Repository: saaramar/execve_exploit (C++, C, Shell)
execve_exploit

This repo contains my slides and full exploit for my execve() vulnerability in WSL, CVE-2018-0743.

A detailed explanation of the vulnerability and exploit was presented at BlueHat IL 2018. The slides are in the repo, and the video is available here.

The patch is available here.

Notes:

  1. All the offsets, values and constants are based on Win10 16179 (10.0.16179). These can easily be changed to support other versions. While I haven’t tested many other versions, the same exploit should work as long as the vulnerability is unpatched.
  2. To allocate large chunks of memory, the exploit calls fcntl(F_SETPIPE_SZ) to grow a pipe's buffer to a fairly large size. As on Linux, growing a pipe beyond the fs.pipe-max-size limit requires CAP_SYS_RESOURCE, i.e. root inside WSL (which is still a low-privileged process on the Windows side). The same exploit would work from a low-privileged WSL user if this step is replaced with a different way to allocate similarly sized chunks. It shouldn't be too hard and is left as an exercise for the reader :)
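
The following is an added example, not code from this repository: it shows the fcntl(F_SETPIPE_SZ) call that note 2 refers to and the privilege boundary behind it. Requests up to the value in /proc/sys/fs/pipe-max-size (1 MiB by default) succeed for any user; larger requests fail with EPERM unless the caller has CAP_SYS_RESOURCE, which inside WSL means root. The helper names (pipe_set_capacity, pipe_grow_best_effort, demo_grow) and the fallback strategy are this example's own, and it assumes a Linux or WSL target where /proc/sys/fs/pipe-max-size is readable.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Read the unprivileged ceiling from /proc/sys/fs/pipe-max-size
 * (1 MiB by default on Linux). Returns -1 if it cannot be read. */
long pipe_max_size(void) {
    FILE *f = fopen("/proc/sys/fs/pipe-max-size", "r");
    if (!f) return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Ask the kernel for a pipe buffer of `want` bytes and return the capacity
 * actually granted (F_GETPIPE_SZ), or -1 with errno set. The kernel rounds
 * the request up to a power of two; above pipe-max-size it demands
 * CAP_SYS_RESOURCE and otherwise fails with EPERM. */
long pipe_set_capacity(int fd, long want) {
    if (fcntl(fd, F_SETPIPE_SZ, want) < 0) return -1;
    return fcntl(fd, F_GETPIPE_SZ);
}

/* Best-effort growth (this example's strategy, not the exploit's): try the
 * full request; if it is refused for lack of privilege (EPERM), retry at the
 * unprivileged ceiling; if even that fails, report the capacity we already
 * have. *needed_root is set when the full request was denied with EPERM. */
long pipe_grow_best_effort(int fd, long want, int *needed_root) {
    *needed_root = 0;
    long got = pipe_set_capacity(fd, want);
    if (got >= 0) return got;
    if (errno != EPERM) return fcntl(fd, F_GETPIPE_SZ);
    *needed_root = 1;
    long ceiling = pipe_max_size();
    if (ceiling > 0 && (got = pipe_set_capacity(fd, ceiling)) >= 0) return got;
    return fcntl(fd, F_GETPIPE_SZ);
}

/* Convenience wrapper: fresh pipe, grow it, close it, return the granted size. */
long demo_grow(long want, int *needed_root) {
    int p[2];
    if (pipe(p) < 0) return -1;
    long got = pipe_grow_best_effort(p[0], want, needed_root);
    close(p[0]);
    close(p[1]);
    return got;
}

int main(void) {
    int needed_root = 0;
    long want = 64L << 20;  /* 64 MiB, well above the default 1 MiB ceiling */
    long got = demo_grow(want, &needed_root);
    printf("requested %ld bytes, granted %ld (%s)\n", want, got,
           needed_root ? "capped: CAP_SYS_RESOURCE required"
                       : "full request granted");
    return got < 0;
}
```

Run it once as a normal user and once as root: the unprivileged run reports the cap, the root run gets the full 64 MiB. That difference is exactly why the exploit as published needs root inside WSL, and what any replacement allocation primitive has to avoid.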
