same exploit would work from a low-privileged user in WSL context if you replace this with a different way to allocate similarly sized chunks. It shouldn’t be too hard and is left as an exercise to the reader :)![alt text](https://github.com/saaramar/execve_exploit/raw/master/images/poc.png "")