https://github.com/saaramar/execve_exploit

Hardcore corruption of my execve() vulnerability in WSL

# execve_exploit
This repo contains my slides and full exploit for my execve() vulnerability in WSL, CVE-2018-0743.

A detailed explanation of the vulnerability and exploit was presented at BlueHat IL 2018. The slides are in the repo, and the video is [here](https://www.youtube.com/watch?v=3deJvbBHET4&feature=youtu.be).

The patch is available [here](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0743).

# Notes:
0. All the offsets, values and constants are based on Win10 16179 (10.0.16179). These can easily be changed to support other versions. While I haven’t tested many other versions, the same exploit should work as long as the vulnerability is unpatched.
1. To allocate large chunks of memory, the exploit calls fcntl(F_SETPIPE_SZ), setting the limit to a fairly large size. This requires root privileges in the context of WSL (which is still low-privileged in Windows). The same exploit would work from a low-privileged user in WSL context if you replace this with a different way to allocate similarly sized chunks. It shouldn’t be too hard and is left as an exercise to the reader :)

![alt text](https://github.com/saaramar/execve_exploit/raw/master/images/poc.png "")